Change logs for gnupg source package in Lucid

  • gnupg (1.4.10-2ubuntu1.8) lucid-security; urgency=medium
    
      * SECURITY UPDATE: side-channel attack on Elgamal
        - debian/patches/CVE-2014-3591.dpatch: use ciphertext blinding in
          cipher/elgamal.c.
        - CVE-2014-3591
      * SECURITY UPDATE: side-channel attack via timing variations in mpi_powm
        - debian/patches/CVE-2015-0837.dpatch: avoid timing variations in
          include/mpi.h, mpi/mpi-pow.c, mpi/mpiutil.c.
        - CVE-2015-0837
      * SECURITY UPDATE: invalid memory read via invalid keyring
        - debian/patches/CVE-2015-1606.dpatch: skip all packets not allowed in
          a keyring in g10/keyring.c.
        - CVE-2015-1606
      * SECURITY UPDATE: memcpy with overlapping ranges
        - debian/patches/CVE-2015-1607.dpatch: use inline functions to convert
          buffer data to scalars in g10/apdu.c, g10/app-openpgp.c,
          g10/build-packet.c, g10/ccid-driver.c, g10/getkey.c, g10/keygen.c,
          g10/keyid.c, g10/misc.c, g10/parse-packet.c, g10/tdbio.c,
          g10/trustdb.c, include/host2net.h.
        - CVE-2015-1607
     -- Marc Deslauriers <email address hidden>   Wed, 25 Mar 2015 14:34:25 -0400
  • gnupg (1.4.10-2ubuntu1.7) lucid-security; urgency=medium
    
      * SECURITY UPDATE: side-channel attack on Elgamal encryption subkeys
        - debian/patches/CVE-2014-5270.dpatch: use sliding window method for
          exponentiation algorithm in mpi/mpi-pow.c.
        - CVE-2014-5270
     -- Marc Deslauriers <email address hidden>   Tue, 19 Aug 2014 09:44:38 -0400
  • gnupg (1.4.10-2ubuntu1.6) lucid-security; urgency=medium
    
      * SECURITY UPDATE: denial of service via uncompressing garbled packets
        - debian/patches/CVE-2014-4617.dpatch: limit number of extra bytes in
          g10/compress.c.
        - CVE-2014-4617
     -- Marc Deslauriers <email address hidden>   Thu, 26 Jun 2014 08:32:12 -0400
  • gnupg (1.4.10-2ubuntu1.5) lucid-security; urgency=low
    
      * SECURITY UPDATE: RSA Key Extraction via Low-Bandwidth Acoustic
        Cryptanalysis attack
        - debian/patches/CVE-2013-4576.dpatch: Use blinding for the RSA secret
          operation in cipher/random.*, cipher/rsa.c, g10/gpgv.c. Normalize the
          MPIs used as input to secret key functions in cipher/dsa.c,
          cipher/elgamal.c, cipher/rsa.c.
        - CVE-2013-4576
     -- Marc Deslauriers <email address hidden>   Wed, 18 Dec 2013 11:18:09 -0500
  • gnupg (1.4.10-2ubuntu1.4) lucid-security; urgency=low
    
      * SECURITY UPDATE: incorrect no-usage-permitted flag handling
        - debian/patches/CVE-2013-4351.dpatch: correctly handle empty key flags
          in g10/getkey.c, g10/keygen.c, include/cipher.h.
        - CVE-2013-4351
      * SECURITY UPDATE: denial of service via infinite recursion
        - debian/patches/CVE-2013-4402.dpatch: set limits on number of filters
          and nested packets in util/iobuf.c, g10/mainproc.c.
        - CVE-2013-4402
     -- Marc Deslauriers <email address hidden>   Tue, 08 Oct 2013 07:51:47 -0400
  • gnupg (1.4.10-2ubuntu1.3) lucid-security; urgency=low
    
      * SECURITY UPDATE: The path of execution in an exponentiation function may
        depend upon secret key data, allowing a local attacker to determine the
        contents of the secret key through a side-channel attack.
        - debian/patches/CVE-2013-4242.dpatch: always perform the mpi_mul for
          exponents in secure memory. Based on upstream patch.
        - CVE-2013-4242
     -- Seth Arnold <email address hidden>   Tue, 30 Jul 2013 15:56:45 -0700
  • gnupg (1.4.10-2ubuntu1.2) lucid-security; urgency=low
    
      * SECURITY UPDATE: keyring corruption via malformed key import
        - debian/patches/CVE-2012-6085.dpatch: validate PKTTYPE in g10/import.c.
        - CVE-2012-6085
     -- Marc Deslauriers <email address hidden>   Tue, 08 Jan 2013 10:55:50 -0500
  • gnupg (1.4.10-2ubuntu1.1) lucid-security; urgency=low
    
      * debian/patches/long-keyids.dpatch: Use the longest key ID available
        when requesting a key from a key server.
     -- Marc Deslauriers <email address hidden>   Tue, 14 Aug 2012 08:41:19 -0400
  • gnupg (1.4.10-2ubuntu1) lucid; urgency=low
    
      * Merge from Debian testing (lp: #503064, #477818). Remaining changes:
        - Add 'debian/patches/50_disable_mlock_test.dpatch': Disable mlock() test
          since it fails with ulimit 0 (on buildds).
        - Add 'debian/patches/61_use_agent_default.dpatch': Patch to set gpg
          (or gpg2) and gpgsm to use a passphrase agent by default (lp: 15485)
        - Fix udeb build failure on powerpc, building with -O2 instead of -Os.
     -- Michael Bienia <email address hidden>   Mon, 04 Jan 2010 20:06:01 +0100
  • gnupg (1.4.9-4ubuntu7) karmic; urgency=low
    
      * Fix udeb build failure on powerpc, building with -O2 instead of -Os.
    
     -- Matthias Klose <email address hidden>   Sun, 27 Sep 2009 13:49:46 +0200