GNU bug report logs -
#46183
[PATCH 0/1] Update gcrypt [URGENT SECURITY ISSUE]
Reported by: Ryan Prior <rprior <at> protonmail.com>
Date: Sat, 30 Jan 2021 04:22:02 UTC
Severity: normal
Tags: patch
Done: Ludovic Courtès <ludo <at> gnu.org>
Bug is archived. No further changes may be made.
guix-patches--- via <guix-patches <at> gnu.org> wrote:
> Ryan,
>
> guix-patches--- via wrote:
>> * gnu/packages/gnupg.scm (libcrypt): Update to 1.9.1.
>
> Thanks.
>
>> - (version "1.8.5")
>> + (version "1.9.1")
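Review bot: The commit log entry above this hunk names the variable as `(libcrypt)`, while the package being bumped is libgcrypt; the entry should read `(libgcrypt)` so it matches the definition in gnu/packages/gnupg.scm. Only the `version` line is visible in the quoted hunk, so confirm that the source hash in the package's origin is updated in the same commit, since a bump from "1.8.5" to "1.9.1" fetches a different tarball and the hash is what pins its integrity.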
>
> libgcrypt has 12119(!) dependent packages. Can we use a graft here? This
> nongrafted version can then go to core-updates.
>
> Grafting means we keep these packages built against 1.8.5 and force-feed them
> 1.9.1 instead, which might not work reliably across minor versions but needs to
> be tried before rebuilding the world.
>
> Kind regards,
>
> T G-R
According to the news at https://gnupg.org:
--8<---------------cut here---------------start------------->8---
Libgcrypt 1.9.1 released (2021-01-29) important
Unfortunately we introduced a severe bug in Libgcrypt 1.9.0 released 10 days ago.
If you already started to use version 1.9.0 please update immediately to 1.9.1.
--8<---------------cut here---------------end--------------->8---
Currently the master and staging branches are using libgcrypt 1.8.5 and
core-updates is using 1.8.7. These versions don't have the critical bug
as it was introduced in version 1.9.0. So I think updating libgcrypt on
master is not an emergency, we just have to remember to never use
version 1.9.0.
This bug report was last modified 4 years and 106 days ago.