* [Buildroot] [PATCH] gnupg: security bump to version 1.4.22
@ 2017-08-30 12:01 Baruch Siach
2017-08-30 20:07 ` Thomas Petazzoni
2017-09-06 11:25 ` Peter Korsgaard
0 siblings, 2 replies; 3+ messages in thread
From: Baruch Siach @ 2017-08-30 12:01 UTC (permalink / raw)
To: buildroot
Mitigate a flush+reload side-channel attack on RSA secret keys
dubbed "Sliding right into disaster". For details see
<https://eprint.iacr.org/2017/627>. [CVE-2017-7526]
Switch to https site for better firewall compatibility and security.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
---
package/gnupg/gnupg.hash | 7 +++----
package/gnupg/gnupg.mk | 4 ++--
2 files changed, 5 insertions(+), 6 deletions(-)
diff --git a/package/gnupg/gnupg.hash b/package/gnupg/gnupg.hash
index 8968b00d2b16..abd76cde9c5e 100644
--- a/package/gnupg/gnupg.hash
+++ b/package/gnupg/gnupg.hash
@@ -1,4 +1,3 @@
-# From https://lists.gnu.org/archive/html/info-gnu/2016-08/msg00008.html
-sha1 e3bdb585026f752ae91360f45c28e76e4a15d338 gnupg-1.4.21.tar.bz2
-# Locally computed
-sha256 6b47a3100c857dcab3c60e6152e56a997f2c7862c1b8b2b25adf3884a1ae2276 gnupg-1.4.21.tar.bz2
+# Locally computed based on signature
+# https://gnupg.org/ftp/gcrypt/gnupg/gnupg-1.4.22.tar.bz2.sig
+sha256 9594a24bec63a21568424242e3f198b9d9828dea5ff0c335e47b06f835f930b4 gnupg-1.4.22.tar.bz2
diff --git a/package/gnupg/gnupg.mk b/package/gnupg/gnupg.mk
index b3578b87df99..0ed3e1e063fe 100644
--- a/package/gnupg/gnupg.mk
+++ b/package/gnupg/gnupg.mk
@@ -4,9 +4,9 @@
#
################################################################################
-GNUPG_VERSION = 1.4.21
+GNUPG_VERSION = 1.4.22
GNUPG_SOURCE = gnupg-$(GNUPG_VERSION).tar.bz2
-GNUPG_SITE = ftp://ftp.gnupg.org/gcrypt/gnupg
+GNUPG_SITE = https://gnupg.org/ftp/gcrypt/gnupg
GNUPG_LICENSE = GPL-3.0+
GNUPG_LICENSE_FILES = COPYING
GNUPG_DEPENDENCIES = zlib ncurses $(if $(BR2_PACKAGE_LIBICONV),libiconv)
--
2.14.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [Buildroot] [PATCH] gnupg: security bump to version 1.4.22
2017-08-30 12:01 [Buildroot] [PATCH] gnupg: security bump to version 1.4.22 Baruch Siach
@ 2017-08-30 20:07 ` Thomas Petazzoni
2017-09-06 11:25 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Thomas Petazzoni @ 2017-08-30 20:07 UTC (permalink / raw)
To: buildroot
Hello,
On Wed, 30 Aug 2017 15:01:04 +0300, Baruch Siach wrote:
> Mitigate a flush+reload side-channel attack on RSA secret keys
> dubbed "Sliding right into disaster". For details see
> <https://eprint.iacr.org/2017/627>. [CVE-2017-7526]
>
> Switch to https site for better firewall compatibility and security.
>
> Signed-off-by: Baruch Siach <baruch@tkos.co.il>
> ---
> package/gnupg/gnupg.hash | 7 +++----
> package/gnupg/gnupg.mk | 4 ++--
> 2 files changed, 5 insertions(+), 6 deletions(-)
Applied to master, thanks.
Thomas
--
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com
^ permalink raw reply [flat|nested] 3+ messages in thread
* [Buildroot] [PATCH] gnupg: security bump to version 1.4.22
2017-08-30 12:01 [Buildroot] [PATCH] gnupg: security bump to version 1.4.22 Baruch Siach
2017-08-30 20:07 ` Thomas Petazzoni
@ 2017-09-06 11:25 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2017-09-06 11:25 UTC (permalink / raw)
To: buildroot
>>>>> "Baruch" == Baruch Siach <baruch@tkos.co.il> writes:
> Mitigate a flush+reload side-channel attack on RSA secret keys
> dubbed "Sliding right into disaster". For details see
> <https://eprint.iacr.org/2017/627>. [CVE-2017-7526]
> Switch to https site for better firewall compatibility and security.
> Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Committed to 2017.02.x, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2017-09-06 11:25 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-08-30 12:01 [Buildroot] [PATCH] gnupg: security bump to version 1.4.22 Baruch Siach
2017-08-30 20:07 ` Thomas Petazzoni
2017-09-06 11:25 ` Peter Korsgaard
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox