From owner-svn-ports-all@FreeBSD.ORG Sat Aug 17 07:56:13 2013
Return-Path: <owner-svn-ports-all@FreeBSD.ORG>
Delivered-To: svn-ports-all@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
(using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
(No client certificate requested)
by hub.freebsd.org (Postfix) with ESMTP id AA613DBA;
Sat, 17 Aug 2013 07:56:13 +0000 (UTC) (envelope-from bf@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org
[IPv6:2001:1900:2254:2068::e6a:0])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by mx1.freebsd.org (Postfix) with ESMTPS id 88F552AC5;
Sat, 17 Aug 2013 07:56:13 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70])
by svn.freebsd.org (8.14.7/8.14.7) with ESMTP id r7H7uDnY004916;
Sat, 17 Aug 2013 07:56:13 GMT (envelope-from bf@svn.freebsd.org)
Received: (from bf@localhost)
by svn.freebsd.org (8.14.7/8.14.5/Submit) id r7H7uCEF004913;
Sat, 17 Aug 2013 07:56:12 GMT (envelope-from bf@svn.freebsd.org)
Message-Id: <201308170756.r7H7uCEF004913@svn.freebsd.org>
From: Brendan Fabeny <bf@FreeBSD.org>
Date: Sat, 17 Aug 2013 07:56:12 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org,
svn-ports-head@freebsd.org
Subject: svn commit: r324830 - in head/security: libgcrypt vuxml
X-SVN-Group: ports-head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-ports-all@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: SVN commit messages for the ports tree <svn-ports-all.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/svn-ports-all>,
<mailto:svn-ports-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-ports-all>
List-Post: <mailto:svn-ports-all@freebsd.org>
List-Help: <mailto:svn-ports-all-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-ports-all>,
<mailto:svn-ports-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 17 Aug 2013 07:56:13 -0000
Author: bf
Date: Sat Aug 17 07:56:12 2013
New Revision: 324830
URL: http://svnweb.freebsd.org/changeset/ports/324830
Log:
Update security/libgcrypt to 1.5.3 [1], and document the latest gnupg
and libgcrypt vulnerability
PR: 181231
Submitted by: Hirohisa Yamaguchi (maintainer) [1]
Security: http://www.vuxml.org/freebsd/689c2bf7-0701-11e3-9a25-002590860428.html
Modified:
head/security/libgcrypt/Makefile
head/security/libgcrypt/distinfo (contents, props changed)
head/security/vuxml/vuln.xml
Modified: head/security/libgcrypt/Makefile
==============================================================================
--- head/security/libgcrypt/Makefile Sat Aug 17 07:44:35 2013 (r324829)
+++ head/security/libgcrypt/Makefile Sat Aug 17 07:56:12 2013 (r324830)
@@ -2,7 +2,7 @@
# $FreeBSD$
PORTNAME= libgcrypt
-PORTVERSION= 1.5.2
+PORTVERSION= 1.5.3
CATEGORIES= security
MASTER_SITES= ${MASTER_SITE_GNUPG}
MASTER_SITE_SUBDIR= ${PORTNAME}
Modified: head/security/libgcrypt/distinfo
==============================================================================
--- head/security/libgcrypt/distinfo Sat Aug 17 07:44:35 2013 (r324829)
+++ head/security/libgcrypt/distinfo Sat Aug 17 07:56:12 2013 (r324830)
@@ -1,2 +1,2 @@
-SHA256 (libgcrypt-1.5.2.tar.bz2) = e41a4339f50294f3c925f2f71aaf2427eb162d2994da91666dfc32621afe963f
-SIZE (libgcrypt-1.5.2.tar.bz2) = 1507418
+SHA256 (libgcrypt-1.5.3.tar.bz2) = bcf5334e7da352c45de6aec5d2084ce9a1d30029ff4a4a5da13f1848874759d1
+SIZE (libgcrypt-1.5.3.tar.bz2) = 1508530
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Sat Aug 17 07:44:35 2013 (r324829)
+++ head/security/vuxml/vuln.xml Sat Aug 17 07:56:12 2013 (r324830)
@@ -51,6 +51,41 @@ Note: Please add new entries to the beg
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="689c2bf7-0701-11e3-9a25-002590860428">
+ <topic>GnuPG and Libgcrypt -- side-channel attack vulnerability</topic>
+ <affects>
+ <package>
+ <name>gnupg</name>
+ <range><lt>1.4.14</lt></range>
+ </package>
+ <package>
+ <name>libgcrypt</name>
+ <range><lt>1.5.3</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Werner Koch of the GNU project reports:</p>
+ <blockquote cite="http://lists.gnupg.org/pipermail/gnupg-announce/2013q3/000329.html">
+ <p>Noteworthy changes in version 1.5.3:</p>
+ <p>Mitigate the Yarom/Falkner flush+reload side-channel attack on RSA secret keys...</p>
+ <p>Note that Libgcrypt is used by GnuPG 2.x and thus this release fixes the above
+ problem. The fix for GnuPG less than 2.0 can be found in the just released GnuPG
+ 1.4.14.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>http://lists.gnupg.org/pipermail/gnupg-announce/2013q3/000329.html</url>
+ <url>http://lists.gnupg.org/pipermail/gnupg-announce/2013q3/000330.html</url>
+ <url>http://eprint.iacr.org/2013/448</url>
+ </references>
+ <dates>
+ <discovery>2013-07-18</discovery>
+ <entry>2013-08-17</entry>
+ </dates>
+ </vuln>
+
<vuln vid="2b2f6092-0694-11e3-9e8e-000c29f6ae42">
<topic>puppet -- multiple vulnerabilities</topic>
<affects>