UbuntuUpdates.org

Package "gpgv"

Name: gpgv

Description:

GNU privacy guard - signature verification tool

Latest version: 1.4.16-1ubuntu2.6
Release: trusty (14.04)
Level: updates
Repository: main
Head package: gnupg
Homepage: http://www.gnupg.org

Other versions of "gpgv" in Trusty

Repository  Area  Version
base        main  1.4.16-1ubuntu2
security    main  1.4.16-1ubuntu2.6

Changelog

Version: 1.4.16-1ubuntu2.6 2018-08-07 04:08:36 UTC

  gnupg (1.4.16-1ubuntu2.6) trusty-security; urgency=medium

  * SECURITY UPDATE: full RSA key recovery via side-channel attack
    - debian/patches/CVE-2017-7526-1.patch: simplify loop in mpi/mpi-pow.c.
    - debian/patches/CVE-2017-7526-2.patch: use same computation for square
      and multiply in mpi/mpi-pow.c.
    - debian/patches/CVE-2017-7526-3.patch: fix allocation size for mpi_pow
    - debian/patches/CVE-2017-7526-4.patch: add exponent blinding in
      cipher/rsa.c.
    - debian/patches/CVE-2017-7526-5.patch: allow different build directory
    - CVE-2017-7526

 -- Alex Murray <email address hidden> Mon, 06 Aug 2018 10:40:15 +0930

CVE-2017-7526 Use of left-to-right sliding window method allows full RSA key recovery

Version: 1.4.16-1ubuntu2.5 2018-06-11 23:06:47 UTC

  gnupg (1.4.16-1ubuntu2.5) trusty-security; urgency=medium

  * SECURITY UPDATE: missing sanitization of verbose output
    - debian/patches/CVE-2018-12020.patch: Sanitize diagnostic with
      the original file name.
    - CVE-2018-12020

 -- Steve Beattie <email address hidden> Fri, 08 Jun 2018 22:31:18 -0700

CVE-2018-12020 mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof

Version: 1.4.16-1ubuntu2.4 2016-08-18 21:07:11 UTC

  gnupg (1.4.16-1ubuntu2.4) trusty-security; urgency=medium

  * SECURITY UPDATE: random number generator prediction
    - debian/patches/CVE-2016-6313-1.patch: improve readability by using a
      macro in cipher/random.c.
    - debian/patches/CVE-2016-6313-2.patch: hash continuous areas in the
      csprng pool in cipher/random.c.
    - CVE-2016-6313

 -- Marc Deslauriers <email address hidden> Wed, 17 Aug 2016 13:35:58 -0400


Version: 1.4.16-1ubuntu2.3 2015-04-01 16:06:55 UTC

  gnupg (1.4.16-1ubuntu2.3) trusty-security; urgency=medium

  * Screen responses from keyservers (LP: #1409117)
    - d/p/0001-Screen-keyserver-responses.patch
    - d/p/0002-Make-screening-of-keyserver-result-work-with-multi-k.patch
    - d/p/0003-Add-kbnode_t-for-easier-backporting.patch
    - d/p/0004-gpg-Fix-regression-due-to-the-keyserver-import-filte.patch
  * Fix large key size regression from CVE-2014-5270 changes (LP: #1371766)
    - d/p/Add-build-and-runtime-support-for-larger-RSA-key.patch
    - debian/rules: build with --enable-large-secmem
  * SECURITY UPDATE: sidechannel attack on Elgamal
    - debian/patches/CVE-2014-3591.patch: use ciphertext blinding in
      cipher/elgamal.c.
    - CVE-2014-3591
  * SECURITY UPDATE: sidechannel attack via timing variations in mpi_powm
    - debian/patches/CVE-2015-0837.patch: avoid timing variations in
      include/mpi.h, mpi/mpi-pow.c, mpi/mpiutil.c.
    - CVE-2015-0837
  * SECURITY UPDATE: invalid memory read via invalid keyring
    - debian/patches/CVE-2015-1606.patch: skip all packets not allowed in
      a keyring in g10/keyring.c.
    - CVE-2015-1606
  * SECURITY UPDATE: memcpy with overlapping ranges
    - debian/patches/CVE-2015-1607.patch: use inline functions to convert
      buffer data to scalars in g10/apdu.c, g10/app-openpgp.c,
      g10/build-packet.c, g10/ccid-driver.c, g10/getkey.c, g10/keygen.c,
      g10/keyid.c, g10/misc.c, g10/parse-packet.c, g10/tdbio.c,
      g10/trustdb.c, include/host2net.h.
    - CVE-2015-1607

 -- Marc Deslauriers <email address hidden> Fri, 27 Mar 2015 08:22:48 -0400

1371766 Latest CVE-2014-5270 patch breaks ElGamal keys of 16k
CVE-2014-5270 side-channel attack on Elgamal encryption subkeys
CVE-2014-3591 sidechannel attack on Elgamal
CVE-2015-0837 data-dependent timing variations in modular exponentiation
CVE-2015-1606 use after free resulting from failure to skip invalid packets
CVE-2015-1607 memcpy with overlapping ranges, resulting from incorrect bitwise left shifts

Version: 1.4.16-1ubuntu2.1 2014-06-26 20:06:39 UTC

  gnupg (1.4.16-1ubuntu2.1) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service via uncompressing garbled packets
    - debian/patches/CVE-2014-4617.patch: limit number of extra bytes in
      g10/compress.c.
    - CVE-2014-4617

 -- Marc Deslauriers <email address hidden> Thu, 26 Jun 2014 08:26:05 -0400

CVE-2014-4617 The do_uncompress function in g10/compress.c in GnuPG 1.x before ...


