Package "gnupg2"
Name: gnupg2
Description: GNU privacy guard - a free PGP replacement (dummy transitional package)
Latest version: 2.2.4-1ubuntu1.4
Release: bionic (18.04)
Level: updates
Repository: universe
Homepage: https://www.gnupg.org/
Changelog
gnupg2 (2.2.4-1ubuntu1.4) bionic; urgency=medium
* d/p/dirmngr-handle-EAFNOSUPPORT-at-connect_server.patch:
- Fix IPv6 connectivity for dirmngr (LP: #1910432)
* Fix autopkgtests (LP: #1825186)
- add d/t/simple-tests from devel branch
- remove broken gpgv-win32 test from d/t/control
-- Heitor Alves de Siqueira <email address hidden> Sat, 16 Jan 2021 14:47:37 +0000
Bugs fixed:
1910432: dirmngr doesn't work with kernel parameter ipv6.disable=1
1825186: gpgv-win32 autopkgtest always fails
gnupg2 (2.2.4-1ubuntu1.3) bionic-security; urgency=medium
* SECURITY UPDATE: signature collisions via insecure SHA-1 algorithm
- debian/patches/CVE-2019-14855-1.patch: reject certain SHA-1 based
signatures in g10/sig-check.c.
- debian/patches/CVE-2019-14855-2.patch: add new option
--allow-weak-key-signatures in doc/gpg.texi, g10/gpg.c, g10/main.h,
g10/misc.c, g10/options.h, g10/sig-check.c.
- debian/patches/CVE-2019-14855-3.patch: forbid the creation of SHA-1
third-party key signatures in g10/sign.c.
- debian/patches/CVE-2019-14855-4.patch: adjust tests for now invalid
SHA-1 key signatures in tests/openpgp/defs.scm.
- CVE-2019-14855
-- Marc Deslauriers <email address hidden> Thu, 17 Sep 2020 09:57:57 -0400
CVE-2019-14855: A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 algorithm. An attacker could use this weakness
gnupg2 (2.2.4-1ubuntu1.2) bionic-security; urgency=medium
* SECURITY UPDATE: CSRF in dirmngr
- debian/patches/CVE-2018-1000858.patch: don't follow a redirect in
dirmngr/Makefile.am, dirmngr/http.c, dirmngr/http.h,
dirmngr/ks-engine-hkp.c, dirmngr/ks-engine-http.c,
dirmngr/t-http-basic.c, dirmngr/t-http.c.
- CVE-2018-1000858
-- Marc Deslauriers <email address hidden> Thu, 10 Jan 2019 08:07:03 -0500
CVE-2018-1000858: GnuPG version 2.1.12 - 2.2.11 contains a Cross Site Request Forgery (CSRF) vulnerability in dirmngr that can result in Attacker controlled CSRF, Infor
gnupg2 (2.2.4-1ubuntu1.1) bionic-security; urgency=medium
* SECURITY UPDATE: missing sanitization of verbose output
- debian/patches/from-master/CVE-2018-12020.patch: Sanitize diagnostic with
the original file name.
- CVE-2018-12020
* SECURITY UPDATE: certify public keys without a certify key present
when using a smartcard.
- debian/patches/from-master/CVE-2018-9234-1.patch,
- debian/patches/from-master/CVE-2018-9234-2.patch: Check that a key
may do certifications.
- CVE-2018-9234
* Always use MDC encryption mode regardless of the cipher algorithm
or any preferences. The --rfc2440 option can be used to create
a message without an MDC.
- debian/patches/from-master/0003-gpg-Remove-MDC-options.patch
* Turn decryption of messages not using the MDC mode into a hard
failure even if a legacy cipher algorithm was used. The
option --ignore-mdc-error can be used to turn this failure
into a warning.
- debian/patches/from-master/0001-gpg-Turn-no-mdc-warn-into-a-NOP.patch
- debian/patches/from-master/0003-gpg-Remove-MDC-options.patch
- debian/patches/from-master/0004-gpg-Print-a-hint-on-how-to-decrypt-a-non-mdc-message.patch
-- Steve Beattie <email address hidden> Sun, 10 Jun 2018 21:54:05 -0700
CVE-2018-12020: mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof
CVE-2018-9234: GnuPG 2.2.4 and 2.2.5 do not enforce a configuration in which key certification requires an offline master Certify key, which results in apparently