Ubuntu
gnupg2 package

  1. Bug #1844059
  2. Comment #6

Comment 6 for bug 1844059

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnupg2 - 2.2.4-1ubuntu1.5

---------------
gnupg2 (2.2.4-1ubuntu1.5) bionic-security; urgency=medium

  * SECURITY UPDATE: Certificate Spamming Attack through SKS
    (LP: #1844059)
    - debian/patches/CVE-2019-13050-1.patch: add option to only accept
      self-signatures when importing a key in g10/import.c,
      g10/options.h and doc/gpg.texi.
    - debian/patches/CVE-2019-13050-2.patch: add fallback when importing
      self-signatures only in g10/import.c.
    - debian/patches/CVE-2019-13050-3.patch: add "self-sigs-only" and
      "import-clean" to the keyserver options in g10/gpg.c and
      doc/gpg.texi.
    - debian/patches/CVE-2019-13050-4.patch: fix regression by ensuring
      KEYID is available on a pending package in g10/import.c.
    - debian/patches/CVE-2019-13050-5.patch: prevent fallback from being
      used if the options are already used in g10/import.c.
    - CVE-2019-13050

 -- David Fernandez Gonzalez <email address hidden> Thu, 26 May 2022 12:24:46 +0200