Date: Thu, 19 Dec 2013 20:46:46 +0100
From: Remko Lodder <remko@FreeBSD.org>
To: Jun Kuriyama <kuriyama@FreeBSD.org>
Cc: svn-ports-head@freebsd.org, svn-ports-all@freebsd.org, ports-committers@freebsd.org
Subject: Re: svn commit: r336840 - head/security/vuxml
Message-ID: <96ED3AB2-C214-4D66-A9F9-0AF77CD48A8D@FreeBSD.org>
In-Reply-To: <201312181522.rBIFMx07048742@svn.freebsd.org>
References: <201312181522.rBIFMx07048742@svn.freebsd.org>
On 18 Dec 2013, at 16:22, Jun Kuriyama <kuriyama@FreeBSD.org> wrote:

> Author: kuriyama
> Date: Wed Dec 18 15:22:59 2013
> New Revision: 336840
> URL: http://svnweb.freebsd.org/changeset/ports/336840
>
> Log:
> Add about gnupg-1.4.16.

Hi Jun,

The alignment looks a bit weird, please look at my inline comments.

>
> Modified:
> head/security/vuxml/vuln.xml
>
> Modified: head/security/vuxml/vuln.xml
> = =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D > --- head/security/vuxml/vuln.xml Wed Dec 18 15:14:55 2013 = (r336839) > +++ head/security/vuxml/vuln.xml Wed Dec 18 15:22:59 2013 = (r336840)
> @@ -51,6 +51,51 @@ Note: Please add new entries to the beg >=20 > --> > <vuxml xmlns=3D"http://www.vuxml.org/apps/vuxml-1"> > + <vuln vid=3D"2e5715f8-67f7-11e3-9811-b499baab0cbe"> > + <topic>gnupg -- RSA Key Extraction via Low-Bandwidth Acoustic = Cryptanalysis attack</topic> > + <affects> > + <package> > + <name>gnupg</name> > + <range><lt>1.4.16</lt></range> > + </package> > + </affects> > + <description> > + <body xmlns=3D"http://www.w3.org/1999/xhtml"> > + <p>Werner Koch reports:</p> > + <blockquote = cite=3D"http://lists.gnupg.org/pipermail/gnupg-announce/2013q4/000337.html= "> > + <p>CVE-2013-4576 has been assigned to this security bug.</p> > + > + <p>The paper describes two attacks. The first attack allows > +to distinguish keys: An attacker is able to notice which key is > +currently used for decryption. This is in general not a problem but > +may be used to reveal the information that a message, encrypted to a > +commonly not used key, has been received by the targeted machine. We > +do not have a software solution to mitigate this attack.</p>

^^ it seems that there is no indentation here. It should jump in two spaces from the <p> stanza, where 8 spaces becomes a tab.

Can you have a look at that?

Thnx!
Remko

> + > + <p>The second attack is more serious. It is an adaptive > +chosen ciphertext attack to reveal the private key. A possible > +scenario is that the attacker places a sensor (for example a standard > +smartphone) in the vicinity of the targeted machine. That machine is > +assumed to do unattended RSA decryption of received mails, for = example > +by using a mail client which speeds up browsing by opportunistically > +decrypting mails expected to be read soon. While listening to the > +acoustic emanations of the targeted machine, the smartphone will send > +new encrypted messages to that machine and re-construct the private > +key bit by bit.
A 4096 bit RSA key used on a laptop can be revealed > +within an hour.</p> > + </blockquote> > + </body> > + </description> > + <references> > + <cvename>CVE-2013-4576</cvename> > + = <url>http://lists.gnupg.org/pipermail/gnupg-announce/2013q4/000337.html</u= rl> > + </references> > + <dates> > + <discovery>2013-12-18</discovery> > + <entry>2013-12-18</entry> > + </dates> > + </vuln> > + > <vuln vid=3D"0c39bafc-6771-11e3-868f-0025905a4771"> > <topic>asterisk -- multiple vulnerabilities</topic> > <affects>

-- 
/"\   Best regards,                      | remko@FreeBSD.org
\ /   Remko Lodder                       | remko@EFnet
 X    http://www.evilcoder.org/          |
/ \   ASCII Ribbon Campaign              | Against HTML Mail and News
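
Review bot: in the `<blockquote>`, the second quoted paragraph begins "The paper describes two attacks", but the entry never says which paper, and `<references>` lists only the CVE name and the gnupg-announce URL. Quote the sentence from the announcement that introduces the paper, or add a `<url>` for it, so the entry stands on its own. The wrapped lines inside both `<p>` elements ("+to distinguish keys: ...", "+chosen ciphertext attack ...") start directly after the `+` while the tags are indented; indent them under their `<p>`. `<discovery>` and `<entry>` are both 2013-12-18, so confirm that the discovery date is the disclosure date and not a copy of the entry date.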