UbuntuUpdates.org

Package "gnupg"

Name: gnupg

Description:

GNU privacy guard - a free PGP replacement

Latest version: 2.2.4-1ubuntu1.6
Release: bionic (18.04)
Level: security
Repository: main
Head package: gnupg2
Homepage: https://www.gnupg.org/

Links


Download "gnupg"


Other versions of "gnupg" in Bionic

Repository Area Version
base main 2.2.4-1ubuntu1
updates main 2.2.4-1ubuntu1.6

Changelog

Version: 2.2.4-1ubuntu1.6 2022-07-05 21:45:37 UTC

  gnupg2 (2.2.4-1ubuntu1.6) bionic-security; urgency=medium

  * SECURITY UPDATE: signature forgery via injection into the status line
    - debian/patches/CVE-2022-34903.patch: Fix garbled status messages in
      NOTATION_DATA in g10/cpr.c.
    - CVE-2022-34903

 -- Marc Deslauriers <email address hidden> Mon, 04 Jul 2022 12:20:59 -0400

Source diff to previous version
CVE-2022-34903 GnuPG through 2.3.6, in unusual situations where an attacker possesses any secret-key information from a victim's keyring and other constraints (e.g.

Version: 2.2.4-1ubuntu1.5 2022-05-30 09:06:15 UTC

  gnupg2 (2.2.4-1ubuntu1.5) bionic-security; urgency=medium

  * SECURITY UPDATE: Certificate Spamming Attack through SKS
    (LP: #1844059)
    - debian/patches/CVE-2019-13050-1.patch: add option to only accept
      self-signatures when importing a key in g10/import.c,
      g10/options.h and doc/gpg.texi.
    - debian/patches/CVE-2019-13050-2.patch: add fallback when importing
      self-signatures only in g10/import.c.
    - debian/patches/CVE-2019-13050-3.patch: add "self-sigs-only" and
      "import-clean" to the keyserver options in g10/gpg.c and
      doc/gpg.texi.
    - debian/patches/CVE-2019-13050-4.patch: fix regression by ensuring
      KEYID is available on a pending package in g10/import.c.
    - debian/patches/CVE-2019-13050-5.patch: prevent fallback from being
      used if the options are already used in g10/import.c.
    - CVE-2019-13050

 -- David Fernandez Gonzalez <email address hidden> Thu, 26 May 2022 12:24:46 +0200

Source diff to previous version
1844059 Please apply mitigations for CVE-2019-13050
CVE-2019-13050 Interaction between the sks-keyserver code through 1.2.0 of the SKS keyserver network, and GnuPG through 2.2.16, makes it risky to have a GnuPG keyse

Version: 2.2.4-1ubuntu1.3 2020-09-17 19:06:53 UTC

  gnupg2 (2.2.4-1ubuntu1.3) bionic-security; urgency=medium

  * SECURITY UPDATE: signature collisions via insecure SHA-1 algorithm
    - debian/patches/CVE-2019-14855-1.patch: reject certain SHA-1 based
      signatures in g10/sig-check.c.
    - debian/patches/CVE-2019-14855-2.patch: add new option
      --allow-weak-key-signatures in doc/gpg.texi, g10/gpg.c, g10/main.h,
      g10/misc.c, g10/options.h, g10/sig-check.c.
    - debian/patches/CVE-2019-14855-3.patch: forbid the creation of SHA-1
      third-party key signatures in g10/sign.c.
    - debian/patches/CVE-2019-14855-4.patch: adjust tests for now invalid
      SHA-1 key signatures in tests/openpgp/defs.scm.
    - CVE-2019-14855

 -- Marc Deslauriers <email address hidden> Thu, 17 Sep 2020 09:57:57 -0400

Source diff to previous version
CVE-2019-14855 A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 algorithm. An attacker could use this weakness

Version: 2.2.4-1ubuntu1.2 2019-01-10 18:06:36 UTC

  gnupg2 (2.2.4-1ubuntu1.2) bionic-security; urgency=medium

  * SECURITY UPDATE: CSRF in dirmngr
    - debian/patches/CVE-2018-1000858.patch: don't follow a redirect in
      dirmngr/Makefile.am, dirmngr/http.c, dirmngr/http.h,
      dirmngr/ks-engine-hkp.c, dirmngr/ks-engine-http.c,
      dirmngr/t-http-basic.c, dirmngr/t-http.c.
    - CVE-2018-1000858

 -- Marc Deslauriers <email address hidden> Thu, 10 Jan 2019 08:07:03 -0500

Source diff to previous version
CVE-2018-1000858 GnuPG version 2.1.12 - 2.2.11 contains a Cross ite Request Forgery (CSRF) vulnerability in dirmngr that can result in Attacker controlled CSRF, Infor

Version: 2.2.4-1ubuntu1.1 2018-06-11 22:06:49 UTC

  gnupg2 (2.2.4-1ubuntu1.1) bionic-security; urgency=medium

  * SECURITY UPDATE: missing sanitization of verbose output
    - debian/patches/from-master/CVE-2018-12020.patch: Sanitize diagnostic with
      the original file name.
    - CVE-2018-12020
  * SECURITY UPDATE: certify public keys without a certify key present
    when using a smartcard.
    - debian/patches/from-master/CVE-2018-9234-1.patch,
    - debian/patches/from-master/CVE-2018-9234-2.patch: Check that a key
      may do certifications.
    - CVE-2018-9234
  * Always use MDC encryption mode regardless of the cipher algorithm
    or any preferences. The --rfc2440 option can be used to create
    a message without an MDC.
    - debian/patches/from-master/0003-gpg-Remove-MDC-options.patch
  * Decryption of messages not using the MDC mode into a hard
    failure even if a legacy cipher algorithm was used. The
    option --ignore-mdc-error can be used to turn this failure
    into a warning.
    - debian/patches/from-master/0001-gpg-Turn-no-mdc-warn-into-a-NOP.patch
    - debian/patches/from-master/0003-gpg-Remove-MDC-options.patch
    - debian/patches/from-master/0004-gpg-Print-a-hint-on-how-to-decrypt-a-non-mdc-message.patch

 -- Steve Beattie <email address hidden> Sun, 10 Jun 2018 21:54:05 -0700

CVE-2018-12020 mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof
CVE-2018-9234 GnuPG 2.2.4 and 2.2.5 does not enforce a configuration in which key certification requires an offline master Certify key, which results in apparently



About   -   Send Feedback to @ubuntu_updates