GnuPG has released new libgcrypt and gnupg versions today (August 17): https://lists.gnupg.org/pipermail/gnupg-announce/2016q3/000395.html The CVE was incorrect in the announcement: http://openwall.com/lists/oss-security/2016/08/17/8 For Mageia 5, we aren't using libgcrypt 1.7.x and we are still on gnupg 1.4.19, and I'm not sure we want all of the changes in 1.4.20: https://lists.gnupg.org/pipermail/gnupg-announce/2015q4/000382.html So ideally we'd patch both of those. Freeze push requested already for Cauldron (should be built soon).
Debian has issued advisories for this on August 17: https://www.debian.org/security/2016/dsa-3650 https://www.debian.org/security/2016/dsa-3649 Patched packages uploaded for Mageia 5. Testing procedures: https://bugs.mageia.org/show_bug.cgi?id=15441#c2 Advisory: ======================== Updated gnupg and libgcrypt packages fixes security vulnerability: Felix Doerre and Vladimir Klebanov from the Karlsruhe Institute of Technology discovered a flaw in the mixing functions of GnuPG's random number generator. An attacker who obtains 4640 bits from the RNG can trivially predict the next 160 bits of output (CVE-2016-6313). The gnupg package has been patched to correct these issues. GnuPG2 is vulnerable to these issues through the libgcrypt library. The libgcrypt package has also been patched to correct this issue. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6313 https://www.debian.org/security/2016/dsa-3649 https://www.debian.org/security/2016/dsa-3650 ======================== Updated packages in core/updates_testing: ======================== gnupg-1.4.19-1.2.mga5 libgcrypt11-1.5.4-5.3.mga5 libgcrypt-devel-1.5.4-5.3.mga5 from SRPMS: gnupg-1.4.19-1.2.mga5.src.rpm libgcrypt-1.5.4-5.3.mga5.src.rpm
URL: (none) => http://lwn.net/Vulnerabilities/697568/Assignee: bugsquad => qa-bugsSummary: libgcrypt, gnupg new security issue CVE-2016-6313 => gnupg, libgcrypt new security issue CVE-2016-6313
Whiteboard: (none) => has_procedure
Tested both gpg and gpg2 using the first half of Claire's procedure here: https://bugs.mageia.org/show_bug.cgi?id=11306#c3 Testing complete Mageia 5 i586 and x86_64.
Whiteboard: has_procedure => has_procedure MGA5-32-OK MGA5-64-OK
Keywords: (none) => validated_updateWhiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK advisoryCC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0292.html
Status: NEW => RESOLVEDResolution: (none) => FIXED