Fedora has issued an advisory on March 1: https://lists.fedoraproject.org/pipermail/package-announce/2015-March/150931.html CVE-2014-3591 is fixed in gnupg 1.4.19 and libgcrypt 1.6.3, as well as in an upstream patch in the libgcrypt 1.5 branch. CVE-2015-0837 is fixed in gnupg 1.4.19 and libgcrypt 1.6.3, but does not affect libgcrypt 1.5 (which we have). Updated and patched packages checked into Mageia 4 and Cauldron SVN. Freeze pushes requested for Cauldron. See also the gnupg 1.4.19 release announcement: https://lists.gnupg.org/pipermail/gnupg-announce/2015q1/000363.html Reproducible: Steps to Reproduce:
Blocks: (none) => 14674Whiteboard: (none) => MGA4TOO
Updated packages uploaded for Cauldron. Patched packages uploaded for Mageia 4. Advisory: ======================== Updated gnupg and libgcrypt packages fixes security vulnerabilities: GnuPG before 1.4.19 is vulnerable to a side-channel attack which can potentially lead to an information leak (CVE-2014-3591). GnuPG before 1.4.19 is vulnerable to a side-channel attack on data-dependent timing variations in modular exponentiation, which can potentially lead to an information leak (CVE-2015-0837). The gnupg package has been patched to correct these issues. GnuPG2 is vulnerable to these issues through the libgcrypt library. The issues were fixed in libgcrypt 1.6.3. The libgcrypt package in Mageia, at version 1.5.4, was only vulnerable to the CVE-2014-3591 issue. It has also been patched to correct this issue. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3591 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0837 https://lists.gnupg.org/pipermail/gnupg-announce/2015q1/000363.html https://lists.fedoraproject.org/pipermail/package-announce/2015-March/150931.html ======================== Updated packages in core/updates_testing: ======================== gnupg-1.4.16-1.2.mga4 libgcrypt11-1.5.4-1.1.mga4 libgcrypt-devel-1.5.4-1.1.mga4 from SRPMS: gnupg-1.4.16-1.2.mga4.src.rpm libgcrypt-1.5.4-1.1.mga4.src.rpm
Version: Cauldron => 4Blocks: 14674 => (none)Assignee: bugsquad => qa-bugsWhiteboard: MGA4TOO => (none)
Testing procedures: https://bugs.mageia.org/show_bug.cgi?id=11306#c3 https://bugs.mageia.org/show_bug.cgi?id=10850#c11 Use the "gpg" command to test gnupg. Replace "gpg" with "gpg2" to test gnupg2. There's also a PoC for CVE-2014-3591, not that I expect anyone to try it :o) http://www.cs.tau.ac.il/~tromer/radioexp/
Whiteboard: (none) => has_procedure
Tested both gpg and gpg2 using the first half of Claire's procedure here: https://bugs.mageia.org/show_bug.cgi?id=11306#c3 I found this neat trick for speeding up the key generation, because it was taking forever and not completing (working over SSH didn't help): http://it.toolbox.com/blogs/lim/how-to-generate-enough-entropy-for-gpg-key-generation-process-on-fedora-linux-38022 Testing complete Mageia 4 i586.
Whiteboard: has_procedure => has_procedure MGA4-32-OK
Testing on Mageia 4x64 real hardware following Claire's procedure mentioned in Comment 2 From current packages : --------------------- gnupg-1.4.16-1.1.mga4 lib64gcrypt11-1.5.4-1.mga4 To updated testing packages : ---------------------------- gnupg-1.4.16-1.2.mga4 lib64gcrypt11-1.5.4-1.1.mga4 With gpg and gpg2 All OK
CC: (none) => olchalWhiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK MGA4-64-OK
Advisory uploaded, validating. Please push to 4 core/updates.
Keywords: (none) => validated_updateWhiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure MGA4-32-OK MGA4-64-OK advisoryCC: (none) => remi, sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0104.html
Status: NEW => RESOLVEDResolution: (none) => FIXED