Details

Description

This bug has an associated CVE id.

Such bugs often have restricted access before publication. Be aware that this bug tracker does not yet encrypt mails to subscribers, so for highly sensitive issues take care what you comment in the report while it is still restricted.

Recent Activity

Jun 14 2018

olf added a comment to T4016: Libgcrypt release 1.8.3.

Thanks.
So what I remembered was 1 year and 1 month off the real EOL date.

Jun 14 2018, 1:21 AM · Release Info, CVE, libgcrypt

Jun 13 2018

werner closed T4011: CVE-2018-0495 as Resolved.
Jun 13 2018, 6:33 PM · CVE, libgcrypt
werner added a comment to T4011: CVE-2018-0495.

Here is our announcement: https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000426.html

Jun 13 2018, 6:32 PM · CVE, libgcrypt
werner added a comment to T4011: CVE-2018-0495.

https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/

Jun 13 2018, 5:40 PM · CVE, libgcrypt
gniibe added a comment to T4011: CVE-2018-0495.

Informed Debian security team about our change of libgcrypt.

Jun 13 2018, 1:02 PM · CVE, libgcrypt
werner changed the visibility for T4011: CVE-2018-0495.
Jun 13 2018, 12:40 PM · CVE, libgcrypt
werner added a comment to T4011: CVE-2018-0495.

A new installer for GnuPG with Libgcrypt 1.8.3 is now available.

Jun 13 2018, 12:38 PM · CVE, libgcrypt
werner added a comment to T4011: CVE-2018-0495.

Releases are now available. Next task is to build a new GnuPG Windows installer.

Jun 13 2018, 10:40 AM · CVE, libgcrypt
werner closed T4016: Libgcrypt release 1.8.3 as Resolved.

1.8.3 and 1.7.10 are now released. Announcement will follow later in the day.

Jun 13 2018, 10:39 AM · Release Info, CVE, libgcrypt
werner closed T4016: Libgcrypt release 1.8.3, a subtask of T4011: CVE-2018-0495, as Resolved.
Jun 13 2018, 10:39 AM · CVE, libgcrypt
gniibe added a comment to T4011: CVE-2018-0495.

Pushed fixes to the repository at 16:00+0900 (09:00+0200). It's 0700Z.

Jun 13 2018, 9:05 AM · CVE, libgcrypt
gniibe added a comment to T4011: CVE-2018-0495.

In master, it's

commit 9010d1576e278a4274ad3f4aa15776c28f6ba965
Author: NIIBE Yutaka <gniibe@fsij.org>
Date:   Wed Jun 13 15:28:58 2018 +0900
Jun 13 2018, 8:59 AM · CVE, libgcrypt
werner updated the task description for T4016: Libgcrypt release 1.8.3.
Jun 13 2018, 8:07 AM · Release Info, CVE, libgcrypt
werner added a comment to T4016: Libgcrypt release 1.8.3.

1.8.3 has not yet been released and thus there are no NEWS entries and there can't be a 1.8.3 tag. You are right that the README still says 1.7. I'll fix that for 1.8.3. Why do you think maintenance of 1.7 stopped? The AUTHORS file and the new EOL statements on the download page say that we are going to maintain it until 2019-06-30.

Jun 13 2018, 8:06 AM · Release Info, CVE, libgcrypt

Jun 12 2018

werner updated subscribers of T4011: CVE-2018-0495.

Publication is planned for the 13th, 1500Z

Jun 12 2018, 1:12 PM · CVE, libgcrypt

Jun 11 2018

olf added a comment to T4016: Libgcrypt release 1.8.3.

I just noticed that a tag for Libgcrypt 1.8.3 seems to be missing: https://dev.gnupg.org/source/libgcrypt/tags/LIBGCRYPT-1.8-BRANCH/

Jun 11 2018, 11:36 PM · Release Info, CVE, libgcrypt
werner closed T4012: Diagnostic is shown with the original filename not being sanitized. as Resolved.
Jun 11 2018, 11:23 AM · gnupg, CVE, Bug Report
werner renamed T4012: Diagnostic is shown with the original filename not being sanitized. from Diagnostic is shown with the original filename not beeing sanitized. to Diagnostic is shown with the original filename not being sanitized..
Jun 11 2018, 11:23 AM · gnupg, CVE, Bug Report
werner closed T4015: Release 1.4.23, a subtask of T4012: Diagnostic is shown with the original filename not being sanitized., as Resolved.
Jun 11 2018, 11:23 AM · gnupg, CVE, Bug Report
werner closed T4015: Release 1.4.23 as Resolved.
Jun 11 2018, 11:23 AM · Release Info, gnupg (gpg14), CVE
werner added a project to T4015: Release 1.4.23: Release Info.
Jun 11 2018, 9:59 AM · Release Info, gnupg (gpg14), CVE
werner added a project to T4016: Libgcrypt release 1.8.3: Release Info.
Jun 11 2018, 9:58 AM · Release Info, CVE, libgcrypt
werner changed the edit policy for T4016: Libgcrypt release 1.8.3.
Jun 11 2018, 9:55 AM · Release Info, CVE, libgcrypt
werner created T4015: Release 1.4.23.
Jun 11 2018, 9:52 AM · Release Info, gnupg (gpg14), CVE
werner renamed T4012: Diagnostic is shown with the original filename not being sanitized. from Diagnostic with original filename is not sanitized. to Diagnostic is shown with the original filename not beeing sanitized..
Jun 11 2018, 9:50 AM · gnupg, CVE, Bug Report

Jun 9 2018

werner removed a project from T4012: Diagnostic is shown with the original filename not being sanitized.: backport.
Jun 9 2018, 11:46 AM · gnupg, CVE, Bug Report
werner added a project to T4012: Diagnostic is shown with the original filename not being sanitized.: backport.
Jun 9 2018, 11:46 AM · gnupg, CVE, Bug Report
werner lowered the priority of T4012: Diagnostic is shown with the original filename not being sanitized. from Unbreak Now! to High.
Jun 9 2018, 11:45 AM · gnupg, CVE, Bug Report

Jun 8 2018

werner added a comment to T4012: Diagnostic is shown with the original filename not being sanitized..

Unfortunately 2.2.8 does not build with older libgpg-error versions. Commit rG18274db32b5dea7fe8db67043a787578c975de4d should fix this.

Jun 8 2018, 10:11 PM · gnupg, CVE, Bug Report
werner added a comment to T4012: Diagnostic is shown with the original filename not being sanitized..

2.2.8 with a fix has been released. Announcement

Jun 8 2018, 3:54 PM · gnupg, CVE, Bug Report
werner edited projects for T4012: Diagnostic is shown with the original filename not being sanitized., added: gnupg; removed gnupg (gpg14).

[Better use the gnupg tag. Specific versions end up on the workboard and there may only be one.]

Jun 8 2018, 12:10 PM · gnupg, CVE, Bug Report
werner edited projects for T4012: Diagnostic is shown with the original filename not being sanitized., added: CVE, gnupg (gpg14); removed gnupg (gpg22).

@dkg can you please take this up with Debian and other distros? See the commit for a brief description.

Jun 8 2018, 11:12 AM · gnupg, CVE, Bug Report
werner edited Description on CVE.
Jun 8 2018, 10:18 AM
werner added a project to T4011: CVE-2018-0495: CVE.
Jun 8 2018, 10:15 AM · CVE, libgcrypt
werner changed the edit policy for CVE.
Jun 8 2018, 10:15 AM