Univention Bugzilla – Bug 47291
gnupg1: Multiple issues (4.3)
Last modified: 2018-07-04 14:54:05 CEST
New Debian gnupg1 1.4.21-4+deb9u1 fixes:

This update addresses the following issue(s):
* CVE_2017-7526 is open
  CVE_2018-6829 is open
* mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option. For example, the OpenPGP data might represent an original filename that contains line feed characters in conjunction with GOODSIG or VALIDSIG status codes. (CVE-2018-12020)

1.4.21-4+deb9u1 (Fri, 08 Jun 2018 22:19:01 +0200)
* Non-maintainer upload by the Security Team.
* gpg: Sanitize diagnostic with the original file name (CVE-2018-12020)

* CVE-2018-12020 gnupg2: Improper sanitization of filenames allows for the display of fake status messages and the bypass of signature verification (CVE-2018-12020)
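The CVE-2018-12020 description above, as an added example that is not part of the bug report and is not GnuPG code: a small model of what a program reading "--status-fd 2" extracts, before and after the filename in the diagnostic is sanitized, and with a dedicated status descriptor instead. The diagnostic wording, the function names and the sample filename are assumptions constructed for this model.

```python
# Added example: a model of the fd 2 stream, not GnuPG source code.
STATUS_PREFIX = "[GNUPG:] "


def sanitize(name: str) -> str:
    """Escape every non-printable character so the name stays on one line."""
    return "".join(c if c.isprintable() else f"\\x{ord(c):02x}" for c in name)


def gpg_output(name: str, patched: bool) -> tuple:
    """Return (status_text, diagnostic_text) for one decryption.

    The diagnostic wording is an assumption made for this model.
    """
    shown = sanitize(name) if patched else name
    status = STATUS_PREFIX + "DECRYPTION_OKAY\n"
    diagnostic = f"gpg: original file name='{shown}'\n"
    return status, diagnostic


def status_seen(name: str, patched: bool, shared_fd: bool) -> list:
    """Status records a consuming program extracts.

    shared_fd=True models "--status-fd 2": status and diagnostics arrive
    on the same descriptor. shared_fd=False models a dedicated status
    descriptor that diagnostics never reach.
    """
    status, diagnostic = gpg_output(name, patched)
    stream = diagnostic + status if shared_fd else status
    return [line[len(STATUS_PREFIX):]
            for line in stream.splitlines()
            if line.startswith(STATUS_PREFIX)]


# Constructed sample: a name carrying a line feed followed by a status record.
CONSTRUCTED_NAME = "report.txt\n[GNUPG:] GOODSIG 0000000000000000 constructed signer"

if __name__ == "__main__":
    for patched in (False, True):
        for shared in (True, False):
            print(f"patched={patched} shared_fd={shared}:",
                  status_seen(CONSTRUCTED_NAME, patched, shared))
```

Only the unpatched, shared-descriptor case yields a GOODSIG record that GnuPG itself never issued; either sanitizing the name or keeping status output off fd 2 leaves the consumer with the genuine record alone.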
[4.3-1] 301325f9ae Bug #47291: gnupg1 1.4.21-4+deb9u1
 doc/errata/staging/gnupg1.yaml | 13 +++++++++++++
 1 file changed, 13 insertions(+)

<http://10.200.17.11/4.3-1/#1229967953767990246>
<http://jenkins.knut.univention.de:8080/job/UCS-4.3/job/UCS-4.3-1/job/ErrataValidation/233/console>
OK: Jenkins <http://jenkins.knut.univention.de:8080/job/UCS-4.3/job/UCS-4.3-1/job/AutotestJoin/lastCompletedBuild/testReport/>
<http://errata.software-univention.de/ucs/4.3/131.html>