Ubuntu has issued an advisory on January 10: https://usn.ubuntu.com/3853-1/ The issue was fixed upstream in 2.2.12: https://github.com/gpg/gnupg/commit/4a4bb874f63741026bd26264c43bb32b1099f060
Assigning to all packagers collectively, since there is no registered maintainer for this package. Also CC'ing some committers (even if one or two only committed to the cauldron package).
Assignee: bugsquad => pkg-bugs
CC: (none) => eatdirt, geiger.david68210, marja11, ngompa13, nicolas.salguero, smelror
Suggested advisory:
========================

The updated package fixes a security vulnerability:

GnuPG version 2.1.12 - 2.2.11 contains a Cross Site Request Forgery (CSRF) vulnerability in dirmngr that can result in attacker-controlled CSRF, information disclosure, or DoS. This attack appears to be exploitable when the victim performs a WKD request, e.g. enters an email address in the composer window of Thunderbird/Enigmail. This vulnerability appears to have been fixed after commit 4a4bb874f63741026bd26264c43bb32b1099f060. (CVE-2018-1000858)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000858
https://usn.ubuntu.com/3853-1/
https://lists.opensuse.org/opensuse-security-announce/2019-01/msg00009.html
========================

Updated package in core/updates_testing:
========================
gnupg2-2.1.21-3.2.mga6

from SRPMS:
gnupg2-2.1.21-3.2.mga6.src.rpm
CVE: (none) => CVE-2018-1000858
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
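The advisory above says the trigger is a WKD request made on the victim's behalf when an email address is entered. What that request looks like, and why the attacker gets a say in it, is clearer with the URL derivation written out. The block below is an added illustration by the editor, not code from GnuPG or from this bug report: it derives the Web Key Directory lookup URLs for an address per the WKD draft (SHA-1 of the lowercased local-part, z-base-32 encoded), and adds a strict same-origin HTTPS redirect policy. GnuPG 2.2.12's release notes describe the fix as avoiding CSRF via HTTP redirects; this page does not detail the mechanism, so `redirect_allowed` is the editor's illustration of that general rule, not the upstream fix. The test vector `Joe.Doe@Example.ORG` is the one given in the WKD draft.

```python
"""Web Key Directory lookup URLs plus a same-origin redirect policy.

Added example (editor's code, not GnuPG's). Shows that the host a WKD client
contacts is derived entirely from the address the user typed, and how a
client can refuse to be redirected off that host.
"""
import hashlib
from urllib.parse import quote, urlsplit

# z-base-32 alphabet (RFC 6189 section 5.1.6), as used by the WKD draft.
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32(data: bytes) -> str:
    """Encode bytes as z-base-32 without padding (20 bytes -> exactly 32 chars)."""
    value = int.from_bytes(data, "big")
    nbits = len(data) * 8
    out = []
    while nbits > 0:
        take = min(5, nbits)
        nbits -= take
        chunk = (value >> nbits) & ((1 << take) - 1)
        chunk <<= 5 - take  # left-align a trailing partial group
        out.append(ZBASE32_ALPHABET[chunk])
    return "".join(out)


def wkd_hash(local_part: str) -> str:
    """The 'hu' path component: SHA-1 of the lowercased local-part, z-base-32 encoded."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32(digest)


def wkd_urls(addr: str) -> dict:
    """Return the 'advanced' and 'direct' WKD URLs a client would fetch for addr.

    Both hosts come straight from the domain part of the address, so whoever
    controls that domain controls the server the client talks to.
    """
    local_part, domain = addr.rsplit("@", 1)
    domain = domain.lower()
    hu = wkd_hash(local_part)
    query = quote(local_part, safe="")  # original-case local-part as ?l=
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{hu}?l={query}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{hu}?l={query}",
    }


def redirect_allowed(request_url: str, location: str) -> bool:
    """Same-origin redirect policy (editor's illustration, not GnuPG's code).

    Only follow an HTTPS Location whose host and port match the request that
    produced it; anything else would let a key server steer the client to an
    arbitrary third-party host.
    """
    src, dst = urlsplit(request_url), urlsplit(location)
    if src.scheme != "https" or dst.scheme != "https":
        return False
    if not dst.hostname or not src.hostname:
        return False
    if dst.hostname.lower() != src.hostname.lower():
        return False
    return (dst.port or 443) == (src.port or 443)


if __name__ == "__main__":
    urls = wkd_urls("Joe.Doe@Example.ORG")  # test vector from the WKD draft
    for method, url in urls.items():
        print(f"{method:8s} {url}")
    print(redirect_allowed(urls["direct"], "https://example.org/elsewhere"))
    print(redirect_allowed(urls["direct"], "https://attacker.example/keys"))
```

The `l=` query carries the local-part in its original case while the hash is computed over the lowercased form, which is why `Joe.Doe` and `joe.doe` map to the same `hu` file but keep the spelling the user typed.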
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
Ref to bug 22940 Comment 4 for tests.

$ gpg2 --gen-key
gpg (GnuPG) 2.1.21-3.2.mga6; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
gpg: starting migration from earlier GnuPG versions
gpg: WARNING: server 'gpg-agent' is older than us (2.1.21-3.1.mga6 < 2.1.21-3.2.mga6)
gpg: porting secret keys from '/home/tester6/.gnupg/secring.gpg' to gpg-agent
and mentioning the previously generated key, then further proceeding to generate a new key for user tester6

$ gpg2 --list-keys
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2021-03-08
and then further displaying two keys

$ echo "test test test" > testgpg2.txt
$ ls testgp*
testgpg2.txt
$ gpg2 -e -r tester6 testgpg2.txt
$ ls testgp*
testgpg2.txt  testgpg2.txt.gpg
$ rm testgpg2.txt
rm: normaal bestand 'testgpg2.txt' verwijderen? j
(Dutch: "rm: remove regular file 'testgpg2.txt'? y")
$ ls testgp*
testgpg2.txt.gpg
$ gpg2 testgpg2.txt.gpg
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
gpg: WARNING: server 'gpg-agent' is older than us (2.1.21-3.1.mga6 < 2.1.21-3.2.mga6)
gpg: encrypted with 2048-bit RSA key, ....<details of the key>
$ ls testgp*
testgpg2.txt  testgpg2.txt.gpg
[tester6@mach6 Documenten (BARE:master)]$ more testgpg2.txt
test test test
[tester6@mach6 Documenten (BARE:master)]$ gpg2 --delete-secret-keys tester6
gpg (GnuPG) 2.1.21-3.2.mga6; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
gpg: WARNING: server 'gpg-agent' is older than us (2.1.21-3.1.mga6 < 2.1.21-3.2.mga6)
sec  <details of the key>
Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y
and answering yes on the pop-up windows

$ gpg2 --delete-key tester6
gpg (GnuPG) 2.1.21-3.2.mga6; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
gpg: WARNING: server 'gpg-agent' is older than us (2.1.21-3.1.mga6 < 2.1.21-3.2.mga6)
pub  <details of the key>
Delete this key from the keyring? (y/N) y
$ gpg2 --list-keys | grep tester6
gpg: checking the trustdb
gpg: no ultimately trusted keys found
/home/tester6/.gnupg/pubring.kbx

Notice that while this laptop is installed in Dutch - see the rm command above - all the gpg dialogues are in English. This and the messages about the older version of gpg-agent are not a reason for me personally to block this update, but I wonder whether this is expected behavior.
CC: (none) => herman.viaene
Installed and tested without issues.

Tests included:
- CLI list public/private keys;
- CLI generate public/private key pair;
- CLI sign key;
- CLI encrypt/decrypt file;
- CLI sign/verify file;
- CLI detached sign/verify file;
- kgpg usage;
- kleopatra usage;
- kmail sign/verify and encrypt/decrypt emails.

System: Mageia 6, x86_64, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using the nvidia340 proprietary driver.

$ uname -a
Linux marte 4.14.104-desktop-2.mga6 #1 SMP Wed Feb 27 17:08:11 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q gnupg2
gnupg2-2.1.21-3.2.mga6
CC: (none) => mageia
Several days without activity and two OKs (comment 3 for 32 bits and comment 4 for 64 bits), so I'll mark it as OK and move it along. Feel free to undo the OKs if you think it's needed.
Whiteboard: (none) => MGA6-32-OK MGA6-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0108.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED