Bug 37055
| Summary: | gnupg: multiple issues (3.2) | ||
|---|---|---|---|
| Product: | UCS | Reporter: | Moritz Muehlenhoff <jmm> |
| Component: | Security updates | Assignee: | Arvid Requate <requate> |
| Status: | CLOSED FIXED | QA Contact: | Daniel Tröder <troeder> |
| Severity: | normal | ||
| Priority: | P2 | CC: | gohmann, requate |
| Version: | UCS 3.2 | ||
| Target Milestone: | UCS 3.2-8-errata | ||
| Hardware: | Other | ||
| OS: | Linux | ||
| What kind of report is it?: | --- | What type of bug is this?: | --- |
| Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
| User Pain: | Enterprise Customer affected?: | ||
| School Customer affected?: | ISV affected?: | ||
| Waiting Support: | Flags outvoted (downgraded) after PO Review: | ||
| Ticket number: | Bug group (optional): | ||
| Max CVSS v3 score: | |||
|
Description
Moritz Muehlenhoff
The version in UCS 4.0 is already fixed. CVE-2015-1606: use after free when using non-standard keyring CVE-2015-1607: memcpy with overlapping ranges when using non-standard keyring Side-channel attack on El-Gamal keys (CVE-2014-3591) Side-channel attack in the mpi_pow() function (CVE-2015-0837) Denial of service through malformed keyrings (CVE-2015-1606, CVE-2015-1607) Fixed in 1.4.10-4+squeeze7: CVE-2013-4576 CVE-2014-3591 CVE-2015-0837 CVE-2015-1606 CVE-2014-5270 CVE-2014-4617 CVE-2015-1607 is classified "too intrusive to backport; minor issue" Upstream package version imported and built with fixed buildsystem increment. Advisory: gnupg.yaml OK: advisory OK: manual functional test: # gpg --gen-key # cat /etc/fstab | gpg --detach-sign > fstab.sig # gpg --verify fstab.sig /etc/fstab → gpg: Korrekte Unterschrift von "Test Univention <test@univention.de>" # test "$(sha256sum /etc/fstab | cut -f 1 -d ' ')" = "$(cat /etc/fstab | gpg --encrypt --recipient test@univention.de | gpg --decrypt - | sha256sum | cut -f 1 -d ' ')" && echo OK → OK |