Re: Maintainer for gnupg (and related) packages not responding – CVE unfixed
> On St, 2016-07-20 at 15:32 +, Christian Stadelmann wrote:
>
> Unfortunately libgcrypt-1.7 branch adds algorithms that are potentially
> patent encumbered and I did not obtain response from legal yet. So
> that's the reason why I did not move to 1.7 branch yet.

Ok, so it isn't unmaintained. That's good news. From having no answers to
those bug reports I assumed nobody would care. Looks like I'm wrong.

> As for the CVE - is actually libgcrypt used for ECDH anywhere in
> Fedora? If you provide backport of the fix to 1.6 branch I'll happily
> apply it.

How about updating to 1.6.5, which is just the CVE fix + a build fix? It
doesn't include any new algorithms at all, so there is no need to fear
patents. Adding a note to the libgcrypt bug would be useful.

> > This is not only bad behavior of the maintainer, it also is a bad
> > sign on how security critical updates are handled in Fedora. Those
> > two packages are effectively unmaintained although all of Fedora's
> > security is based on them. This is a pretty ugly situation which
> > needs your attention and (probably) some action.
>
> Really?

Luckily, it isn't as bad as it looked to me. Sorry for the harsh tone.
From seeing no reactions to any of these bugs I concluded that nobody was
caring.

> If that was not a very low impact CVE I'd be willing to spend more time
> on backporting the patch however it isn't.

Still, it is a CVE. And there is no need to backport it, just update
libgcrypt to 1.6.5.

--
security mailing list
security@lists.fedoraproject.org
https://lists.fedoraproject.org/admin/lists/security@lists.fedoraproject.org
Re: Maintainer for gnupg (and related) packages not responding – CVE unfixed
On St, 2016-07-20 at 15:32 +, Christian Stadelmann wrote:
> Hi
>
> I'm writing here since there are many known bugs (mostly fixed
> upstream), including at least one CVE in a bunch of packages critical
> to Fedora's integrity.
>
> Libgcrypt:
> Version 1.7.2 is available:
> https://bugzilla.redhat.com/show_bug.cgi?id=1306064 (note that 3
> updates were missed)
> CVE-2015-7511 libgcrypt: side-channel attack on ECDH with Weierstrass
> curves [fedora-all]: https://bugzilla.redhat.com/show_bug.cgi?id=1306185

Unfortunately the libgcrypt-1.7 branch adds algorithms that are potentially
patent encumbered and I did not obtain a response from legal yet. So
that's the reason why I did not move to the 1.7 branch yet.

As for the CVE - is libgcrypt actually used for ECDH anywhere in Fedora?
If you provide a backport of the fix to the 1.6 branch I'll happily apply
it.

> gnupg2:
> gnupg2 hasn't seen an update in 2 months (3 versions) to Fedora
> stable. According to this automatically created bug report
> https://bugzilla.redhat.com/show_bug.cgi?id=1230986 the maintainer has
> not managed to ship the latest version in >1 year.

I've built gnupg-2.1.13 just recently in Rawhide and was planning to do
updates for released Fedoras, but then upstream released a new version. I
plan to update Rawhide to it by this week and do updates for released
Fedoras in early August.

> This is not only bad behavior of the maintainer, it also is a bad
> sign on how security critical updates are handled in Fedora. Those
> two packages are effectively unmaintained although all of Fedora's
> security is based on them. This is a pretty ugly situation which
> needs your attention and (probably) some action.

Really?

> The second bug report against libgcrypt has a CVE assigned and still
> it is unfixed for months. This must not happen too. There should be
> some mechanism to notify somebody if a maintainer doesn't act on CVEs
> within 3 days.

If that was not a very low impact CVE, I'd be willing to spend more time
on backporting the patch; however, it isn't.

--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
(You'll never know whether the road is wrong though.)