Univention Bugzilla – Bug 47290
gnupg2: Multiple issues (4.3)
Last modified: 2018-07-04 14:54:03 CEST
New Debian gnupg2 2.1.18-8~deb9u2 fixes:

This update addresses the following issue(s):
* CVE-2018-9234 is open
* mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option. For example, the OpenPGP data might represent an original filename that contains line feed characters in conjunction with GOODSIG or VALIDSIG status codes. (CVE-2018-12020)

2.1.18-8~deb9u2 (Fri, 08 Jun 2018 20:12:24 +0200)
* Non-maintainer upload by the Security Team.
* gpg: Sanitize diagnostic with the original file name (CVE-2018-12020)

* CVE-2018-12020 gnupg2: Improper sanitization of filenames allows for the display of fake status messages and the bypass of signature verification (CVE-2018-12020)
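Added example (not part of the bug report and not GnuPG code): a small Python model of the CVE-2018-12020 description above, showing how a consumer of a shared "--status-fd 2" stream reads a status keyword out of an unsanitized file-name diagnostic, and how escaping control characters keeps the name on one line. The diagnostic wording, the function names and the sample file name are assumptions constructed for illustration.

```python
# Added example: models the shared status/diagnostic stream of "--status-fd 2".
STATUS_PREFIX = "[GNUPG:] "

# Constructed original file name containing a line feed (placeholder key ID).
CONSTRUCTED_NAME = "report.txt\n[GNUPG:] GOODSIG 0000000000000000 Constructed User"


def escape_controls(name: str) -> str:
    """Escape every non-printable character so the name stays on one line."""
    return "".join(c if c.isprintable() else "\\x%02x" % ord(c) for c in name)


def diagnostic(name: str, sanitize: bool) -> str:
    """Model of a diagnostic line that embeds the original file name.

    The message wording is an assumption made for this example.
    """
    shown = escape_controls(name) if sanitize else name
    return "gpg: original file name='%s'\n" % shown


def status_keywords(stream: str) -> list:
    """Keywords a consumer reads from lines that start with the status prefix."""
    return [
        line[len(STATUS_PREFIX):].split(" ", 1)[0]
        for line in stream.splitlines()
        if line.startswith(STATUS_PREFIX)
    ]


if __name__ == "__main__":
    for sanitize in (False, True):
        stream = diagnostic(CONSTRUCTED_NAME, sanitize)
        print("sanitize=%s -> status keywords: %r" % (sanitize, status_keywords(stream)))
```
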
[4.3-1] 45dd7ecae8 Bug #47290: gnupg2 2.1.18-8~deb9u2
 doc/errata/staging/gnupg2.yaml | 13 +++++++++++++
 1 file changed, 13 insertions(+)

<http://10.200.17.11/4.3-1/#3397546647153217401>
<http://jenkins.knut.univention.de:8080/job/UCS-4.3/job/UCS-4.3-1/job/ErrataValidation/233/console> OK: Jenkins <http://jenkins.knut.univention.de:8080/job/UCS-4.3/job/UCS-4.3-1/job/AutotestJoin/lastCompletedBuild/testReport/>
<http://errata.software-univention.de/ucs/4.3/132.html>