Your message dated Fri, 13 Mar 2015 22:02:04 +0000
with message-id <[email protected]>
and subject line Bug#778652: fixed in gnupg 1.4.12-7+deb7u7
has caused the Debian Bug report #778652,
regarding CVE-2015-1606 CVE-2015-1607 -- multiple issues found in GnuPG
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
778652: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778652
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: gnupg2
Version: 2.0.14-2
Tags: security
Control: notfound -1 2.1.2-1
Several coding errors were discovered in GnuPG 2.0 lately by Hanno Böck
as part of the Fuzzing Project:
https://blog.fuzzing-project.org/5-Multiple-issues-in-GnuPG-found-through-keyring-fuzzing-TFPA-0012015.html
These changes are in upstream git, but have not been rolled into an
official release yet, except for 2.1.2 on the upstream "modern" branch.
I believe they go back as far as the version in squeeze, possibly
farther.
--dkg
signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
Source: gnupg
Source-Version: 1.4.12-7+deb7u7
We believe that the bug you reported is fixed in the latest version of
gnupg, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Alessandro Ghedini <[email protected]> (supplier of updated gnupg package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 04 Mar 2015 18:46:34 +0100
Source: gnupg
Binary: gnupg gnupg-curl gpgv gnupg-udeb gpgv-udeb gpgv-win32
Architecture: source all amd64
Version: 1.4.12-7+deb7u7
Distribution: wheezy-security
Urgency: high
Maintainer: Debian GnuPG-Maintainers <[email protected]>
Changed-By: Alessandro Ghedini <[email protected]>
Description:
gnupg - GNU privacy guard - a free PGP replacement
gnupg-curl - GNU privacy guard - a free PGP replacement (cURL)
gnupg-udeb - GNU privacy guard - a free PGP replacement (udeb)
gpgv - GNU privacy guard - signature verification tool
gpgv-udeb - minimal signature verification tool (udeb)
gpgv-win32 - GNU privacy guard - signature verification tool (win32 build)
Closes: 778652
Changes:
gnupg (1.4.12-7+deb7u7) wheezy-security; urgency=high
.
* Use ciphertext blinding for Elgamal decryption to counteract a
side-channel attack as per CVE-2014-3591
* Fix data-dependent timing variations in the modular exponentiation
function that could be used to mount a side-channel attack as per
CVE-2015-0837
* Fix a use-after-free when importing a garbled keyring file
as per CVE-2015-1606 (Closes: #778652)
Checksums-Sha1:
d3ef8848a37897e81bee18af4da865ca4b6e9168 2322 gnupg_1.4.12-7+deb7u7.dsc
e21c7139d23201b004f7b259968d45f0eca37f33 120475
gnupg_1.4.12-7+deb7u7.debian.tar.gz
df8a0ef18df0fb86167128ac6c31d6709c2f9c6b 617064
gpgv-win32_1.4.12-7+deb7u7_all.deb
c03f15e5ee0fba0b77a51e063db87708aee0e422 1956126
gnupg_1.4.12-7+deb7u7_amd64.deb
