[Announce] Libgcrypt 1.7.8 released to fix CVE-2017-7526

Peter Lebbing peter at digitalbrains.com
Tue Jul 4 21:37:05 CEST 2017

On 04/07/17 21:03, Johan Wevers wrote:
> Is that going to be fixed, or is 1.4 now really considered EOL?

I think you need to see it in the context of this part of the announcement:

> Allowing execute access to a box with private keys should be considered
> as a game over condition, anyway.  Thus in practice there are easier
> ways to access the private keys than to mount this side-channel attack.

If you're worried about cross-VM crypto attacks, perhaps host your essential
crypto on a box that doesn't host potentially hostile VM's. Security has its
cost, or: there's no such thing as a free lunch.


I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20170704/5e02dec7/attachment.sig>

More information about the Gnupg-users mailing list