Bug#780121: unblock: libgcrypt20/1.6.3-2
Control: tags -1 d-i
On 2015-03-09 15:22, Andreas Metzler wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
>
> Hello,
>
> Please unblock package libgcrypt20. This is a bugfix-only stable
> release, taking care of two side-channel vulnerabilities (CVE-2015-0837
> and CVE-2014-3591):
> Noteworthy changes in version 1.6.3 (2015-02-27) [C20/A0/R3]
> ------------------------------------------------
>
> * Use ciphertext blinding for Elgamal decryption [CVE-2014-3591].
> See http://www.cs.tau.ac.il/~tromer/radioexp/ for details.
>
> * Fixed data-dependent timing variations in modular exponentiation
> [related to CVE-2015-0837, Last-Level Cache Side-Channel Attacks
> are Practical].
>
> * Improved asm support for older toolchains.
>
> Find attached the filtered debdiff (| filterdiff -x '*/build-aux/*' -x
> '*/Makefile.in' -x '*/configure' -x '*/gcrypt.info*' -x
> '*/aclocal.m4') versus testing.
>
> thanks, cu Andreas
>
> unblock libgcrypt20/1.6.3-2
>
It is a bit noisier than I liked (especially without your filterdiff),
but ack from RT, CC'ing KiBi for a d-i ack.
Thanks,
~Niels