GnuPG 2.2.8 has been released on June 8, fixing a critical security issue: https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html Mageia 5 and Mageia 6 are also affected. I'm not sure if gnupg is affected.
Whiteboard: (none) => MGA6TOO, MGA5TOO
CC: (none) => smelror
Assignee: bugsquad => pkg-bugs
gnupg is also affected. It's also probably about time we remove it from Cauldron. Debian has issued advisories for this on June 8: https://www.debian.org/security/2018/dsa-4224 https://www.debian.org/security/2018/dsa-4223 https://www.debian.org/security/2018/dsa-4222
Summary: gnupg2 new security issue CVE-2018-12020 => gnupg, gnupg2 new security issue CVE-2018-12020
Source RPM: gnupg2-2.2.7-2.mga7.src.rpm => gnupg-1.4.22-2.mga7.src.rpm, gnupg2-2.2.7-2.mga7.src.rpm
gnupg2-2.2.8-1.mga7 uploaded for Cauldron by Stig-Ørjan.
Ubuntu has issued advisories for this on June 11 and today (June 15): https://usn.ubuntu.com/3675-1/ https://usn.ubuntu.com/3675-2/
Fedora has issued an advisory for gnupg today (June 15): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ECER26OJWTXJCGF7LEUAPMF4ZR6ZORMH/
gnupg 1.4.23 has been released on June 11. Upstream's website said it was to address CVE-2017-7526, but that was fixed in 1.4.22, so they might have meant this issue (someone will have to check). Jani updated to 1.4.23 in Cauldron.
CC: (none) => jani.valimaa
python-gnupg 0.4.3 has fixes to mitigate the effects of this there too: https://neopg.io/blog/gpg-signature-spoof/ http://openwall.com/lists/oss-security/2018/06/13/10
Summary: gnupg, gnupg2 new security issue CVE-2018-12020 => gnupg, gnupg2, python-gnupg new security issue CVE-2018-12020
Source RPM: gnupg-1.4.22-2.mga7.src.rpm, gnupg2-2.2.7-2.mga7.src.rpm => gnupg-1.4.22-2.mga7.src.rpm, gnupg2-2.2.7-2.mga7.src.rpm, python-gnupg-0.4.0-1.mga7.src.rpm
Patched packages uploaded for Mageia 5 and Mageia 6 by Jani. Thanks!

Advisory:
========================

Updated gnupg, gnupg2, and python-gnupg packages fix security vulnerability:

Marcus Brinkmann discovered that during decryption or verification, GnuPG did not properly filter out terminal sequences when reporting the original filename. An attacker could use this to specially craft a file that would cause an application parsing GnuPG output to incorrectly interpret the status of the cryptographic operation reported by GnuPG (CVE-2018-12020).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12020
https://neopg.io/blog/gpg-signature-spoof/
https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html
http://openwall.com/lists/oss-security/2018/06/13/10
https://usn.ubuntu.com/3675-1/
========================

Updated packages in core/updates_testing:
========================
gnupg-1.4.19-1.4.mga5
gnupg2-2.0.27-1.2.mga5
python-gnupg-0.3.6-4.1.mga5
python3-gnupg-0.3.6-4.1.mga5
gnupg-1.4.23-1.mga6
gnupg2-2.1.21-3.1.mga6
python-gnupg-0.3.8-2.1.mga6
python3-gnupg-0.3.8-2.1.mga6

from SRPMS:
gnupg-1.4.19-1.4.mga5.src.rpm
gnupg2-2.0.27-1.2.mga5.src.rpm
python-gnupg-0.3.6-4.1.mga5.src.rpm
gnupg-1.4.23-1.mga6.src.rpm
gnupg2-2.1.21-3.1.mga6.src.rpm
python-gnupg-0.3.8-2.1.mga6.src.rpm
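The advisory describes an output-parsing problem rather than a flaw in the cryptography, so the defence lives in the consuming application. The following added example (written for this page, not code from the Mageia bug, GnuPG or python-gnupg) contrasts a parser that scrapes `[GNUPG:]` status lines out of a stream it shares with gpg's log output, which a filename containing a line break can fool, with one that interprets only the dedicated `--status-fd` stream and rejects control characters in the echoed filename. The gpg lines, key ids and user id below are constructed placeholders.

```python
import re

STATUS_PREFIX = "[GNUPG:] "
# Any control character (newline, ESC, ...) in a filename that gpg echoes
# back is what lets a crafted file forge output; treat it as hostile.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

# Constructed sample data (not a real gpg transcript); key ids and user id
# are placeholders. The stored "original filename" embeds a line break
# followed by text that imitates GnuPG status lines.
INJECTED_NAME = (
    "report.txt\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Someone <someone@example.invalid>\n"
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2018-06-08 "
    "1528416000 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567"
)
LOG_STREAM = ("gpg: original file name='%s'\n" % INJECTED_NAME
              + "gpg: Signature made Fri Jun  8 00:00:00 2018 UTC\n")
STATUS_STREAM = "[GNUPG:] BADSIG 0123456789ABCDEF Someone <someone@example.invalid>\n"
# What an application sees when it lets status and log share one fd.
MIXED_STREAM = LOG_STREAM + STATUS_STREAM

def status_keywords(stream, strict):
    """Collect status keywords from a stream. With strict=True (the stream is
    the dedicated status fd) any non-status line is a protocol error."""
    keywords = []
    for line in stream.splitlines():
        if line.startswith(STATUS_PREFIX):
            keywords.append(line[len(STATUS_PREFIX):].split(" ", 1)[0])
        elif strict:
            raise ValueError("unexpected data on status fd: %r" % line)
    return keywords

def naive_verdict(mixed_stream):
    """Insecure: scrapes status lines from a stream that also carries
    attacker-influenced log text and treats any GOODSIG as success."""
    return "valid" if "GOODSIG" in status_keywords(mixed_stream, False) else "invalid"

def hardened_verdict(status_stream, log_stream):
    """Interpret only the dedicated status fd, require a coherent set of
    status lines, and refuse an echoed filename containing control chars."""
    m = re.search(r"original file name='(.*)'", log_stream, re.S)
    if m and CONTROL_CHARS.search(m.group(1)):
        return "invalid"
    kw = status_keywords(status_stream, True)
    if any(k in kw for k in ("BADSIG", "ERRSIG", "NODATA", "NO_PUBKEY")):
        return "invalid"
    return "valid" if "GOODSIG" in kw and "VALIDSIG" in kw else "invalid"
```

Running gpg with `--status-fd` pointing at a pipe of its own (not stderr) is what makes the second parser's assumptions hold; the filename check is the extra layer that upstream's fix added on the gpg side.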
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Version: Cauldron => 6
Assignee: pkg-bugs => qa-bugs
Installed and tested without issues.

Tests included:
- using kleopatra.
- unlocking kwallet.
- kmail sign and verify email signatures.
- kmail encrypt and decrypt emails.
- Check file signatures using:
  find -ipath '*.asc' --exec gpg '{}' ';'
  find -ipath '*.sig' --exec gpg '{}' ';'
- Decrypt existing encrypted files.
- Encrypt, decrypt and then compare original to decrypted file.
- Run: gpg --refresh-keys
- Run: gpg --update-trustdb

System: Mageia 6, x86_64, Plasma DE, Intel CPU, nVidia GPU using nvidia340 proprietary driver.

$ uname -a
Linux marte 4.14.44-desktop-2.mga6 #1 SMP Mon May 28 22:35:45 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep gnupg | sort
gnupg-1.4.23-1.mga6
gnupg2-2.1.21-3.1.mga6
CC: (none) => mageia
Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK
MGA5-32 on Dell Latitude D600 Xfce

No installation issues.
Threading unknown territory, so tried a few from Comment 8.
No "kde" stuff on this machine.

Hmmmm, above find commands throw errors, but one dash less on 'exec' works OK.
$ cd /
$ find -ipath '*.asc' -exec gpg '{}' ';'
gives loads of access denied of course but also
pub 1024D/57548DCD 1998-07-07 Werner Koch (gnupg sig) <dd9jn@gnu.org>
pub 1024D/5B0358A2 1999-03-15 Werner Koch <wk@gnupg.org>
uid Werner Koch <wk@g10code.com>
uid Werner Koch
uid Werner Koch <werner@fsfe.org>
sub 2048R/B604F148 2004-03-21 [vervaldatum: 2005-12-31]
sub 2048R/C3680A6E 2006-01-01 [vervaldatum: 2007-12-31]
and more of those
$ find -ipath '*.sig' -exec gpg '{}' ';'
returns nothing useful
# gpg --refresh-keys
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
# gpg --update-trustdb
gpg: /root/.gnupg/trustdb.gpg: betrouwbaarheidsdatabank (trustdb) created
gpg: geen uiterst betrouwbare sleutels gevonden : no trustworthy keys found
Sorry if the translations are not 100% correct.
Looks good to me as far as I understand this stuff.
CC: (none) => herman.viaene
Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO MGA6-64-OK MGA5-32-OK
openSUSE has issued an advisory for python-gnupg on June 16: https://lists.opensuse.org/opensuse-updates/2018-06/msg00102.html
Fedora also updated libgpg-error to 1.31 as part of this update, but I'm not sure whether or not that's strictly necessary: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/AVLFADU5FRH4NHJXAFXEQELHAQ4L4BCQ/
Validating. Advisoried.
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0292.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED