Update libgcrypt to 1.8.3 to address CVE-2018-0495

Description

pkg audit -F on FreeNAS 11.2-U4 reports:

libgcrypt-1.8.2 is vulnerable:
libgcrypt – side-channel attack vulnerability
CVE: CVE-2018-0495
WWW: https://vuxml.FreeBSD.org/freebsd/9b5162de-6f39-11e8-818e-e8e0b747a45a.html

gnupg-2.2.6 is vulnerable:
gnupg – unsanitized output (CVE-2018-12020)
CVE: CVE-2017-7526
CVE: CVE-2018-12020
WWW: https://vuxml.FreeBSD.org/freebsd/7da0417f-6b24-11e8-84cc-002590acae31.html

Not sure if these are easily exploitable in FreeNAS, but it would be comforting to have them fixed.

Problem/Justification

None

Impact

None

Activity

William Gryzbowski 
June 26, 2019 at 3:17 PM

gnupg does not seem to be exploitable for FreeNAS

Sean McBride 
June 26, 2019 at 3:09 PM

Just updated to 11.2-U5: Looks like you fixed libgcrypt but not gnupg.

Do you prefer to reopen this or shall I create a new ticket?

Alexander Motin 
May 19, 2019 at 8:13 PM

gnupg we are not using in any important service, so I would not care. Local side-channel attack of libgcrypt does not look critical, but we may look at how complicated the update is.

Complete

Created May 8, 2019 at 6:43 PM
Updated July 1, 2022 at 4:31 PM
Resolved June 24, 2019 at 2:05 PM