UbuntuUpdates.org

Package "gnupg2"

Name: gnupg2

Description:

This package is just an umbrella for a group of other packages; it has no description of its own.
Description samples from packages in group:

  • GNU privacy guard - network certificate management service
  • GNU privacy guard - a free PGP replacement
  • GNU privacy guard - localization files
  • GNU privacy guard - utility programs

Latest version: 2.2.4-1ubuntu1.6
Release: bionic (18.04)
Level: updates
Repository: main

Other versions of "gnupg2" in Bionic

Repository  Area      Version
base        universe  2.2.4-1ubuntu1
base        main      2.2.4-1ubuntu1
security    universe  2.2.4-1ubuntu1.6
security    main      2.2.4-1ubuntu1.6
updates     universe  2.2.4-1ubuntu1.6

Changelog

Version: 2.2.4-1ubuntu1.1 2018-06-11 23:06:52 UTC

  gnupg2 (2.2.4-1ubuntu1.1) bionic-security; urgency=medium

  * SECURITY UPDATE: missing sanitization of verbose output
    - debian/patches/from-master/CVE-2018-12020.patch: Sanitize diagnostic with
      the original file name.
    - CVE-2018-12020
  * SECURITY UPDATE: certify public keys without a certify key present
    when using a smartcard.
    - debian/patches/from-master/CVE-2018-9234-1.patch,
    - debian/patches/from-master/CVE-2018-9234-2.patch: Check that a key
      may do certifications.
    - CVE-2018-9234
  * Always use MDC encryption mode regardless of the cipher algorithm
    or any preferences. The --rfc2440 option can be used to create
    a message without an MDC.
    - debian/patches/from-master/0003-gpg-Remove-MDC-options.patch
  * Decryption of messages not using the MDC mode into a hard
    failure even if a legacy cipher algorithm was used. The
    option --ignore-mdc-error can be used to turn this failure
    into a warning.
    - debian/patches/from-master/0001-gpg-Turn-no-mdc-warn-into-a-NOP.patch
    - debian/patches/from-master/0003-gpg-Remove-MDC-options.patch
    - debian/patches/from-master/0004-gpg-Print-a-hint-on-how-to-decrypt-a-non-mdc-message.patch

 -- Steve Beattie <email address hidden> Sun, 10 Jun 2018 21:54:05 -0700

CVE-2018-12020 mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof
CVE-2018-9234 GnuPG 2.2.4 and 2.2.5 does not enforce a configuration in which key certification requires an offline master Certify key, which results in apparently


