Package "gnupg2"

  gnupg2 (2.2.4-1ubuntu1.6) bionic-security; urgency=medium

  * SECURITY UPDATE: signature forgery via injection into the status line
    - debian/patches/CVE-2022-34903.patch: Fix garbled status messages in
      NOTATION_DATA in g10/cpr.c.
    - CVE-2022-34903

 -- Marc Deslauriers <email address hidden> Mon, 04 Jul 2022 12:20:59 -0400

  gnupg2 (2.2.4-1ubuntu1.5) bionic-security; urgency=medium

  * SECURITY UPDATE: Certificate Spamming Attack through SKS
    (LP: #1844059)
    - debian/patches/CVE-2019-13050-1.patch: add option to only accept
      self-signatures when importing a key in g10/import.c,
      g10/options.h and doc/gpg.texi.
    - debian/patches/CVE-2019-13050-2.patch: add fallback when importing
      self-signatures only in g10/import.c.
    - debian/patches/CVE-2019-13050-3.patch: add "self-sigs-only" and
      "import-clean" to the keyserver options in g10/gpg.c and
      doc/gpg.texi.
    - debian/patches/CVE-2019-13050-4.patch: fix regression by ensuring
      KEYID is available on a pending package in g10/import.c.
    - debian/patches/CVE-2019-13050-5.patch: prevent fallback from being
      used if the options are already used in g10/import.c.
    - CVE-2019-13050

 -- David Fernandez Gonzalez <email address hidden> Thu, 26 May 2022 12:24:46 +0200

  gnupg2 (2.2.4-1ubuntu1.4) bionic; urgency=medium

  * d/p/dirmngr-handle-EAFNOSUPPORT-at-connect_server.patch:
    - Fix IPv6 connectivity for dirmngr (LP: #1910432)
  * Fix autopkgtests (LP: #1825186)
    - add d/t/simple-tests from devel branch
    - remove broken gpgv-win32 test from d/t/control

 -- Heitor Alves de Siqueira <email address hidden> Sat, 16 Jan 2021 14:47:37 +0000

  gnupg2 (2.2.4-1ubuntu1.3) bionic-security; urgency=medium

  * SECURITY UPDATE: signature collisions via insecure SHA-1 algorithm
    - debian/patches/CVE-2019-14855-1.patch: reject certain SHA-1 based
      signatures in g10/sig-check.c.
    - debian/patches/CVE-2019-14855-2.patch: add new option
      --allow-weak-key-signatures in doc/gpg.texi, g10/gpg.c, g10/main.h,
      g10/misc.c, g10/options.h, g10/sig-check.c.
    - debian/patches/CVE-2019-14855-3.patch: forbid the creation of SHA-1
      third-party key signatures in g10/sign.c.
    - debian/patches/CVE-2019-14855-4.patch: adjust tests for now invalid
      SHA-1 key signatures in tests/openpgp/defs.scm.
    - CVE-2019-14855

 -- Marc Deslauriers <email address hidden> Thu, 17 Sep 2020 09:57:57 -0400

  gnupg2 (2.2.4-1ubuntu1.2) bionic-security; urgency=medium

  * SECURITY UPDATE: CSRF in dirmngr
    - debian/patches/CVE-2018-1000858.patch: don't follow a redirect in
      dirmngr/Makefile.am, dirmngr/http.c, dirmngr/http.h,
      dirmngr/ks-engine-hkp.c, dirmngr/ks-engine-http.c,
      dirmngr/t-http-basic.c, dirmngr/t-http.c.
    - CVE-2018-1000858

 -- Marc Deslauriers <email address hidden> Thu, 10 Jan 2019 08:07:03 -0500