Debian has issued an advisory today (February 12): https://lists.debian.org/debian-security-announce/2016/msg00044.html
The DSA will be posted here: https://www.debian.org/security/2016/dsa-3474

Cauldron updated to 1.6.5 which fixes the issue.

Patched package uploaded for Mageia 5.

Advisory:
========================

Updated libgcrypt packages fix security vulnerability:

Daniel Genkin, Lev Pachmanov, Itamar Pipman and Eran Tromer discovered that the ECDH secret decryption keys in applications using the libgcrypt20 library could be leaked via a side-channel attack (CVE-2015-7511).

The libgcrypt package was also updated to include countermeasures against Lenstra's fault attack on RSA Chinese Remainder Theorem optimization in RSA. A signature verification step was updated to protect against leaks of private keys in case of hardware faults or implementation errors in numeric libraries. This issue is equivalent to the CVE-2015-5738 issue in gnupg.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7511
http://lists.opensuse.org/opensuse-updates/2015-09/msg00033.html
https://www.debian.org/security/2016/dsa-3474
https://bugs.mageia.org/show_bug.cgi?id=16806
https://bugs.mageia.org/show_bug.cgi?id=17742
========================

Updated packages in core/updates_testing:
========================
libgcrypt11-1.5.4-5.2.mga5
libgcrypt-devel-1.5.4-5.2.mga5

from libgcrypt-1.5.4-5.2.mga5.src.rpm
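The advisory's second item, the "signature verification step" added as a countermeasure against Lenstra's fault attack on RSA-CRT, is easy to show in miniature. The block below is an added example written for this page; it is not libgcrypt's or gnupg's code. It signs with the usual CRT split (one exponentiation mod p, one mod q, recombined with Garner's formula), optionally simulates a fault in one half, and then re-verifies the result with the public key before releasing it. The key is a constructed toy key built from two small primes (1000000007 and 998244353), and the message representative is a bare SHA-256 digest reduced mod N with no padding scheme; both are assumptions made only to keep the example short and runnable.

```python
# Added example, not libgcrypt's code: RSA-CRT signing with the
# "verify with the public key before releasing" countermeasure that the
# advisory describes as protection against Lenstra's fault attack.
import hashlib
from math import gcd

P = 1000000007          # constructed toy prime (real keys: ~1024-bit primes)
Q = 998244353           # constructed toy prime
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
assert gcd(E, PHI) == 1
D = pow(E, -1, PHI)     # private exponent
DP = D % (P - 1)        # CRT exponent for the mod-p half
DQ = D % (Q - 1)        # CRT exponent for the mod-q half
QINV = pow(Q, -1, P)    # Garner's coefficient q^-1 mod p


def message_rep(msg: bytes) -> int:
    """Toy message representative: SHA-256 digest reduced mod N.
    Real RSA signatures use a padding scheme (PKCS#1 v1.5 or PSS);
    that is omitted here as an assumption of this example."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def crt_sign_unchecked(m: int, fault: bool = False) -> int:
    """Plain RSA-CRT: two half-size exponentiations recombined with Garner.
    fault=True simulates a hardware or numeric-library error that corrupts
    only the mod-p half, which is the situation the countermeasure is for."""
    s1 = pow(m, DP, P)
    s2 = pow(m, DQ, Q)
    if fault:
        s1 = (s1 + 1) % P   # one corrupted half, the other half correct
    h = (QINV * (s1 - s2)) % P
    return s2 + h * Q


def verify(m: int, s: int) -> bool:
    """Public-key check: s^e mod N must give the message representative back."""
    return pow(s, E, N) == m


def crt_sign_checked(m: int, fault: bool = False):
    """The countermeasure: verify the freshly computed signature before it
    leaves the signer. Returns the signature, or None when the check fails,
    because a faulty CRT signature must never be released."""
    s = crt_sign_unchecked(m, fault)
    if not verify(m, s):
        return None
    return s


if __name__ == "__main__":
    m = message_rep(b"constructed sample message")
    print("correct signing released:", crt_sign_checked(m) is not None)
    print("faulty signing released:", crt_sign_checked(m, fault=True) is not None)
```

The point of the check is that a CRT signature with one wrong half still verifies correctly mod the other prime, and that asymmetry is what the fault attack exploits; the only safe behaviour is to detect the mismatch with the public key and refuse to output anything. The verification costs one public-exponent exponentiation per signature, which is cheap next to the two private-exponent ones.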
Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=15441#c2

Use gpg2 (gnupg2) to test libgcrypt.
Blocks: (none) => 16806
Whiteboard: (none) => has_procedure
In VirtualBox, M5, KDE, 32-bit
Package(s) under test: libgcrypt11 kgpg

default install of libgcrypt11 & kgpg

[root@localhost wilcal]# urpmi libgcrypt11
Package libgcrypt11-1.5.3-1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi kgpg
Package kgpg-4.10.5-1.1.mga3.i586 is already installed

gpg --gen-key ( works, wiggle the mouse, takes about a min )
Real name: wilcal
e-mail: somebody@gmail.com
Comment: testing
passphrase: testing
gpg2 --list-keys ( works )
gpg2 -e -r wilcal test.txt ( works, generates test.txt.gpg )
erase test.txt
gpg2 test.txt.gpg ( works, regenerates test.txt )
libreoffice --writer exports an encrypted pdf file
gpg2 --delete-secret-keys wilcal ( works )
gpg2 --delete-key wilcal ( works )
gpg2 --list-keys ( works, no keys listed )

install libgcrypt11 & kgpg from updates_testing

[root@localhost wilcal]# urpmi libgcrypt11
Package libgcrypt11-1.5.4-5.2.mga5.i586 is already installed
[root@localhost wilcal]# urpmi kgpg
Package kgpg-4.14.3-1.mga5.i586 is already installed

gpg --gen-key ( works, wiggle the mouse, takes about a min )
Real name: wilcal
e-mail: somebody@gmail.com
Comment: testing
passphrase: testing
gpg2 --list-keys ( works )
gpg2 -e -r wilcal test.txt ( works, generates test.txt.gpg )
erase test.txt
gpg2 test.txt.gpg ( works, regenerates test.txt )
libreoffice --writer exports an encrypted pdf file
gpg2 --delete-secret-keys wilcal ( works )
gpg2 --delete-key wilcal ( works )
gpg2 --list-keys ( works, no keys listed )
CC: (none) => wilcal.int
Correction:

In VirtualBox, M5, KDE, 32-bit

default install of libgcrypt11 & kgpg

[root@localhost wilcal]# urpmi libgcrypt11
Package libgcrypt11-1.5.3-1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi kgpg
Package kgpg-4.10.5-1.1.mga3.i586 is already installed

s/b

default install of libgcrypt11 & kgpg

[root@localhost wilcal]# urpmi libgcrypt11
Package libgcrypt11-1.5.4-5.mga5.i586 is already installed
[root@localhost wilcal]# urpmi kgpg
Package kgpg-4.14.3-1.mga5.i586 is already installed
In VirtualBox, M5, KDE, 64-bit
Package(s) under test: lib64gcrypt11 kgpg

default install of lib64gcrypt11 & kgpg

[root@localhost wilcal]# urpmi lib64gcrypt11
Package lib64gcrypt11-1.5.4-5.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi kgpg
Package kgpg-4.14.3-1.mga5.x86_64 is already installed

gpg --gen-key ( works, wiggle the mouse, takes about a min )
Real name: wilcal
e-mail: somebody@gmail.com
Comment: testing
passphrase: testing
gpg2 --list-keys ( works )
gpg2 -e -r wilcal test.txt ( works, generates test.txt.gpg )
erase test.txt
gpg2 test.txt.gpg ( works, regenerates test.txt )
libreoffice --writer exports an encrypted pdf file
gpg2 --delete-secret-keys wilcal ( works )
gpg2 --delete-key wilcal ( works )
gpg2 --list-keys ( works, no keys listed )

install lib64gcrypt11 & kgpg from updates_testing

[root@localhost wilcal]# urpmi lib64gcrypt11
Package lib64gcrypt11-1.5.4-5.2.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi kgpg
Package kgpg-4.14.3-1.mga5.x86_64 is already installed

gpg --gen-key ( works, wiggle the mouse, takes about a min )
Real name: wilcal
e-mail: somebody@gmail.com
Comment: testing
passphrase: testing
gpg2 --list-keys ( works )
gpg2 -e -r wilcal test.txt ( works, generates test.txt.gpg )
erase test.txt
gpg2 test.txt.gpg ( works, regenerates test.txt )
libreoffice --writer exports an encrypted pdf file
gpg2 --delete-secret-keys wilcal ( works )
gpg2 --delete-key wilcal ( works )
gpg2 --list-keys ( works, no keys listed )
Look good enough David?
Yes
This update works fine.
Testing complete for MGA5, 32-bit & 64-bit

Validating the update.

Could someone from the sysadmin team push to updates. Thanks
Keywords: (none) => validated_update
Whiteboard: has_procedure => has_procedure MGA5-32-OK MGA5-64-OK
CC: (none) => sysadmin-bugs
Advisory uploaded.
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure advisory MGA5-32-OK MGA5-64-OK
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0072.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED