Hi Chris, Christopher Allan Webber <cweb...@dustycloud.org> writes:
> Hello all, > > New security release of libgcrypt: > >> Hello! >> >> The GNU project is pleased to announce the availability of Libgcrypt >> version 1.6.5. This is a security fix release to mitigate a new side >> channel attack. >> >> Noteworthy changes in version 1.6.5 >> =================================== >> >> * Mitigate side-channel attack on ECDH with Weierstrass curves >> [CVE-2015-7511]. See http://www.cs.tau.ac.IL/~tromer/ecdh/ for >> details. >> >> * Fix build problem on Solaris. > > Here's a patch. It seems to build fine. > > From f45b192c0e648fea95a98d681d8ecdff3dc15bdb Mon Sep 17 00:00:00 2001 > From: Christopher Allan Webber <cweb...@dustycloud.org> > Date: Tue, 9 Feb 2016 11:49:06 -0800 > Subject: [PATCH] gnu: libgcrypt: Update to 1.6.5. > > * gnu/packages/gnupg.scm (libgcrypt): Update to 1.6.5. Thank you! The summary line should include the CVE, like this: gnu: libgcrypt: Update to 1.6.5 [fixes CVE-2015-7511]. Alas, this will require at least 7000 rebuilds. After the current 'security-updates' branch is merged, this should go on the next 'security-updates' branch, together with more fixes for graphite2 and libsndfile. Mark
