Upstream has released version 1.4.16 today (December 18), fixing a security issue: http://lists.gnupg.org/pipermail/gnupg-devel/2013-December/028102.html Oden has committed it to SVN and requested a freeze push for Cauldron. Mageia 3 is also affected. Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA3TOO
Debian has issued an advisory for this today (December 18): http://lists.debian.org/debian-security-announce/2013/msg00235.html
URL: (none) => http://lwn.net/Vulnerabilities/577552/
gnupg-1.4.16-1.mga4 uploaded for Cauldron.
Version: Cauldron => 3Whiteboard: MGA3TOO => (none)
fixed with gnupg-1.4.14-1.2.mga3
CC: (none) => oe
Thanks Oden! Advisory: ======================== Updated gnupg package fixes security vulnerability: Genkin, Shamir and Tromer discovered that RSA key material could be extracted by using the sound generated by the computer during the decryption of some chosen ciphertexts (CVE-2013-4576). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4576 http://lists.gnupg.org/pipermail/gnupg-devel/2013-December/028102.html http://www.debian.org/security/2013/dsa-2821 ======================== Updated packages in core/updates_testing: ======================== gnupg-1.4.14-1.2.mga3 from gnupg-1.4.14-1.2.mga3.src.rpm
CC: (none) => boklmAssignee: boklm => qa-bugs
Procedure: https://bugs.mageia.org/show_bug.cgi?id=11306#c3 No PoC, it involves sending thousands of encrypted messages which need to be auto decrypted and recording audio to process.
Testing complete mga3 64
Whiteboard: (none) => has_procedure mga3-64-ok
Testing complete mga3 32
Whiteboard: has_procedure mga3-64-ok => has_procedure mga3-64-ok mga3-32-ok
Validating. Advisory uploaded. Could sysadmin please push from 3 core/updates_testing to updates Thanks!
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2013-0382.html
Status: NEW => RESOLVEDCC: (none) => tmbResolution: (none) => FIXED
CC: boklm => (none)