Debian Bug report logs - #834893
gnupg: CVE-2016-6313: RNG prediction vulnerability


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 20 Aug 2016 12:42:01 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in versions gnupg/1.4.18-7, gnupg/1.4.12-1

Fixed in versions gnupg/1.4.18-7+deb8u2, 1.4.20-6+rm

Done: Debian FTP Masters <ftpmaster@ftp-master.debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian GnuPG-Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>:
Bug#834893; Package src:gnupg. (Sat, 20 Aug 2016 12:42:05 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian GnuPG-Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>. (Sat, 20 Aug 2016 12:42:05 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: gnupg: CVE-2016-6313: RNG prediction vulnerability
Date: Sat, 20 Aug 2016 14:39:36 +0200
Source: gnupg
Version: 1.4.12-1
Severity: grave
Tags: security upstream patch fixed-upstream
Control: fixed -1 1.4.18-7+deb8u2

Hi,

the following vulnerability was published for gnupg.

CVE-2016-6313[0]:
libgcrypt: PRNG output is predictable

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-6313

Regards,
Salvatore



Marked as fixed in versions gnupg/1.4.18-7+deb8u2. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Sat, 20 Aug 2016 12:42:05 GMT) (full text, mbox, link).


Added tag(s) pending. Request was from Daniel Kahn Gillmor <dkg@fifthhorseman.net> to control@bugs.debian.org. (Mon, 29 Aug 2016 14:51:09 GMT) (full text, mbox, link).


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#834893. (Mon, 29 Aug 2016 14:51:24 GMT) (full text, mbox, link).


Message #12 received at 834893-submitter@bugs.debian.org (full text, mbox, reply):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: 834893-submitter@bugs.debian.org
Subject: Bug#834893 marked as pending
Date: Mon, 29 Aug 2016 14:48:50 +0000
tag 834893 pending
thanks

Hello,

Bug #834893 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    http://git.debian.org/?p=pkg-gnupg/gnupg1.git;a=commitdiff;h=2147d7b

---
commit 2147d7bd53244662453cffc9c25604e2e265a2ca
Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date:   Mon Aug 29 10:04:21 2016 -0400

    prepare release

diff --git a/debian/changelog b/debian/changelog
index 586c73e..a0c099f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+gnupg1 (1.4.21-1) unstable; urgency=medium
+
+  * new upstream release (Closes: #834893)
+  * drop already upstreamed patches, refresh remainder
+  * build reproducibly (Closes: #806494)
+  * gnupg1 is Priority: extra (Closes: #834757)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Mon, 29 Aug 2016 10:03:15 -0400
+
 gnupg1 (1.4.20-7) unstable; urgency=medium
 
   * Release to unstable.
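Review bot: the entry `* new upstream release (Closes: #834893)` closes a grave, security-tagged bug without naming CVE-2016-6313 anywhere in the changelog, although the report at the top of this log explicitly asks for the CVE id in the changelog entry; suggest wording such as `* new upstream release 1.4.21, fixes CVE-2016-6313 (Closes: #834893)` so the security tracker and users can match this upload to the advisory. Two smaller points on the same header line: `urgency=medium` is unusual for an upload whose main purpose is a security fix, and since this entry is in the gnupg1 source package while #834893 is filed against src:gnupg, a brief mention of the rename in the entry would tell tracker readers why the close comes from a differently named package.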



Removed tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 29 Aug 2016 15:45:04 GMT) (full text, mbox, link).


Reply sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
You have taken responsibility. (Mon, 29 Aug 2016 16:24:16 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 29 Aug 2016 16:24:16 GMT) (full text, mbox, link).


Message #19 received at 834893-close@bugs.debian.org (full text, mbox, reply):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: 834893-close@bugs.debian.org
Subject: Bug#834893: fixed in gnupg1 1.4.21-1
Date: Mon, 29 Aug 2016 16:21:10 +0000
Source: gnupg1
Source-Version: 1.4.21-1

We believe that the bug you reported is fixed in the latest version of
gnupg1, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 834893@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Kahn Gillmor <dkg@fifthhorseman.net> (supplier of updated gnupg1 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Mon, 29 Aug 2016 10:03:15 -0400
Source: gnupg1
Binary: gnupg1 gnupg1-curl gpgv1 gpgv1.4-udeb gnupg1-l10n
Architecture: source
Version: 1.4.21-1
Distribution: unstable
Urgency: medium
Maintainer: Debian GnuPG-Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>
Changed-By: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Description:
 gnupg1     - GNU privacy guard - a free PGP replacement ("classic" version)
 gnupg1-curl - GNU privacy guard - a free PGP replacement (cURL helpers for "cla
 gnupg1-l10n - GNU privacy guard "classic" - localization files
 gpgv1      - GNU privacy guard - signature verification tool ("classic" versio
 gpgv1.4-udeb - minimal signature verification tool (udeb)
Closes: 806494 834757 834893
Changes:
 gnupg1 (1.4.21-1) unstable; urgency=medium
 .
   * new upstream release (Closes: #834893)
   * drop already upstreamed patches, refresh remainder
   * build reproducibly (Closes: #806494)
   * gnupg1 is Priority: extra (Closes: #834757)





Bug reopened. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 29 Aug 2016 16:42:11 GMT) (full text, mbox, link).


No longer marked as fixed in versions gnupg/1.4.18-7+deb8u2 and gnupg1/1.4.21-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 29 Aug 2016 16:42:12 GMT) (full text, mbox, link).


Marked as fixed in versions gnupg/1.4.18-7+deb8u2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 29 Aug 2016 16:42:19 GMT) (full text, mbox, link).


Marked as found in versions gnupg/1.4.18-7. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 29 Aug 2016 17:00:24 GMT) (full text, mbox, link).


Reply sent to Debian FTP Masters <ftpmaster@ftp-master.debian.org>:
You have taken responsibility. (Mon, 14 Nov 2016 12:54:03 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 14 Nov 2016 12:54:03 GMT) (full text, mbox, link).


Message #32 received at 834893-done@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 834893-done@bugs.debian.org,
Cc: gnupg@packages.debian.org, gnupg@packages.qa.debian.org
Subject: Bug#844272: Removed package(s) from unstable
Date: Mon, 14 Nov 2016 12:51:04 +0000
Version: 1.4.20-6+rm

Dear submitter,

as the package gnupg has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/844272

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Scott Kitterman (the ftpmaster behind the curtain)



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 29 Dec 2016 09:48:04 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:17:47 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.