bc5c60462be7702988e083cf68c7f8edfcb962a5 64308
gnupg-curl_1.4.12-7+deb7u7_amd64.deb
8dae53bc42d1f35054ce35124da8b92f6097f1c2 228244 gpgv_1.4.12-7+deb7u7_amd64.deb
dbe121bae44db6eb6108311f41997c4ede1178b2 354018
gnupg-udeb_1.4.12-7+deb7u7_amd64.udeb
5d32171182e956f8277d44378b1623bbeae23110 130734
gpgv-udeb_1.4.12-7+deb7u7_amd64.udeb
Checksums-Sha256:
edf571e8ebcdb13404c347d5e51041814eb3d1b1b1d9d02e4b18e84b1c90f831 2322
gnupg_1.4.12-7+deb7u7.dsc
0f9b3f60f6f3d3925f30cef59bdee2fdf3e06930cd00b396f4338b14aee0aa82 120475
gnupg_1.4.12-7+deb7u7.debian.tar.gz
27760f636f6dbfe387dfbede1131fe7a0dd5fd3b0ab562213193ffa7cfcadfb5 617064
gpgv-win32_1.4.12-7+deb7u7_all.deb
2920249908a8297f85006def6a55fb99abfcc8466cac2b9f28d01ce8315df065 1956126
gnupg_1.4.12-7+deb7u7_amd64.deb
b626c3320c0ba2c41c5214bf8175c713f3713cc393e9361a977dc0202c197875 64308
gnupg-curl_1.4.12-7+deb7u7_amd64.deb
8361f45f51a7e70e3367e5b2df59fa8defc8648a76afa4159da3f249460f5b33 228244
gpgv_1.4.12-7+deb7u7_amd64.deb
dd7230f9d025c47e8c94e4101e2970e94aed50ec0c65801f9c7cd0a03d6723e1 354018
gnupg-udeb_1.4.12-7+deb7u7_amd64.udeb
4abcb1191d8a3e58d88fb56084f9d784255ba68c767babc3c2819b7a1a689b78 130734
gpgv-udeb_1.4.12-7+deb7u7_amd64.udeb
Files:
6bcf197234014e47eaef8fde4c1f1353 2322 utils important gnupg_1.4.12-7+deb7u7.dsc
253640158f60258ba671108df2dd5382 120475 utils important
gnupg_1.4.12-7+deb7u7.debian.tar.gz
5f15f3ac2f586b95ab21c3f83fd1bf35 617064 utils extra
gpgv-win32_1.4.12-7+deb7u7_all.deb
17916456c6e84c434205bad15e98e902 1956126 utils important
gnupg_1.4.12-7+deb7u7_amd64.deb
56699ccfefc9bb6c39325d746363c018 64308 utils optional
gnupg-curl_1.4.12-7+deb7u7_amd64.deb
91a07e1a42703f0ce59c4a1de60e961d 228244 utils important
gpgv_1.4.12-7+deb7u7_amd64.deb
6d90567115ee873d4ce6c87991cfaed0 354018 debian-installer extra
gnupg-udeb_1.4.12-7+deb7u7_amd64.udeb
2fda838d1101cc202ddd087c8c98b635 130734 debian-installer extra
gpgv-udeb_1.4.12-7+deb7u7_amd64.udeb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBAgAGBQJU/HuHAAoJEK+lG9bN5XPLOxoP/Rfm9JTDRxXpxx92UITduloK
WV1o8/Ad4RbaHoerUETjoWKqIRZ+8nrHNXWQIH1Wrl9eYlnf86fjUY0j+A6p5juR
GbFSwolFk8TA1+r8kTQVzWhIrtY3gnO3OA2F/rflwojZYmXtRj7TBaI/D1VBXkjx
nxg20X7r/mo8EmT1ccRGlDhqxFleL+dqnBOzesSqdaDXvgkSrvyibfX0cSznzrDq
81m687pbuGbFUfQ1xz9pNOU7JqDY5aFPgbDI9+WZsxu78suooNZ73LMssOXio5NZ
7xIU+P8Ngnf6icIccSRl/jT8SRtcroNnPgfm6Eqn1IqXu0j5V5QIrmE6elL1TzYC
oHrduQvfsonpSWPB8Wr0UaOc2LS6ETk+aWhNxNXxrzoawsIaTvE6FQk50MnHn+mZ
OTnmbkhi/0yLxusDOhaq3rOm96qqqLr/Xvkxy82musuxmjRo3y2k1/TycHmpj/pD
V34FGuruj6Z1EF5+m1ct+5jlOEud6Ds6ZsgbEUALPJUMA1EvgBqtMQqe6CsGpZmF
xaR9VR0fL8eTTMHaIJl7N0vWaYNJWHjAHrF+UN4js1TPjBMYOAIJ256Lr2J097x9
CuWC+1KGbKeS+X1AhilUgE69Q2hi7bN0LxrtgGrp1BH7aEDp6FtxEWYj+jGnOfwa
fcJbDt+0XzmfN5tVUVUs
=QvA8
-----END PGP SIGNATURE-----
--- End Message ---