Change log for gnupg package in Ubuntu

76 to 121 of 121 results
Superseded in karmic-release
gnupg (1.4.9-4ubuntu1) karmic; urgency=low

  * Merge from debian unstable, remaining changes:
    - Add 'debian/patches/50_disable_mlock_test.dpatch': Disable mlock() test
      since it fails with ulimit 0 (on buildds).
    - Add 'debian/patches/61_use_agent_default.dpatch': Patch to set gpg
      (or gpg2) and gpgsm to use a passphrase agent by default (lp: 15485)
    - Add libcurl4-gnutls-dev to Build-Depends to fix gpg running into a
      timeout updating the keyring (lp: 62864)
    - Add 'debian/patches/55_curl_typefix.dpatch': Fix a build error with recent
      curl and gcc 4.3

Superseded in karmic-release
Obsolete in jaunty-release
Obsolete in intrepid-release
gnupg (1.4.9-3ubuntu1) intrepid; urgency=low

  * Merge from debian unstable (lp: #225005), remaining changes:
    - Add 'debian/patches/50_disable_mlock_test.dpatch': Disable mlock() test
      since it fails with ulimit 0 (on buildds).
    - Add 'debian/patches/61_use_agent_default.dpatch': Patch to set gpg
      (or gpg2) and gpgsm to use a passphrase agent by default (lp: 15485)
    - Add libcurl4-gnutls-dev to Build-Depends to fix gpg running into a
      timeout updating the keyring (lp: 62864)
  * Dropped Ubuntu patches, applied upstream:
    - 50_show_primary_only.dpatch
    - 60_install_options_skel.dpatch
  * Add 'debian/patches/55_curl_typefix.dpatch': Fix a build error with recent
    curl and gcc 4.3 (lp: #247679). Patch taken from upstream:
    http://lists.gnupg.org/pipermail/gnupg-devel/2008-April/024344.html

Superseded in intrepid-release
Obsolete in hardy-release
gnupg (1.4.6-2ubuntu5) hardy; urgency=low

  * No-change rebuild against libldap-2.4-2.

 -- Steve Langasek <email address hidden>   Wed, 23 Jan 2008 10:49:38 +0000
Superseded in hardy-release
Obsolete in gutsy-release
gnupg (1.4.6-2ubuntu4) gutsy; urgency=low

  * debian/patches/70_trust_error.dpatch: Removed as it broke setting the
    trust level to 1 (LP: #147343).

 -- Michael Bienia <email address hidden>   Mon, 01 Oct 2007 21:52:52 +0200
Obsolete in feisty-backports
gnupg (1.4.6-2ubuntu3~feisty1) feisty-backports; urgency=low

  * Feisty backport

 -- Jonathan Riddell <email address hidden>   Thu,  2 Aug 2007 09:40:55 +0000
Superseded in gutsy-release
gnupg (1.4.6-2ubuntu3) gutsy; urgency=low

  [ Scott Kitterman ]
  * Add 'debian/patches/60_install_options_skel.dpatch': Patch to
    install options file from upstream (LP: #76983)
  * Add 'debian/patches/61_use_agent_default.dpatch': Patch to set gpg
    (or gpg2) and gpgsm to use a passphrase agent by default (LP: #15485)
  * Add 'debian/patches/70_trust_error.dpatch': Patch to disallow illegal
    zero response for trust level changes (LP: #39459)

  [ Michael Bienia ]
  * Add libcurl4-gnutls-dev to Build-Depends to fix gpg running into a timeout
    updating the keyring (LP: #62864)

 -- Michael Bienia <email address hidden>   Fri, 06 Jul 2007 20:56:05 +0200
Superseded in gutsy-release
gnupg (1.4.6-2ubuntu2) gutsy; urgency=low

  * Add 'debian/patches/50_show_primary_only.dpatch': add
    'show-primary-uid-only' to verify options, to suppress 'aka' output
    in key verifications, backported from 1.4.7 upstream.

 -- Kees Cook <email address hidden>   Tue, 15 May 2007 12:09:41 -0700
Superseded in gutsy-release
gnupg (1.4.6-2ubuntu1) gutsy; urgency=low

  * Merge from debian unstable, remaining changes:
    - config.h.in: Disable mlock() test since it fails with ulimit 0 (on
      buildds).
    - debian/rules:
      + Do not install gpg as suid root, since that is not necessary with
        kernels 2.6.8+.
      + Make the build fail if the test suite fails.
    - debian/control: Maintainer field update.

Obsolete in edgy-updates
Obsolete in edgy-security
gnupg (1.4.3-2ubuntu3.3) edgy-security; urgency=low

  * SECURITY UPDATE: without --status-fd, forged inline sigs can appear valid.
  * debian/patches/50_stop_multiple_messages.dpatch: ported upstream patch.
  * References
    ftp://ftp.gnupg.org/gcrypt/gnupg/patches/gnupg-1.4.6-multiple-message.patch
    CVE-2007-1263

 -- Kees Cook <email address hidden>   Wed,  7 Mar 2007 14:10:02 -0800
Obsolete in dapper-updates
Obsolete in dapper-security
gnupg (1.4.2.2-1ubuntu2.5) dapper-security; urgency=low

  * SECURITY UPDATE: without --status-fd, forged inline sigs can appear valid.
  * debian/patches/50_stop_multiple_messages.dpatch: ported upstream patch.
  * References
    ftp://ftp.gnupg.org/gcrypt/gnupg/patches/gnupg-1.4.6-multiple-message.patch
    CVE-2007-1263

 -- Kees Cook <email address hidden>   Wed,  7 Mar 2007 14:13:56 -0800
Obsolete in breezy-security
gnupg (1.4.1-1ubuntu1.7) breezy-security; urgency=low

  * SECURITY UPDATE: without --status-fd, forged inline sigs can appear valid.
  * debian/patches/50_stop_multiple_messages.dpatch: ported upstream patch.
  * References
    ftp://ftp.gnupg.org/gcrypt/gnupg/patches/gnupg-1.4.6-multiple-message.patch
    CVE-2007-1263

 -- Kees Cook <email address hidden>   Wed,  7 Mar 2007 14:31:54 -0800
Superseded in gutsy-release
Obsolete in feisty-release
gnupg (1.4.6-1ubuntu2) feisty; urgency=low

  * SECURITY UPDATE: without --status-fd, forged inline sigs can appear valid.
  * debian/patches/50_stop_multiple_messages.dpatch: upstream patch.
  * References
    ftp://ftp.gnupg.org/gcrypt/gnupg/patches/gnupg-1.4.6-multiple-message.patch
    CVE-2007-1263

 -- Kees Cook <email address hidden>   Wed,  7 Mar 2007 11:53:20 -0800
Superseded in feisty-release
gnupg (1.4.6-1ubuntu1) feisty; urgency=low

  * Merge from debian unstable, remaining changes:
    - config.h.in: Disable mlock() test since it fails with ulimit 0 (on
      buildds).
    - debian/rules:
      + Do not install gpg as suid root, since that is not necessary with
        kernels 2.6.8+.
      + Make the build fail if the test suite fails.

Superseded in edgy-security
gnupg (1.4.3-2ubuntu3.2) edgy-security; urgency=low

  * SECURITY UPDATE: unwound stack data use, leading to arbitrary code
    execution.
  * Add debian/patches/29_dxf_context_stack.dpatch: upstream patch, use heap
    for allocation instead.
  * References
    http://lists.gnupg.org/pipermail/gnupg-announce/2006q4/000491.html
    CVE-2006-6235

 -- Kees Cook <email address hidden>   Wed,  6 Dec 2006 11:56:02 -0800
Superseded in dapper-security
gnupg (1.4.2.2-1ubuntu2.4) dapper-security; urgency=low

  * SECURITY UPDATE: unwound stack data use, leading to arbitrary code
    execution.
  * Add debian/patches/29_dxf_context_stack.dpatch: upstream patch, use heap
    for allocation instead.
  * References
    http://lists.gnupg.org/pipermail/gnupg-announce/2006q4/000491.html
    CVE-2006-6235

 -- Kees Cook <email address hidden>   Wed,  6 Dec 2006 12:24:58 -0800
Superseded in breezy-security
gnupg (1.4.1-1ubuntu1.6) breezy-security; urgency=low

  * SECURITY UPDATE: unwound stack data use, leading to arbitrary code
    execution.
  * Add debian/patches/29_dxf_context_stack.dpatch: upstream patch, use heap
    for allocation instead.
  * References
    http://lists.gnupg.org/pipermail/gnupg-announce/2006q4/000491.html
    CVE-2006-6235

 -- Kees Cook <email address hidden>   Wed,  6 Dec 2006 13:39:49 -0800
Superseded in feisty-release
gnupg (1.4.5-3ubuntu2) feisty; urgency=low

  * SECURITY UPDATE: unwound stack data use, leading to arbitrary code
    execution.
  * Add debian/patches/29_dxf_context_stack.dpatch: upstream patch, use heap
    for allocation instead.
  * References
    CVE-2006-6235

 -- Kees Cook <email address hidden>   Wed,  6 Dec 2006 11:46:44 -0800
Superseded in edgy-security
gnupg (1.4.3-2ubuntu3.1) edgy-security; urgency=low

  * SECURITY UPDATE: Local arbitrary code execution.
  * Add debian/patches/28_filename_prompt_overflow.dpatch to fix buffer
    overflow, taken from upstream.
  * References
    http://lists.gnupg.org/pipermail/gnupg-announce/2006q4/000241.html

 -- Kees Cook <email address hidden>   Tue, 28 Nov 2006 14:27:31 -0800
Superseded in dapper-security
gnupg (1.4.2.2-1ubuntu2.3) dapper-security; urgency=low

  * SECURITY UPDATE: Local arbitrary code execution.
  * Add debian/patches/28_filename_prompt_overflow.dpatch to fix buffer
    overflow, taken from upstream.
  * References
    http://lists.gnupg.org/pipermail/gnupg-announce/2006q4/000241.html

 -- Kees Cook <email address hidden>   Tue, 28 Nov 2006 13:54:12 -0800
Superseded in breezy-security
gnupg (1.4.1-1ubuntu1.5) breezy-security; urgency=low

  * SECURITY UPDATE: Local arbitrary code execution.
  * Add debian/patches/28_filename_prompt_overflow.dpatch to fix buffer
    overflow, taken from upstream.
  * References
    http://lists.gnupg.org/pipermail/gnupg-announce/2006q4/000241.html

 -- Kees Cook <email address hidden>   Tue, 28 Nov 2006 13:41:10 -0800
Superseded in feisty-release
gnupg (1.4.5-3ubuntu1) feisty; urgency=low

  * Merge to Debian unstable. Remaining Ubuntu changes:
    - config.h.in: Disable mlock() test since it fails with ulimit 0 (on
      buildds).
    - debian/rules:
      + Do not install gpg as suid root, since that is not necessary with
        kernels 2.6.8+.
      + Make the build fail if the test suite fails.

Superseded in feisty-release
gnupg (1.4.5-2ubuntu1) feisty; urgency=low

  * Merge to Debian unstable. Remaining Ubuntu changes:
    - config.h.in: Disable mlock() test since it fails with ulimit 0 (on
      buildds).
    - debian/rules:
      + Do not install gpg as suid root, since that is not necessary with
        kernels 2.6.8+.
      + Make the build fail if the test suite fails.

Superseded in dapper-security
gnupg (1.4.2.2-1ubuntu2.2) dapper-security; urgency=low

  * SECURITY UPDATE: Local arbitrary code execution.
  * Add debian/patches/27_comment_control_overflow.dpatch:
    - Fix buffer overflows in parse_comment() and parse_gpg_control().
    - Patch extracted from stable 1.4.5 release.
    - Reproducer:
      perl -e 'print "\xfd\xff\xff\xff\xff\xfe"'| gpg --no-armor
    - Credit: Evgeny Legerov
    - CVE-2006-3746

 -- Martin Pitt <email address hidden>   Thu,  3 Aug 2006 06:04:42 +0000
Superseded in breezy-security
gnupg (1.4.1-1ubuntu1.4) breezy-security; urgency=low

  * SECURITY UPDATE: Local arbitrary code execution.
  * Add debian/patches/27_comment_control_overflow.dpatch:
    - Fix buffer overflows in parse_comment() and parse_gpg_control().
    - Patch extracted from stable 1.4.5 release.
    - Reproducer:
      perl -e 'print "\xfd\xff\xff\xff\xff\xfe"'| gpg --no-armor
    - Credit: Evgeny Legerov
    - CVE-2006-3746

 -- Martin Pitt <email address hidden>   Thu,  3 Aug 2006 06:18:48 +0000
Obsolete in hoary-security
gnupg (1.2.5-3ubuntu5.5) hoary-security; urgency=low

  * SECURITY UPDATE: Local arbitrary code execution.
  * Add debian/patches/27_comment_control_overflow.dpatch:
    - Fix buffer overflows in parse_comment() and parse_gpg_control().
    - Patch extracted from stable 1.4.5 release.
    - Reproducer:
      perl -e 'print "\xfd\xff\xff\xff\xff\xfe"'| gpg --no-armor
    - Credit: Evgeny Legerov
    - CVE-2006-3746

 -- Martin Pitt <email address hidden>   Thu,  3 Aug 2006 06:21:37 +0000
Superseded in feisty-release
Obsolete in edgy-release
gnupg (1.4.3-2ubuntu3) edgy; urgency=low

  * SECURITY UPDATE: Local arbitrary code execution.
  * Add debian/patches/27_comment_control_overflow.dpatch:
    - Fix buffer overflows in parse_comment() and parse_gpg_control().
    - Patch extracted from stable 1.4.5 release.
    - Reproducer:
      perl -e 'print "\xfd\xff\xff\xff\xff\xfe"'| gpg --no-armor
    - Credit: Evgeny Legerov
    - CVE-2006-3746

 -- Martin Pitt <email address hidden>   Thu,  3 Aug 2006 08:11:46 +0200
Superseded in edgy-release
gnupg (1.4.3-2ubuntu2) edgy; urgency=low

  * Rebuild with current zlib1g-dev to fix udeb shlibdeps. Thanks to Evan
    Dandrea for noticing.

 -- Colin Watson <email address hidden>   Mon, 31 Jul 2006 11:21:55 +0100
Superseded in edgy-release
gnupg (1.4.3-2ubuntu1) edgy; urgency=low

  * Sync with Debian:
    Remaining Ubuntu changes:
    + config.h.in: Disable mlock() test since it fails with ulimit 0 (on
      buildds).
    + debian/patches/20_no_tty_fix.dpatch:
      - dropped, upstream now
    + debian/rules:
      - don't use the included gettext
      - Don't install gpg as suid root, since that is not necessary with
        kernels 2.6.8+
      - Make the build fail if the test suite fails

Superseded in dapper-security
gnupg (1.4.2.2-1ubuntu2.1) dapper-security; urgency=low

  * SECURITY UPDATE: Crash and possibly arbitrary code execution.
  * Add debian/patches/26_user_id_overflow.dpatch:
    - Cap size of user ID packets to avoid overflow.
    - Patch ported from Debian's 1.4.3-2, originally from upstream SVN.
    - CVE-2006-3082

 -- Martin Pitt <email address hidden>   Mon, 26 Jun 2006 12:26:08 +0200
Superseded in breezy-security
gnupg (1.4.1-1ubuntu1.3) breezy-security; urgency=low

  * SECURITY UPDATE: Crash and possibly arbitrary code execution.
  * Add debian/patches/26_user_id_overflow.dpatch:
    - Cap size of user ID packets to avoid overflow.
    - Patch ported from Debian's 1.4.3-2, originally from upstream SVN.
    - CVE-2006-3082

 -- Martin Pitt <email address hidden>   Mon, 26 Jun 2006 10:28:30 +0000
Superseded in hoary-security
gnupg (1.2.5-3ubuntu5.4) hoary-security; urgency=low

  * SECURITY UPDATE: Crash and possibly arbitrary code execution.
  * Add debian/patches/26_user_id_overflow.dpatch:
    - Cap size of user ID packets to avoid overflow.
    - Patch ported from Debian's 1.4.3-2, originally from upstream SVN.
    - CVE-2006-3082

 -- Martin Pitt <email address hidden>   Mon, 26 Jun 2006 10:46:56 +0000
Superseded in edgy-release
Obsolete in dapper-release
gnupg (1.4.2.2-1ubuntu2) dapper; urgency=low

  * debian/rules:
    - Remove --with-included-gettext configure option; use libc's gettext to
      get language pack support. Closes: LP#25609
    - rm'ing locale.alias is not necessary with this change, so change it to
      rm -f to not break the build.

 -- Martin Pitt <email address hidden>   Mon,  3 Apr 2006 18:21:19 +0200
Superseded in breezy-security
gnupg (1.4.1-1ubuntu1.2) breezy-security; urgency=low

  * SECURITY UPDATE: Fix signature verification bypass.
  * Add debian/patches/21_CVE-2006-0049.dpatch:
    - Apply upstream patch to fix correct verification on invalid multiple
      signatures.
    - CVE-2006-0049

 -- Martin Pitt <email address hidden>   Mon, 13 Mar 2006 12:22:57 +0000
Superseded in hoary-security
gnupg (1.2.5-3ubuntu5.3) hoary-security; urgency=low

  * SECURITY UPDATE: Fix signature verification bypass.
  * Add debian/patches/24_multisig.dpatch:
    - Apply upstream patch to fix correct verification on invalid multiple
      signatures.
    - CVE-2006-0049

 -- Martin Pitt <email address hidden>   Mon, 13 Mar 2006 12:44:27 +0000
Obsolete in warty-security
gnupg (1.2.4-4ubuntu2.3) warty-security; urgency=low

  * SECURITY UPDATE: Fix signature verification bypass.
  * Add debian/patches/24_multisig.dpatch:
    - Apply upstream patch to fix correct verification on invalid multiple
      signatures.
    - CVE-2006-0049

 -- Martin Pitt <email address hidden>   Mon, 13 Mar 2006 12:46:22 +0000
Superseded in dapper-release
gnupg (1.4.2.2-1ubuntu1) dapper; urgency=low

  * Resynchronize with Debian, UVF exception approved by Matt. 1.4.2.2 only
    contains a security fix, updated test cases, and updated translations.
  * For reference and to ease future merges, these are the remaining Ubuntu
    changes:
    - debian/rules: Make the build fail if the test suite fails.
    - debian/changelog: Add missing CVE number.
    - Don't install gpg as suid root, since that is not necessary with kernels
      2.6.8+.
    - config.h.in: Disable mlock() test since it fails with ulimit 0 (on
      buildds).
    - debian/patches/20_no_tty_fix.dpatch: Malone #5570

Superseded in breezy-security
gnupg (1.4.1-1ubuntu1.1) breezy-security; urgency=low

  * SECURITY UPDATE: Fix potential signature verification bypass.
  * Add debian/patches/23_verify_exit_code.dpatch:
    - Security fix for a verification weakness in gpgv.  Some input
      could lead to gpgv exiting with 0 even if the detached signature
      file did not carry any signature.  This is not as fatal as it
      might seem because the suggestion has always been not to rely on
      the exit code but to parse the --status-fd messages.  However it
      is likely that gpgv is used in that simplified way and thus we
      do this release.  Same problem with "gpg --verify" but nobody
      should have used this for signature verification without
      checking the status codes anyway.
    - Upstream patch from 1.4.2.1.
    - CVE-2006-0455

 -- Martin Pitt <email address hidden>   Fri, 17 Feb 2006 09:55:02 +0000
Superseded in hoary-security
gnupg (1.2.5-3ubuntu5.2) hoary-security; urgency=low

  * SECURITY UPDATE: Fix potential signature verification bypass.
  * Add debian/patches/23_verify_exit_code.dpatch:
    - Security fix for a verification weakness in gpgv.  Some input
      could lead to gpgv exiting with 0 even if the detached signature
      file did not carry any signature.  This is not as fatal as it
      might seem because the suggestion has always been not to rely on
      the exit code but to parse the --status-fd messages.  However it
      is likely that gpgv is used in that simplified way and thus we
      do this release.  Same problem with "gpg --verify" but nobody
      should have used this for signature verification without
      checking the status codes anyway.
    - Upstream patch from 1.4.2.1.
    - CVE-2006-0455

 -- Martin Pitt <email address hidden>   Fri, 17 Feb 2006 10:39:23 +0000
Superseded in warty-security
gnupg (1.2.4-4ubuntu2.2) warty-security; urgency=low

  * SECURITY UPDATE: Fix potential signature verification bypass.
  * Add debian/patches/23_verify_exit_code.dpatch:
    - Security fix for a verification weakness in gpgv.  Some input
      could lead to gpgv exiting with 0 even if the detached signature
      file did not carry any signature.  This is not as fatal as it
      might seem because the suggestion has always been not to rely on
      the exit code but to parse the --status-fd messages.  However it
      is likely that gpgv is used in that simplified way and thus we
      do this release.  Same problem with "gpg --verify" but nobody
      should have used this for signature verification without
      checking the status codes anyway.
    - Upstream patch from 1.4.2.1.
    - CVE-2006-0455

 -- Martin Pitt <email address hidden>   Fri, 17 Feb 2006 11:11:51 +0000
Superseded in dapper-release
gnupg (1.4.2.1-0ubuntu1) dapper; urgency=low

  * New upstream security bugfix release, only contains the following changes:
    - Security fix for a verification weakness in gpgv.  Some input
      could lead to gpgv exiting with 0 even if the detached signature
      file did not carry any signature.  This is not as fatal as it
      might seem because the suggestion has always been not to rely on
      the exit code but to parse the --status-fd messages.  However it
      is likely that gpgv is used in that simplified way and thus we
      do this release.  Same problem with "gpg --verify" but nobody
      should have used this for signature verification without
      checking the status codes anyway. [CVE-2006-0455]
    - Added a test case for above vulnerability.
  * debian/rules: Call the test suite during build. (Will fail the build
    if the test suite fails.)

 -- Martin Pitt <email address hidden>   Fri, 17 Feb 2006 11:18:27 +0100
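
The gpgv entries above (CVE-2006-0455) and the earlier "without --status-fd" entries (CVE-2007-1263) both come down to deciding from the machine-readable status lines instead of the exit code or the human-readable output. The sketch below is an added example, not code from GnuPG or the Ubuntu package; the function names, the acceptance policy, the fingerprint and the sample status text are all constructed for illustration.

```python
"""Accept a signature only on GnuPG --status-fd evidence, never on the exit code."""

PREFIX = "[GNUPG:] "
# Status keywords that mean a signature was seen but must not be accepted.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def parse_status(text):
    """Return (keyword, args) for each status line; all other output is ignored."""
    events = []
    for line in text.splitlines():
        if line.startswith(PREFIX):
            fields = line[len(PREFIX):].split()
            if fields:
                events.append((fields[0], fields[1:]))
    return events


def verdict(status_text, trusted_fprs, exit_code=0):
    """Return (accepted, reason). exit_code is taken only to show it is unused."""
    events = parse_status(status_text)
    keywords = [k for k, _ in events]
    bad = REJECT.intersection(keywords)
    if bad:
        return False, "rejected status: " + ",".join(sorted(bad))
    valid = [args for k, args in events if k == "VALIDSIG"]
    # Hypothetical policy: exactly one signature, so extra or missing ones fail.
    if len(valid) != 1 or keywords.count("GOODSIG") != 1:
        return False, "expected exactly one good signature, saw %d" % len(valid)
    fpr = valid[0][0] if valid[0] else ""
    if fpr not in trusted_fprs:
        return False, "signer not in trusted set"
    return True, "signed by " + fpr


# Constructed sample data; the fingerprint and key ID are placeholders.
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SIGNER = "89ABCDEF01234567 Example Signer <signer@example.org>"
GOOD = (
    PREFIX + "GOODSIG " + SIGNER + "\n"
    + PREFIX + "VALIDSIG " + FPR + " 2006-02-17 1140170000 0 3 0 17 2 00 " + FPR + "\n"
)
NO_SIG = PREFIX + "NODATA 4\n"                      # no signature event at all
MIXED = GOOD + PREFIX + "BADSIG " + SIGNER + "\n"   # one good, one bad
LOOKALIKE = 'gpg: Good signature from "Example Signer"\n'  # text only, no status

if __name__ == "__main__":
    for name, sample in [("good", GOOD), ("no_sig", NO_SIG),
                         ("mixed", MIXED), ("lookalike", LOOKALIKE)]:
        print(name, verdict(sample, {FPR}, exit_code=0))
```
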
Superseded in dapper-release
gnupg (1.4.2-2ubuntu2) dapper; urgency=low


  * Add 20_no_tty_fix.dpatch:
    - Do not open /dev/tty if --no-tty is specified, since this breaks
      programs like seahorse.
    - Patch also accepted upstream.
    - Thanks to Ryan Lortie <email address hidden> for the patch.
    - Malone #5570

 -- Martin Pitt <email address hidden>  Fri, 16 Dec 2005 16:57:39 +0100
Obsolete in breezy-release
gnupg (1.4.1-1ubuntu1) breezy; urgency=low


  * Resynchronise with Debian, fixing changelog ordering.
  * Added CAN number to previous changelog entry.

 -- Martin Pitt <email address hidden>  Fri, 10 Jun 2005 10:36:38 +0200
Superseded in hoary-security
gnupg (1.2.5-3ubuntu5.1) hoary-security; urgency=low


  * SECURITY UPDATE: Fix possible encryption weakening.
  * Add debian/patches/21_disable_quick_scan.dpatch:
    - Disable quick scan feature to avoid being vulnerable to Serge Mister's
      and Robert Zuccherato's timing attack.
    - CAN-2005-0366

 -- Martin Pitt <email address hidden>  Fri, 19 Aug 2005 16:21:49 +0200
Obsolete in hoary-release
gnupg (1.2.5-3ubuntu5) hoary; urgency=low


  * debian/rules: Call pkgstriptranslations if present (the package does not
    use debhelper, thus it does not happen automatically).

 -- Martin Pitt <email address hidden>  Fri, 18 Mar 2005 13:04:50 +0000
Superseded in warty-security
gnupg (1.2.4-4ubuntu2.1) warty-security; urgency=low


  * SECURITY UPDATE: Fix possible encryption weakening.
  * Add debian/patches/17_disable_quick_scan.dpatch:
    - Disable quick scan feature to avoid being vulnerable to Serge Mister's
      and Robert Zuccherato's timing attack.
    - CAN-2005-0366

 -- Martin Pitt <email address hidden>  Fri, 19 Aug 2005 16:15:14 +0200
Obsolete in warty-release
gnupg (1.2.4-4ubuntu2) warty; urgency=low


  * Do not configure with --with-capabilities, and do not install gnupg as
    suid root any more since the Ubuntu kernel now supports calling mlock() as
    user.
    
 -- Martin Pitt <email address hidden>  Tue, 14 Sep 2004 07:57:14 +0200