The fuzzing project found some bugs in GnuPG and GnuPG2:
The two NULL dereference issues were not assigned CVEs, the other two issues were:
RedHat has said they don't plan to backport fixes for these to RHEL, and Debian has classified them as minor, no-DSA issues, even though one got mentioned in a DSA on March 12 for gnupg:
These sound to be extremely low-severity issues. I've checked in backported patches for all four issues in Mageia 4 SVN for gnupg and gnupg2. They will be included in the next update, whenever that is.
The fixes are already in Cauldron, as it has the latest versions of gnupg and gnupg2.
Steps to Reproduce:
LWN reference for CVE-2015-1607:
Ubuntu has issued an advisory for this today (April 1):
You should submit them to 4/updates testing then, as nobody is listed as maintainer.
No, these ones don't need their own build. As I already said, these fixes are in SVN and will be included in the *next* update, whenever there's a more important issue to fix.
Submitting this update now to get it in before Mageia 4 EOL.
Updated gnupg and gnupg2 packages fix security vulnerabilities:
Hanno BÃ¶ck discovered that GnuPG incorrectly handled certain malformed
keyrings. If a user or automated system were tricked into opening a
malformed keyring, a remote attacker could use this issue to cause GnuPG to
crash, resulting in a denial of service, or possibly execute arbitrary
code (CVE-2015-1606, CVE-2015-1607).
Updated packages in core/updates_testing:
Testing complete Mageia 4 i586 using the procedure.
Validating. Advisory uploaded.
Please push to 4 updates
has_procedure MGA4-32-OK =>
has_procedure advisory MGA4-32-OKCC:
An update for this issue has been pushed to Mageia Updates repository.