SUSE has issued an advisory on June 18:
https://lists.suse.com/pipermail/sle-security-updates/2021-June/009053.html

The issue is supposedly fixed upstream in 1.8.8, but the RedHat bug for this issue has questioned that:
https://bugzilla.suse.com/show_bug.cgi?id=1187212
https://bugzilla.redhat.com/show_bug.cgi?id=1970096

Mageia 7 is also affected.
CC: (none) => geiger.david68210
Whiteboard: (none) => MGA7TOO
This pkg has no registered maintainer, and is committed by various people; so assigning this bug globally.
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm, and the window size is not chosen appropriately. (CVE-2021-33560)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33560
https://lists.suse.com/pipermail/sle-security-updates/2021-June/009053.html
========================

Updated packages in 7/core/updates_testing:
========================
lib(64)gcrypt20-1.8.5-1.1.mga7
lib(64)gcrypt-devel-1.8.5-1.1.mga7

from SRPM:
libgcrypt-1.8.5-1.1.mga7.src.rpm

Updated packages in 8/core/updates_testing:
========================
lib(64)gcrypt20-1.8.7-1.1.mga8
lib(64)gcrypt-devel-1.8.7-1.1.mga8

from SRPM:
libgcrypt-1.8.7-1.1.mga8.src.rpm
CC: (none) => nicolas.salguero
CVE: (none) => CVE-2021-33560
Status: NEW => ASSIGNED
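The advisory text above names the missing mitigation (exponent blinding in front of mpi_powm) without showing what it buys. The following Python toy, added here as an illustration and not taken from libgcrypt, the Mageia package or this bug, models a fixed-window modular exponentiation whose table lookups are observable, and compares the lookup sequence with and without blinding the ElGamal private exponent. The parameters P (a Mersenne prime), G, the 4-bit window and the 64-bit blinding factor are constructed assumptions chosen so the script runs instantly; the advisory's "window size not chosen appropriately" part of the CVE is not modelled.

```python
"""Toy model of exponent blinding as a side-channel mitigation for ElGamal
decryption (constructed example; not libgcrypt code)."""
import secrets

# Constructed toy parameters (hypothetical; real ElGamal uses a 2048-bit+ safe prime).
P = 2**127 - 1          # Mersenne prime, so pow(c, P-1, P) == 1 for any c in [1, P-1]
G = 3
WINDOW_BITS = 4         # fixed-window exponentiation with a 16-entry table
WINDOW_MASK = (1 << WINDOW_BITS) - 1


def exponent_digits(e):
    """Base-2**WINDOW_BITS digits of e, most significant first."""
    digits = []
    while e:
        digits.append(e & WINDOW_MASK)
        e >>= WINDOW_BITS
    return digits[::-1]


def windowed_powm(base, exp, mod, trace=None):
    """Fixed-window modular exponentiation (stand-in for an mpi_powm-style routine).

    `trace`, when supplied, records the table index used at each window step.
    That index sequence is what a cache/timing side-channel on the precomputed
    table could recover, so it models the leakage, not a real attack."""
    table = [1]
    for _ in range(WINDOW_MASK):
        table.append(table[-1] * base % mod)
    result = 1
    for d in exponent_digits(exp):
        for _ in range(WINDOW_BITS):
            result = result * result % mod
        result = result * table[d] % mod      # table lookup depends on d
        if trace is not None:
            trace.append(d)
    return result


def blind_exponent(x, p, blinding_bits=64):
    """Return x + r*(p-1) for a fresh random r >= 1.

    By Fermat, c**(p-1) == 1 (mod p), so the blinded exponent yields the same
    c**x, but its digit sequence differs on every decryption."""
    r = secrets.randbits(blinding_bits) + 1
    return x + r * (p - 1)


def keygen():
    x = secrets.randbelow(P - 2) + 1          # private exponent in [1, P-2]
    return x, pow(G, x, P)


def encrypt(y, m, k=None):
    k = secrets.randbelow(P - 2) + 1 if k is None else k
    return pow(G, k, P), m * pow(y, k, P) % P


def decrypt(x, c1, c2, blinded=True, trace=None):
    """ElGamal decryption m = c2 * (c1**x)**-1 mod P, with or without blinding."""
    e = blind_exponent(x, P) if blinded else x
    s = windowed_powm(c1, e, P, trace)
    return c2 * pow(s, -1, P) % P


def leakage_comparison(x, c1, c2):
    """Decrypt twice unblinded and twice blinded; return the observed traces."""
    t_plain = [[], []]
    t_blind = [[], []]
    for t in t_plain:
        decrypt(x, c1, c2, blinded=False, trace=t)
    for t in t_blind:
        decrypt(x, c1, c2, blinded=True, trace=t)
    return {"secret_digits": exponent_digits(x),
            "unblinded": t_plain,
            "blinded": t_blind}


if __name__ == "__main__":
    x, y = keygen()
    c1, c2 = encrypt(y, 0x1234)
    obs = leakage_comparison(x, c1, c2)
    print("unblinded trace == secret digits:", obs["unblinded"][0] == obs["secret_digits"])
    print("blinded traces equal each other:  ", obs["blinded"][0] == obs["blinded"][1])
    print("blinded trace == secret digits:   ", obs["blinded"][0] == obs["secret_digits"])
```

Unblinded, every decryption walks the table in the order of the private exponent's digits, so a single observed trace is the key. Blinded, the trace is the digits of x + r(p-1) for a fresh r, which changes per call and is never the digit string of x, while the recovered plaintext is unchanged. This is the property the 1.8.8 / 1.9.3 fix restores; the toy's 4-bit window and small prime are only there to keep it readable.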
Assignee: pkg-bugs => qa-bugs
MGA7-64 Plasma on Lenovo B50
No installation issues.
Created small plain text file.
Followed test as from bug 17742 Comment 4

$ gpg --gen-key
gpg (GnuPG) 2.2.19; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Note: Use "gpg --full-generate-key" for a full featured key generation dialog.

GnuPG needs to construct a user ID to identify your key.

Real name: hviaene
etc ......

$ gpg2 -e -r hviaene crypttest.txt
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: next trustdb check due at 2023-06-22
created crypttest.txt.gpg file
renamed crypttest.txt to crypttest.orig.txt

$ gpg2 crypttest.txt.gpg
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
gpg: encrypted with 2048-bit RSA key, ID 4BC90D7AD65CD629, created 2021-06-22
      "hviaene <herman.viaene@hotmail.be>"
recreates the crypttest.txt file with correct contents.

gpg2 --delete-secret-keys hviaene
gpg (GnuPG) 2.2.19; Copyright (C) 2019 Free Software Foundation, Inc.
etc ....
works OK

$ gpg2 --delete-key hviaene
gpg (GnuPG) 2.2.19; Copyright (C) 2019 Free Software Foundation, Inc.
etc .....
works OK

$ gpg2 --list-keys
gpg: checking the trustdb
gpg: no ultimately trusted keys found
CC: (none) => herman.viaene
Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK
openSUSE has issued an advisory for this today (June 25):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/PPALT4SBPXXPFJVTZN5FQCXMNVH4GXCU/
MG8-64

$ uname -a
Linux localhost.localdomain 5.10.46-desktop-1.mga8 #1 SMP Thu Jun 24 14:33:54 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

The following 2 packages are going to be installed:
- lib64gcrypt-devel-1.8.7-1.1.mga8.x86_64
- lib64gcrypt20-1.8.7-1.1.mga8.x86_64

I performed the same tests Herman did using my info. Worked fine.

$ gpg2 --version
gpg (GnuPG) 2.2.27
libgcrypt 1.8.7
Copyright (C) 2021 Free Software Foundation, Inc.
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: xxxx
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
CC: (none) => brtians1
Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK
Validating. Advisory in Comment 2.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => ouaurelien
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0294.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED