| Summary: | gnupg2 new security issue fixed upstream (CVE-2022-34903) | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, herman.viaene, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA8-64-OK | | |
| Source RPM: | gnupg2-2.2.27-1.mga8.src.rpm | CVE: | |
| Status comment: | Patch available from upstream | | |

Description

David Walser, 2022-06-30 19:41:35 CEST

David Walser, 2022-06-30 19:41:43 CEST

Status comment: (none) => Patch available from upstream

Note this is M8 only. Assuming this patch is for v2... because we have v3... in Cauldron. Assigning to Stig who has done all the latest version updates for this SRPM.

Assignee: bugsquad => smelror

The patch is in upstream master, so it'll be included in the next version update in Cauldron, so I'm not worried about that. It'll need to be backported for Mageia 8.

A CVE has been assigned: https://www.openwall.com/lists/oss-security/2022/07/02/1

Summary: gnupg2 new security issue fixed upstream => gnupg2 new security issue fixed upstream (CVE-2022-34903)

Debian has issued an advisory for this on July 3: https://www.debian.org/security/2022/dsa-5174

Ubuntu has issued an advisory for this on July 5: https://ubuntu.com/security/notices/USN-5503-1

Fedora has issued an advisory for this on July 7: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NPTAR76EIZY7NQFENSOZO7U473257OVZ/

Version 2.3.7 has been released today (July 11) with the fix: https://lists.gnupg.org/pipermail/gnupg-announce/2022q3/000474.html

Advisory
========

Gnupg2 has been updated to fix CVE-2022-34903.

CVE-2022-34903: GnuPG through 2.3.6, in unusual situations where an attacker possesses any secret-key information from a victim's keyring and other constraints (e.g., use of GPGME) are met, allows signature forgery via injection into the status line.

References
==========

https://lists.gnupg.org/pipermail/gnupg-announce/2022q3/000474.html
https://nvd.nist.gov/vuln/detail/CVE-2022-34903

Files
=====

Uploaded to core/updates_testing

gnupg2-2.2.36-1.mga8 from gnupg2-2.2.36-1.mga8.src.rpm

Assignee: smelror => qa-bugs

MGA8-64 Plasma on Acer Aspire 5253

No installation issues. New territory for me, so looked for info on previous bugs and on https://www.devdungeon.com/content/gpg-tutorial

Created a new pair in Kleopatra, then ran the gpg2 --list-keys and gpg2 --list-secret-keys commands to display the key info: worked OK. Then used Kleopatra to encrypt a text file, renamed the resulting .gpg file and decrypted this one (avoiding overwriting the original .txt file), and that all worked OK. Judging from previous updates, this test should be good enough, so OK'ing, unless someone with more in-depth knowledge ...

Whiteboard: (none) => MGA8-64-OK

Validating. Advisory in Comment 8.

CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins, 2022-07-13 19:10:29 CEST

CC: (none) => davidwhodgins

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0259.html

Status: NEW => RESOLVED