-
gnupg (1.4.14-1ubuntu2.2) saucy-security; urgency=medium
  * SECURITY UPDATE: denial of service via uncompressing garbled packets
    - debian/patches/CVE-2014-4617.patch: limit number of extra bytes in
      g10/compress.c.
    - CVE-2014-4617
 -- Marc Deslauriers <email address hidden>  Thu, 26 Jun 2014 08:28:58 -0400
-
gnupg (1.4.14-1ubuntu2.1) saucy-security; urgency=low
  * SECURITY UPDATE: RSA Key Extraction via Low-Bandwidth Acoustic
    Cryptanalysis attack
    - debian/patches/CVE-2013-4576.patch: Use blinding for the RSA secret
      operation in cipher/random.*, cipher/rsa.c, g10/gpgv.c. Normalize the
      MPIs used as input to secret key functions in cipher/dsa.c,
      cipher/elgamal.c, cipher/rsa.c.
    - CVE-2013-4576
 -- Marc Deslauriers <email address hidden>  Wed, 18 Dec 2013 11:08:33 -0500
-
gnupg (1.4.14-1ubuntu2) saucy; urgency=low
  * SECURITY UPDATE: incorrect no-usage-permitted flag handling
    - debian/patches/CVE-2013-4351.patch: correctly handle empty key flags
      in g10/getkey.c, g10/keygen.c, include/cipher.h.
    - CVE-2013-4351
  * SECURITY UPDATE: denial of service via infinite recursion
    - debian/patches/CVE-2013-4402.patch: set limits on number of filters
      and nested packets in util/iobuf.c, g10/mainproc.c.
    - CVE-2013-4402
 -- Marc Deslauriers <email address hidden>  Tue, 08 Oct 2013 07:40:27 -0400
-
gnupg (1.4.14-1ubuntu1) saucy; urgency=low
  * Resynchronise with Debian. Remaining changes:
    - Disable mlock() test since it fails with ulimit 0 (on buildds).
    - Set gpg (or gpg2) and gpgsm to use a passphrase agent by default.
    - Only suggest gnupg-curl and libldap; recommendations are pulled into
      minimal, and we don't need the keyserver utilities in a minimal Ubuntu
      system.
    - Remove the Win32 build.

gnupg (1.4.14-1) unstable; urgency=low
  * New upstream release (closes: #717845).
    - Adds IDEA support. Update package description.
    - Fixes security issue: side channel attack on RSA.
      (CVE-2013-4242, closes: #717880).
    - Fixes list-keys hanging at ctrl-C (closes: #399904).
  * Add more smartcard reader udev rules, thanks Niibe Yutaka
    (closes: #691392).
  * Checked for policy 3.9.4, no changes.
 -- Colin Watson <email address hidden>  Fri, 02 Aug 2013 11:27:51 +0100
-
gnupg (1.4.12-7ubuntu1) raring; urgency=low
  * Resynchronise with Debian. Remaining changes:
    - Disable mlock() test since it fails with ulimit 0 (on buildds).
    - Set gpg (or gpg2) and gpgsm to use a passphrase agent by default.
    - Only suggest gnupg-curl and libldap; recommendations are pulled into
      minimal, and we don't need the keyserver utilities in a minimal Ubuntu
      system.
    - Remove the Win32 build.
    - Update config.guess/config.sub for aarch64.

gnupg (1.4.12-7) unstable; urgency=high
  * Apply upstream patch to fix memory and key database corruption
    when importing with invalid keys (CVE-2012-6085, closes: #697108).
 -- Colin Watson <email address hidden>  Tue, 08 Jan 2013 10:47:07 +0000