Hi Chris, GnuPG maintainers, GnuTLS maintainers and LTS team,

I have now prepared an updated libgcrypt11 package. I have simply taken the two patches from libgcrypt20 and applied them to libgcrypt11. They applied cleanly with just a little "fuzz".

The debdiff is available here:
http://apt.inguza.net/wheezy-security/libgcrypt11/libgcrypt11.debdiff

And the prepared packages are available here:
http://apt.inguza.net/wheezy-security/libgcrypt11/

I have not tried to reproduce the problem reported as I'm not an expert in cryptography mathematics. And especially not random generators. If anyone knows of a tool to reproduce the random generation problem I'm eager to know.

Regarding regression testing I have installed the built package and tried a few tools that depend on libgcrypt11. However I'm not sure I trigger this function in some way. If anyone knows of a good way to do regression testing of libgcrypt11 I'm eager to know that too.

As this is such a critical function (as Chris clearly pointed out) I'd like as many as possible to have a look at what I have done.

If I do not hear any objections in four days I'll upload the correction. That is on Monday next week.

Thanks in advance and best regards

// Ola

On Thu, Aug 18, 2016 at 11:26 AM, Chris Lamb <[email protected]> wrote:
> [Adding Ola Lundqvist <[email protected]> to CC]
>
>> the Debian LTS team would like to fix the security issues which are
>> currently open in the Wheezy version of libgcrypt11:
>> https://security-tracker.debian.org/tracker/CVE-2016-6313
>
> Ola, I notice that you have claimed this package in data/dla-needed.txt.
>
> As this is an especially sensitive package, it would seem prudent to
> get as many eyes on your debdiffs prior to upload, either from the GnuPG
> maintainers and/or on the debian-lts list.
>
>
> Regards,
>
> --
>       ,''`.
>      : :'  :     Chris Lamb
>      `. `'`      [email protected] / chris-lamb.co.uk
>        `-

--
 --- Inguza Technology AB --- MSc in Information Technology ----
/  [email protected]                    Folkebogatan 26            \
|  [email protected]                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------
