On St, 2016-07-20 at 16:42 +0000, Christian Stadelmann wrote:
> > On St, 2016-07-20 at 15:32 +0000, Christian Stadelmann wrote:
> >
> > Unfortunately libgcrypt-1.7 branch adds algorithms that are
> > potentially patent encumbered and I did not obtain response from
> > legal yet. So that's the reason why I did not move to 1.7 branch yet.
> Ok, so it isn't unmaintained. That's good news. From having no
> answers to those bug reports I assumed nobody would care. Looks like
> I'm wrong.
>
> > As for the CVE - is actually libgcrypt used for ECDH anywhere in
> > Fedora? If you provide backport of the fix to 1.6 branch I'll
> > happily apply it.
> How about updating to 1.6.5, which is just the CVE fix + a build fix?
> It doesn't include any new algorithms at all, so there is no need to
> fear patents.
> Adding a note to the libgcrypt bug would be useful.

I will update libgcrypt to 1.6.5.

> > > This is not only bad behavior of the maintainer, it also is a bad
> > > sign on how security critical updates are handled in Fedora. Those
> > > two packages are effectively unmaintained although all of Fedora's
> > > security is based on them. This is a pretty ugly situation which
> > > needs your attention and (probably) some action.
> > Really?
> Luckily, it isn't as bad as it looked to me. Sorry for the harsh
> tone. From seeing no reactions to any of these bugs I concluded that
> nobody was caring.
>
> > If that was not a very low impact CVE I'd be willing to spend more
> > time on backporting the patch however it isn't.
> Still, it is a CVE. And there is no need to backport it, just update
> libgcrypt to 1.6.5.

For some reason I did not notice the release of 1.6.5. I am sorry for that.

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
(You'll never know whether the road is wrong though.)
--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://lists.fedoraproject.org/admin/lists/security@xxxxxxxxxxxxxxxxxxxxxxx