Univention Bugzilla – Bug 37055
gnupg: multiple issues (3.2)
Last modified: 2016-06-22 15:05:30 CEST
Side channel attack of ElGamal subkeys (CVE-2014-5270)
The version in UCS 4.0 is already fixed.
CVE-2015-1606: use after free when using non-standard keyring
CVE-2015-1607: memcpy with overlapping ranges when using non-standard keyring
Side-channel attack on El-Gamal keys (CVE-2014-3591)
Side-channel attack in the mpi_pow() function (CVE-2015-0837)
Denial of service through malformed keyrings (CVE-2015-1606, CVE-2015-1607)
Fixed in 1.4.10-4+squeeze7: CVE-2013-4576 CVE-2014-3591 CVE-2015-0837 CVE-2015-1606 CVE-2014-5270 CVE-2014-4617
CVE-2015-1607 is classified "too intrusive to backport; minor issue"
Upstream package version imported and built with fixed buildsystem increment. Advisory: gnupg.yaml
OK: advisory
OK: manual functional test:
# gpg --gen-key
# cat /etc/fstab | gpg --detach-sign > fstab.sig
# gpg --verify fstab.sig /etc/fstab
→ gpg: Korrekte Unterschrift von "Test Univention <test@univention.de>"
# test "$(sha256sum /etc/fstab | cut -f 1 -d ' ')" = "$(cat /etc/fstab | gpg --encrypt --recipient test@univention.de | gpg --decrypt - | sha256sum | cut -f 1 -d ' ')" && echo OK
→ OK
<http://errata.software-univention.de/ucs/3.2/437.html>