* [Buildroot] [git commit branch/2017.02.x] gnupg: security bump to version 1.4.22
@ 2017-09-06 11:25 Peter Korsgaard
From: Peter Korsgaard @ 2017-09-06 11:25 UTC (permalink / raw)
To: buildroot
commit: https://git.buildroot.net/buildroot/commit/?id=1519ba33f5f85f4e5e49ec8318886468b8ca788f
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/2017.02.x
Mitigate a flush+reload side-channel attack on RSA secret keys
dubbed "Sliding right into disaster". For details see
<https://eprint.iacr.org/2017/627>. [CVE-2017-7526]
Switch to https site for better firewall compatibility and security.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 453ca1d6ad6aa3d55f44734ed8479ac5fa909d8a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
package/gnupg/gnupg.hash | 7 +++----
package/gnupg/gnupg.mk | 4 ++--
2 files changed, 5 insertions(+), 6 deletions(-)
diff --git a/package/gnupg/gnupg.hash b/package/gnupg/gnupg.hash
index 8968b00..abd76cd 100644
--- a/package/gnupg/gnupg.hash
+++ b/package/gnupg/gnupg.hash
@@ -1,4 +1,3 @@
-# From https://lists.gnu.org/archive/html/info-gnu/2016-08/msg00008.html
-sha1 e3bdb585026f752ae91360f45c28e76e4a15d338 gnupg-1.4.21.tar.bz2
-# Locally computed
-sha256 6b47a3100c857dcab3c60e6152e56a997f2c7862c1b8b2b25adf3884a1ae2276 gnupg-1.4.21.tar.bz2
+# Locally computed based on signature
+# https://gnupg.org/ftp/gcrypt/gnupg/gnupg-1.4.22.tar.bz2.sig
+sha256 9594a24bec63a21568424242e3f198b9d9828dea5ff0c335e47b06f835f930b4 gnupg-1.4.22.tar.bz2
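Review bot: the new header comment in gnupg.hash ("Locally computed based on signature") does not say which key validated gnupg-1.4.22.tar.bz2.sig, so the verification cannot be repeated from this file alone. Suggest recording the fingerprint of the signing key next to the .sig URL. The removed sha1 line was the only entry sourced from an upstream announcement; if the 1.4.22 announcement publishes a checksum, keeping it with its source URL would preserve an independent reference alongside the locally computed sha256.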
diff --git a/package/gnupg/gnupg.mk b/package/gnupg/gnupg.mk
index 182abd6..29c4666 100644
--- a/package/gnupg/gnupg.mk
+++ b/package/gnupg/gnupg.mk
@@ -4,9 +4,9 @@
#
################################################################################
-GNUPG_VERSION = 1.4.21
+GNUPG_VERSION = 1.4.22
GNUPG_SOURCE = gnupg-$(GNUPG_VERSION).tar.bz2
-GNUPG_SITE = ftp://ftp.gnupg.org/gcrypt/gnupg
+GNUPG_SITE = https://gnupg.org/ftp/gcrypt/gnupg
GNUPG_LICENSE = GPLv3+
GNUPG_LICENSE_FILES = COPYING
GNUPG_DEPENDENCIES = zlib ncurses $(if $(BR2_PACKAGE_LIBICONV),libiconv)
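Review bot: the GNUPG_SITE line switches the download location from ftp://ftp.gnupg.org/gcrypt/gnupg to https://gnupg.org/ftp/gcrypt/gnupg in the same hunk as the GNUPG_VERSION bump, which mixes a transport change into a security fix on a stable branch. Suggest splitting it into its own commit so the version bump can be cherry-picked or reverted independently. The integrity of the tarball is checked against the sha256 in gnupg.hash regardless of transport, so the two changes do not depend on each other.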