Fedora has issued an advisory on April 18:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SNPUPDFKIAJXYPGT2FDGWGY6BMEYSUWM/

The issue was fixed upstream in 2.2.6. Mageia 5 is also affected. It sounds like a fairly minor issue that we could just patch in SVN for now.
Assigning to all packagers collectively, since there is no registered maintainer for this package. CC'ing some committers.
Assignee: bugsquad => pkg-bugs
CC: (none) => geiger.david68210, marja11, ngompa13, smelror
The Red Hat bug has a link to the upstream patch to fix it:
https://bugzilla.redhat.com/show_bug.cgi?id=1563930
Status comment: (none) => Patch available from upstream
Sorry, for Mga6, I thought I was incrementing the sub release number and, in fact, it was the release one. So the new package is not gnupg2-2.1.21-2.1.mga6 but gnupg2-2.1.21-3.mga6.

Suggested advisory:
========================

The updated package fixes a security vulnerability:

GnuPG 2.2.4 and 2.2.5 does not enforce a configuration in which key certification requires an offline master Certify key, which results in apparently valid certifications that occurred only with access to a signing subkey. (CVE-2018-9234)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9234
========================

Updated package in 5/core/updates_testing:
========================
gnupg2-2.0.27-1.1.mga5

from SRPMS:
gnupg2-2.0.27-1.1.mga5.src.rpm

Updated package in 6/core/updates_testing:
========================
gnupg2-2.1.21-3.mga6

from SRPMS:
gnupg2-2.1.21-3.mga6.src.rpm

Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Whiteboard: (none) => MGA5TOO
Assignee: pkg-bugs => qa-bugs
MGA5-32 on Dell Latitude D600 Xfce
No installation issues.
Ref to bug 11306 Comment 3 for tests:
gpg2 --gen-key
accept all defaults and user tester5
$ gpg2 --list-keys
/home/tester5/.gnupg/pubring.gpg
--------------------------------
and listing the keys
$ echo "test test test" > testgpg2.txt
$ ls
testgpg2.txt
$ gpg2 -e -r tester5 testgpg2.txt
$ ls
testgpg2.txt testgpg2.txt.gpg
$ rm testgpg2.txt
rm: normaal bestand ‘testgpg2.txt’ verwijderen? j
$ ls
testgpg2.txt.gpg
$ gpg2 testgpg2.txt.gpg
entering passphrase
$ ls
testgpg2.txt testgpg2.txt.gpg
$ more testgpg2.txt
test test test
$ gpg2 --delete-secret-keys tester5
answering j to questions
$ gpg2 --delete-key tester5
answering j to questions
$ gpg2 --list-keys | grep tester5
gpg: de betrouwbaarheidsdatabank (trustdb) wordt gecontroleerd
gpg: geen uiterst betrouwbare sleutels gevonden
: no keys found
Seems good enough to me.

Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK
CC: (none) => herman.viaene
Testing M6/64
I already had gnupg2-2.1.21-2 installed; update to gnupg2-2.1.21-3.mga6 went OK.
Thanks to both Claire & Herman for setting this up. I made a complication in ending up with a USER-ID of "lewis smith <***@***.fr>" rather than a single word; avoid that!

Created a new key.
$ gpg2 --gen-key
Listed the key to verify it's there.
$ gpg2 --list-keys
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2020-05-23
/home/lewis/.gnupg/pubring.gpg
------------------------------
pub rsa2048 2018-05-24 [SC] [expires: 2020-05-23]
C94A3C3F5A774DFE6ADE50125C2508F4EC80B039
uid [ultimate] lewis smith <lewyssmith@free.fr>
sub rsa2048 2018-05-24 [E] [expires: 2020-05-23]

Create a test file to encrypt.
$ echo "test test test" > test.txt
$ ls -l test*
-rw-rw-r-- 1 lewis lewis 15 Mai 24 16:56 testgpg2.txt
Encrypt it:
$ gpg2 -e -r "lewis smith <***@***.fr>" testgpg2.txt
$ ls -l test*
-rw-rw-r-- 1 lewis lewis 15 Mai 24 16:56 testgpg2.txt
-rw-rw-r-- 1 lewis lewis 349 Mai 24 16:58 testgpg2.txt.gpg
Remove the original:
$ rm test.txt
$ ls -l test*
-rw-rw-r-- 1 lewis lewis 349 Mai 24 16:58 testgpg2.txt.gpg
Decrypt it back:
$ gpg2 testgpg2.txt.gpg
[enter passphrase]
gpg: WARNING: no command supplied. Trying to guess what you mean ...
gpg: WARNING: server 'gpg-agent' is older than us (2.1.21-2.mga6 < 2.1.21-3.mga6)
gpg: encrypted with 2048-bit RSA key, ID 978C99D6596C4F25, created 2018-05-24
"lewis smith <***@***.fr>"
$ ls -l test*
-rw-rw-r-- 1 lewis lewis 15 Mai 24 17:01 testgpg2.txt
-rw-rw-r-- 1 lewis lewis 349 Mai 24 16:58 testgpg2.txt.gpg
$ cat testgpg2.txt
test test test
Delete the key:
$ gpg2 --delete-secret-keys "lewis smith <***@***.fr>"
gpg: WARNING: server 'gpg-agent' is older than us (2.1.21-2.mga6 < 2.1.21-3.mga6)
[2 console + 2 dialogue confirmations]
$ gpg2 --delete-key "lewis smith <***@***.fr>"
gpg: WARNING: server 'gpg-agent' is older than us (2.1.21-2.mga6 < 2.1.21-3.mga6)
Delete this key from the keyring? (y/N) y
Check it had gone:
$ gpg2 --list-keys
$
[I could not get grep the O/P to work because of weird USER-ID].
Update looks good.

Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA6-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0254.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED