Re: Maintainer for gnupg (and related) packages not responding – CVE unfixed

On St, 2016-07-20 at 16:42 +0000, Christian Stadelmann wrote:
> > 
> > On St, 2016-07-20 at 15:32 +0000, Christian Stadelmann wrote:
> > 
> > Unfortunately the libgcrypt-1.7 branch adds algorithms that are
> > potentially patent encumbered and I did not obtain a response from
> > legal yet. So that's the reason why I did not move to the 1.7 branch
> > yet.
> Ok, so it isn't unmaintained. That's good news. From having no
> answers to those bug reports I assumed nobody would care. Looks like
> I'm wrong.
> 
> > 
> > As for the CVE - is libgcrypt actually used for ECDH anywhere in
> > Fedora? If you provide a backport of the fix to the 1.6 branch I'll
> > happily apply it.
> How about updating to 1.6.5, which is just the CVE fix + a build fix?
> It doesn't include any new algorithms at all, so there is no need to
> fear patents.
> Adding a note to the libgcrypt bug would be useful.

I will update libgcrypt to 1.6.5.

> > 
> > > 
> > > This is not only bad behavior of the maintainer, it also is a bad
> > > sign on how security critical updates are handled in Fedora. Those
> > > two packages are effectively unmaintained although all of Fedora's
> > > security is based on them. This is a pretty ugly situation which
> > > needs your attention and (probably) some action.
> > Really?
> Luckily, it isn't as bad as it looked to me. Sorry for the harsh
> tone. From seeing no reactions to any of these bugs I concluded that
> nobody was caring.
> 
> > 
> > If that was not a very low impact CVE I'd be willing to spend more
> > time on backporting the patch, however it isn't.
> Still, it is a CVE. And there is no need to backport it, just update
> libgcrypt to 1.6.5.

For some reason I did not notice the release of 1.6.5. I am sorry for
that.

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
(You'll never know whether the road is wrong though.)


--
security mailing list