[rpms/perl-Crypt-DSA] f43: Update to 1.21

public inbox for git-commits@fedoraproject.org
help / color / mirror / Atom feed

* [rpms/perl-Crypt-DSA] f43: Update to 1.21
@ 2026-06-15 10:34 Paul Howarth
  0 siblings, 0 replies; only message in thread
From: Paul Howarth @ 2026-06-15 10:34 UTC (permalink / raw)
  To: git-commits

            A new commit has been pushed.

            Repo   : rpms/perl-Crypt-DSA
            Branch : f43
            Commit : 1864240d1a8b420b7b253a76a1d0f2a24f173858
            Author : Paul Howarth <paul@city-fan.org>
            Date   : 2026-06-15T11:17:50+01:00
            Stats  : +14/-3 in 2 file(s)
            URL    : https://src.fedoraproject.org/rpms/perl-Crypt-DSA/c/1864240d1a8b420b7b253a76a1d0f2a24f173858?branch=f43

            Log:
            Update to 1.21

- New upstream release 1.21
  - Fixed key material reuse for multiple signing events (CVE-2026-12205,
    CWE-323)
    - sign() reused the DSA nonce k across signatures (r and k^-1 were cached
      on the key and not regenerated), allowing private-key recovery from two
      signatures over different messages
    - Now generates a fresh nonce per signature
    - Keys used to sign more than once with an affected version should be
      considered compromised

---
diff --git a/perl-Crypt-DSA.spec b/perl-Crypt-DSA.spec
index da44d1a..d723c54 100644
--- a/perl-Crypt-DSA.spec
+++ b/perl-Crypt-DSA.spec
@@ -1,7 +1,7 @@
 Summary:	Perl module for DSA signatures and key generation
 Name:		perl-Crypt-DSA
-Version:	1.20
-Release:	2%{?dist}
+Version:	1.21
+Release:	1%{?dist}
 License:	GPL-1.0-or-later OR Artistic-1.0-Perl
 Url:		https://metacpan.org/release/Crypt-DSA
 Source0:	https://www.cpan.org/modules/by-module/Crypt/Crypt-DSA-%{version}.tar.gz
@@ -88,6 +88,17 @@ make test
 %{_mandir}/man3/Crypt::DSA::Util.3*
 
 %changelog
+* Mon Jun 15 2026 Paul Howarth <paul@city-fan.org> - 1.21-1
+- Update to 1.21
+  - Fixed key material reuse for multiple signing events (CVE-2026-12205,
+    CWE-323)
+    - sign() reused the DSA nonce k across signatures (r and k^-1 were cached
+      on the key and not regenerated), allowing private-key recovery from two
+      signatures over different messages
+    - Now generates a fresh nonce per signature
+    - Keys used to sign more than once with an affected version should be
+      considered compromised
+
 * Fri Jun 12 2026 Yaakov Selkowitz <yselkowi@redhat.com> - 1.20-2
 - Rebuilt for openssl 4.0
 

diff --git a/sources b/sources
index d094890..804620d 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (Crypt-DSA-1.20.tar.gz) = f181e90a605c5b6c9c02993168015fd26cd8351d0e6eff7044223a55324859bffb497ba53bac77970b613e4b01f93ddc915bff24493c09d215f3eada34324bb9
+SHA512 (Crypt-DSA-1.21.tar.gz) = 915bf901ea1513e0b8b942533bb1b8277da9bdded42cf23b4533290f4d0dbb559ceda5d0111c990e3412bf83d86b45dbf0b6521b0b7e973d4ae542bf2574cd4d

^ permalink raw reply related	[flat|nested] only message in thread

only message in thread, other threads:[~2026-06-15 10:34 UTC | newest]

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2026-06-15 10:34 [rpms/perl-Crypt-DSA] f43: Update to 1.21 Paul Howarth

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox