Subject: Re: svn commit: r336840 - head/security/vuxml
From: Remko Lodder
To: Jun Kuriyama
Cc: svn-ports-head@freebsd.org, svn-ports-all@freebsd.org, ports-committers@freebsd.org
Date: Thu, 19 Dec 2013 20:46:46 +0100
Message-Id: <96ED3AB2-C214-4D66-A9F9-0AF77CD48A8D@FreeBSD.org>
In-Reply-To: <201312181522.rBIFMx07048742@svn.freebsd.org>

On 18 Dec 2013, at 16:22, Jun Kuriyama wrote:

> Author: kuriyama
> Date: Wed Dec 18 15:22:59 2013
> New Revision: 336840
> URL: http://svnweb.freebsd.org/changeset/ports/336840
>
> Log:
> Add about gnupg-1.4.16.

Hi Jun,

The alignment looks a bit weird, please look at my inline comments.

>=20 > Modified: > head/security/vuxml/vuln.xml >=20 > Modified: head/security/vuxml/vuln.xml > = =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D > --- head/security/vuxml/vuln.xml Wed Dec 18 15:14:55 2013 = (r336839) > +++ head/security/vuxml/vuln.xml Wed Dec 18 15:22:59 2013 = (r336840) > @@ -51,6 +51,51 @@ Note: Please add new entries to the beg >=20 > --> > > + > + gnupg -- RSA Key Extraction via Low-Bandwidth Acoustic = Cryptanalysis attack > + > + > + gnupg > + 1.4.16 > + > + > + > + > +

Werner Koch reports:

> +
> +

CVE-2013-4576 has been assigned to this security bug.

> + > +

The paper describes two attacks. The first attack allows > +to distinguish keys: An attacker is able to notice which key is > +currently used for decryption. This is in general not a problem but > +may be used to reveal the information that a message, encrypted to a > +commonly not used key, has been received by the targeted machine. We > +do not have a software solution to mitigate this attack.

^^ it seems that there is no indentation here. It should jump in two spaces from the

stanza, where 8 spaces becomes a tab. Can you have a look at that? Thnx! Remko > + > +

The second attack is more serious. It is an adaptive > +chosen ciphertext attack to reveal the private key. A possible > +scenario is that the attacker places a sensor (for example a standard > +smartphone) in the vicinity of the targeted machine. That machine is > +assumed to do unattended RSA decryption of received mails, for = example > +by using a mail client which speeds up browsing by opportunistically > +decrypting mails expected to be read soon. While listening to the > +acoustic emanations of the targeted machine, the smartphone will send > +new encrypted messages to that machine and re-construct the private > +key bit by bit. A 4096 bit RSA key used on a laptop can be revealed > +within an hour.

> +
> + > +
> + > + CVE-2013-4576 > + = http://lists.gnupg.org/pipermail/gnupg-announce/2013q4/000337.html > + > + > + 2013-12-18 > + 2013-12-18 > + > +
> + > > asterisk -- multiple vulnerabilities > >

-- 
Best regards,
Remko Lodder | remko@FreeBSD.org
http://www.evilcoder.org/
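Review bot: the affects block lists gnupg 1.4.16 as the fixed version, but the quoted advisory text in the description says the first (key-distinguishing) attack has no software mitigation, so a reader of this entry will assume that upgrading to 1.4.16 fully resolves CVE-2013-4576. Consider adding one sentence to the description stating that 1.4.16 addresses only the second, adaptive chosen-ciphertext attack; as written, the description quotes the two attack paragraphs without saying what the fixed version changes. Minor style point on the same hunk: the topic "gnupg -- RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis attack" doubles up "Cryptanalysis attack"; dropping the trailing "attack" reads cleaner.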