> On St, 2016-07-20 at 15:32 +0000, Christian Stadelmann wrote:
> Unfortunately the libgcrypt-1.7 branch adds algorithms that are potentially
> patent encumbered and I did not obtain a response from legal yet. So
> that's the reason why I did not move to the 1.7 branch yet.
Ok, so it isn't unmaintained. That's good news. From having no answers to those
bug reports I assumed nobody would care. Looks like I'm wrong.
> As for the CVE - is libgcrypt actually used for ECDH anywhere in
> Fedora? If you provide a backport of the fix to the 1.6 branch I'll happily
> apply it.
How about updating to 1.6.5, which is just the CVE fix + a build fix? It doesn't
include any new algorithms at all, so there is no need to fear patents.
Adding a note to the libgcrypt bug would be useful.
> > This is not only bad behavior of the maintainer, it also is a bad
> > sign on how security critical updates are handled in Fedora. Those
> > two packages are effectively unmaintained although all of Fedora's
> > security is based on them. This is a pretty ugly situation which
> > needs your attention and (probably) some action.
> Really?
Luckily, it isn't as bad as it looked to me. Sorry for the harsh tone. From seeing no
reactions to any of these bugs I concluded that nobody cared.
> If that was not a very low impact CVE I'd be willing to spend
> more time on backporting the patch; however, it isn't.
Still, it is a CVE. And there is no need to backport it, just update libgcrypt to 1.6.5.