Bug 37055 - gnupg: multiple issues (3.2)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 3.2
Hardware: Other Linux
Priority/Severity: P2 normal
Target Milestone: UCS 3.2-8-errata
Assigned To: Arvid Requate
QA Contact: Daniel Tröder
Reported: 2014-11-26 15:03 CET by Moritz Muehlenhoff
Modified: 2016-06-22 15:05 CEST

Description Moritz Muehlenhoff univentionstaff 2014-11-26 15:03:05 CET
Side-channel attack on ElGamal subkeys (CVE-2014-5270)
Comment 1 Moritz Muehlenhoff univentionstaff 2014-11-26 15:03:21 CET
The version in UCS 4.0 is already fixed.
Comment 2 Arvid Requate univentionstaff 2015-02-18 19:50:56 CET
CVE-2015-1606: use after free when using non-standard keyring
CVE-2015-1607: memcpy with overlapping ranges when using non-standard keyring
Comment 3 Moritz Muehlenhoff univentionstaff 2015-03-03 06:43:51 CET
Side-channel attack on ElGamal keys (CVE-2014-3591)
Side-channel attack in the mpi_pow() function (CVE-2015-0837)
Denial of service through malformed keyrings (CVE-2015-1606, CVE-2015-1607)
Comment 4 Arvid Requate univentionstaff 2016-06-13 11:42:58 CEST
Fixed in 1.4.10-4+squeeze7:

CVE-2013-4576 CVE-2014-3591 CVE-2015-0837 CVE-2015-1606 CVE-2014-5270 CVE-2014-4617

CVE-2015-1607 is classified "too intrusive to backport; minor issue"
Comment 5 Arvid Requate univentionstaff 2016-06-13 13:11:42 CEST
Upstream package version imported and built with fixed buildsystem increment.
Advisory: gnupg.yaml
Comment 6 Daniel Tröder univentionstaff 2016-06-20 12:29:20 CEST
OK: advisory
OK: manual functional test:

# gpg --gen-key

# cat /etc/fstab | gpg --detach-sign > fstab.sig
# gpg --verify fstab.sig /etc/fstab
→ gpg: Good signature from "Test Univention <test@univention.de>"

# test "$(sha256sum /etc/fstab | cut -f 1 -d ' ')" = "$(cat /etc/fstab | gpg --encrypt --recipient test@univention.de | gpg --decrypt - | sha256sum | cut -f 1 -d ' ')" && echo OK
→ OK
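A scripted, non-interactive version of the manual test above, added here as an example; it is not part of the bug report or of Univention's QA procedure. It assumes only that a gpg binary (1.4 or 2.x) is on PATH, uses a throwaway GNUPGHOME so the operator's real keyring is never touched, generates the same "Test Univention <test@univention.de>" key unattended from a parameter file, and adds the negative check the manual test lacks (a signature must fail over modified data). The sample input is constructed and stands in for /etc/fstab.

```shell
#!/bin/sh
# Added example (not from the bug report): scripted version of the manual
# gnupg functional test, run in a throwaway GNUPGHOME so it cannot touch the
# operator's real keyring. Assumes gpg (1.4 or 2.x) is on PATH.
set -eu

gpg_functional_test() {
    work=$(mktemp -d)
    GNUPGHOME="$work/home"
    export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"

    # Constructed sample input standing in for /etc/fstab in the original test.
    input="$work/input.txt"
    printf 'proc /proc proc defaults 0 0\n/dev/sda1 / ext4 errors=remount-ro 0 1\n' > "$input"

    # 1. Unattended key generation. %no-protection is understood by gpg 2.1+;
    #    older versions log it as an unknown control statement and still create
    #    an unprotected key because no Passphrase: line is given.
    cat > "$work/params" <<'EOF'
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: Test Univention
Name-Email: test@univention.de
Expire-Date: 0
%no-protection
%commit
EOF
    gpg --batch --quiet --gen-key "$work/params" 2>/dev/null

    # 2. Detached signature over the input, then verify it (exit 0 = good).
    gpg --batch --quiet --output "$input.sig" --detach-sign "$input" 2>/dev/null
    if ! gpg --batch --quiet --verify "$input.sig" "$input" 2>/dev/null; then
        echo "FAIL: good signature did not verify"; return 1
    fi

    # 3. Negative check the manual test lacks: one appended line must break it.
    cp "$input" "$work/tampered"
    printf '#\n' >> "$work/tampered"
    if gpg --batch --quiet --verify "$input.sig" "$work/tampered" 2>/dev/null; then
        echo "FAIL: signature verified over tampered data"; return 1
    fi

    # 4. Encrypt to the test key and decrypt again; compare bytes, not hashes.
    gpg --batch --quiet --trust-model always --recipient test@univention.de \
        --output "$input.gpg" --encrypt "$input" 2>/dev/null
    gpg --batch --quiet --output "$work/roundtrip" --decrypt "$input.gpg" 2>/dev/null
    if ! cmp -s "$input" "$work/roundtrip"; then
        echo "FAIL: decrypt(encrypt(x)) != x"; return 1
    fi

    # Stop the agent that gpg 2.1+ started for this GNUPGHOME, then clean up.
    command -v gpgconf >/dev/null 2>&1 && gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    echo OK
}

gpg_functional_test
```

The function prints OK and returns 0 only if every step passes; the first failing step prints a FAIL line and returns 1, so the script can be used as a post-update smoke test in an errata pipeline. All flags and parameter-file keywords used are standard gpg options.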
Comment 7 Janek Walkenhorst univentionstaff 2016-06-22 15:05:30 CEST
<http://errata.software-univention.de/ucs/3.2/437.html>