Univention Bugzilla – Full Text Bug Listing

| Summary: | gnupg: multiple issues (3.2) | | |
|---|---|---|---|
| Product: | UCS | Reporter: | Moritz Muehlenhoff <jmm> |
| Component: | Security updates | Assignee: | Arvid Requate <requate> |
| Status: | CLOSED FIXED | QA Contact: | Daniel Tröder <troeder> |
| Severity: | normal | | |
| Priority: | P2 | CC: | gohmann, requate |
| Version: | UCS 3.2 | | |
| Target Milestone: | UCS 3.2-8-errata | | |
| Hardware: | Other | | |
| OS: | Linux | | |

Description
Moritz Muehlenhoff
2014-11-26 15:03:05 CET
The version in UCS 4.0 is already fixed.

CVE-2015-1606: use after free when using non-standard keyring
CVE-2015-1607: memcpy with overlapping ranges when using non-standard keyring

Side-channel attack on El-Gamal keys (CVE-2014-3591)
Side-channel attack in the mpi_pow() function (CVE-2015-0837)
Denial of service through malformed keyrings (CVE-2015-1606, CVE-2015-1607)

Fixed in 1.4.10-4+squeeze7: CVE-2013-4576, CVE-2014-3591, CVE-2015-0837, CVE-2015-1606, CVE-2014-5270, CVE-2014-4617

CVE-2015-1607 is classified "too intrusive to backport; minor issue"

Upstream package version imported and built with fixed buildsystem increment.

Advisory: gnupg.yaml

OK: advisory
OK: manual functional test:

    # gpg --gen-key
    # cat /etc/fstab | gpg --detach-sign > fstab.sig
    # gpg --verify fstab.sig /etc/fstab
    → gpg: Korrekte Unterschrift von "Test Univention <test@univention.de>"
    # test "$(sha256sum /etc/fstab | cut -f 1 -d ' ')" = "$(cat /etc/fstab | gpg --encrypt --recipient test@univention.de | gpg --decrypt - | sha256sum | cut -f 1 -d ' ')" && echo OK
    → OK