[Announce] Libgcrypt 1.7.8 released to fix CVE-2017-7526

Bernhard Reiter bernhard at intevation.de
Wed Jul 5 16:13:02 CEST 2017


On Tuesday 04 July 2017 18:30:28, Werner Koch wrote:
> On Tue,  4 Jul 2017 12:05, johanw at vulcan.xs4all.nl said:
> > Is 1.4 vulnerable to this attack as well? I know it does not use
> > libgcrypt but I'm not sure about the vulnerability.
>
> Maybe.  And probably also to a lot of other local side channel attacks.

In general I think it would be useful to have information available that 
shows which versions of GnuPG and libgcrypt are exposed to this or other 
weaknesses and what the consequences are.

People now know that there are versions
with this vulnerability and without it.

My concept so far:
not vulnerable:
  libgcrypt 1.7.8
  libgcrypt 1.8 -beta since commit
    Thu, 29 Jun 2017 04:11:37 +0200 (11:11 +0900)
    8725c99ffa41778f382ca97233183bcd687bb0ce

vulnerable 
  libgcrypt v<=?
  GnuPG v1.?

Best regards,
Bernhard
-- 
www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner