Ubuntu has issued an advisory today (April 1): http://www.ubuntu.com/usn/usn-2555-1/ We previously fixed this for gnupg in Bug 15441, but it turns out libgcrypt 1.5 is affected after all. It's a minor issue, so I've checked the patch into SVN, and it will be included in the next future update. Reproducible: Steps to Reproduce:
Submitting this update now to get it in before Mageia 4 EOL. This can be tested with gnupg2 in Bug 15483. Advisory: ======================== Updated libgcrypt packages fix security vulnerability: Daniel Genkin, Adi Shamir, and Eran Tromer discovered that Libgcrypt was susceptible to an attack via physical side channels. A local attacker could use this attack to possibly recover private keys (CVE-2015-0837). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0837 http://www.ubuntu.com/usn/usn-2555-1/ ======================== Updated packages in core/updates_testing: ======================== libgcrypt11-1.5.4-1.2.mga4 libgcrypt-devel-1.5.4-1.2.mga4 from libgcrypt-1.5.4-1.2.mga4.src.rpm
Assignee: bugsquad => qa-bugsWhiteboard: (none) => has_procedure
Testing complete Mageia 4 i586 using the procedure.
Whiteboard: has_procedure => has_procedure MGA4-32-OK
Validating. Advisory uploaded. Please push to 4 updates Thanks
Keywords: (none) => validated_updateWhiteboard: has_procedure MGA4-32-OK => has_procedure advisory MGA4-32-OKCC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0360.html
Status: NEW => RESOLVEDResolution: (none) => FIXED