libgcrypt20: CVE-2019-13627


Debian Bug report logs - #938938
libgcrypt20: CVE-2019-13627


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 30 Aug 2019 13:03:01 UTC

Severity: important

Tags: security, upstream

Found in version libgcrypt20/1.8.4-5

Fixed in version libgcrypt20/1.8.5-1

Done: Andreas Metzler <ametzler@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#938938; Package src:libgcrypt20. (Fri, 30 Aug 2019 13:03:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Fri, 30 Aug 2019 13:03:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libgcrypt20: CVE-2019-13627
Date: Fri, 30 Aug 2019 15:00:13 +0200
Source: libgcrypt20
Version: 1.8.4-5
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for libgcrypt20.

CVE-2019-13627[0]:
ECDSA timing attack

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-13627
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13627

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Reply sent to Andreas Metzler <ametzler@debian.org>:
You have taken responsibility. (Fri, 30 Aug 2019 17:09:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 30 Aug 2019 17:09:04 GMT)


Message #10 received at 938938-close@bugs.debian.org:

From: Andreas Metzler <ametzler@debian.org>
To: 938938-close@bugs.debian.org
Subject: Bug#938938: fixed in libgcrypt20 1.8.5-1
Date: Fri, 30 Aug 2019 17:06:41 +0000
Source: libgcrypt20
Source-Version: 1.8.5-1

We believe that the bug you reported is fixed in the latest version of
libgcrypt20, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 938938@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Metzler <ametzler@debian.org> (supplier of updated libgcrypt20 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 30 Aug 2019 18:44:49 +0200
Source: libgcrypt20
Architecture: source
Version: 1.8.5-1
Distribution: experimental
Urgency: medium
Maintainer: Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>
Changed-By: Andreas Metzler <ametzler@debian.org>
Closes: 938938
Changes:
 libgcrypt20 (1.8.5-1) experimental; urgency=medium
 .
   * Drop --add-udeb=libgcrypt20-udeb to work around debhelper bug #935577.
   * New upstream version.
     + Fixes ECDSA timing attack. CVE-2019-13627 Closes: #938938
     + Drop 30_doc-Fix-library-initialization-examples.patch
     + Ship newly available pkgconfig file in libgcrypt20-dev, moving gpg-error
       from Requires to Requires.private in new
       13_lessdeps_libgcrypt-pkgconfig.diff.







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Aug 31 09:35:52 2019; Machine Name: beach
