libgcrypt20 (1.8.1-4ubuntu1.3) bionic-security; urgency=medium

  * SECURITY UPDATE: lack of exponent blinding in ElGamal encryption
    - debian/patches/CVE-2021-33560.patch: harden ElGamal by introducing
      exponent blinding too in cipher/elgamal.c.
    - CVE-2021-33560
  * SECURITY UPDATE: incorrect support of smaller K
    - debian/patches/CVE-2021-40528.patch: fix ElGamal encryption for other
      implementations in cipher/elgamal.c.
    - CVE-2021-40528

 -- Marc Deslauriers <email address hidden>  Tue, 14 Sep 2021 14:36:59 -0400

libgcrypt20 (1.8.1-4ubuntu1.2) bionic-security; urgency=medium

  * SECURITY UPDATE: ECDSA timing attack
    - debian/patches/CVE-2019-13627-1.patch: add mitigation against timing
      attack in cipher/ecc-ecdsa.c, mpi/ec.c.
    - debian/patches/CVE-2019-13627-2.patch: fix use of nonce, use larger
      one in cipher/dsa-common.c, cipher/dsa.c, cipher/ecc-ecdsa.c,
      cipher/ecc-gost.c, cipher/pubkey-internal.h.
    - CVE-2019-13627

 -- Marc Deslauriers <email address hidden>  Thu, 28 Nov 2019 13:53:53 -0500

libgcrypt20 (1.8.1-4ubuntu1.1) bionic-security; urgency=medium

  * SECURITY UPDATE: memory-cache side-channel attack on ECDSA signatures
    - debian/patches/CVE-2018-0495.patch: add blinding for ECDSA in
      cipher/ecc-ecdsa.c.
    - CVE-2018-0495

 -- Marc Deslauriers <email address hidden>  Mon, 18 Jun 2018 09:28:30 -0400

libgcrypt20 (1.8.1-4ubuntu1) bionic; urgency=medium

  * Disable the library reading /proc/sys/crypto/fips_enabled file
    and going into FIPS mode. libgcrypt is not a FIPS certified library.
    (LP: #1748310)
    - debian/patches/disable_fips_enabled_read.patch

 -- Vineetha Pai <email address hidden>  Fri, 16 Feb 2018 13:45:04 -0500

libgcrypt20 (1.8.1-4) unstable; urgency=low

  * Upload to unstable.

 -- Andreas Metzler <email address hidden>  Wed, 15 Nov 2017 18:52:21 +0100

libgcrypt20 (1.7.9-2) unstable; urgency=medium

  * Sync debian/copyright with upstream's LICENSES file, adding the OCB
    license 1. Closes: #879984
  * [lintian] Drop trailing whitespace in control and changelog.
  * [lintian] Sync priorities with override file (extra -> optional).
  * [lintian] Fix typo in copyright file.

 -- Andreas Metzler <email address hidden>  Sat, 04 Nov 2017 16:37:16 +0100

libgcrypt20 (1.7.9-1) unstable; urgency=high

  * New upstream version, mitigates a local side-channel attack on Curve25519
    dubbed "May the Fourth be With You". [CVE-2017-0379] Closes: #873383
    + Drop 30_mpi-Fix-mpi_set_secure.patch

 -- Andreas Metzler <email address hidden>  Sun, 27 Aug 2017 11:56:17 +0200

libgcrypt20 (1.7.8-2ubuntu1) artful; urgency=medium

  * SECURITY UPDATE: Curve25519 side-channel attack
    - debian/patches/CVE-2017-0379.patch: add input validation for X25519
      to cipher/ecc.c, mpi/ec.c, src/mpi.h.
    - CVE-2017-0379

 -- Marc Deslauriers <email address hidden>  Thu, 14 Sep 2017 07:14:32 -0400