gnupg2 2.2.17 is a maintenance release to mitigate the effects of the denial-of-service attacks on the keyserver network.

Advisory
========
Ignore all key-signatures received from keyservers. This change is required to mitigate a DoS due to keys flooded with faked key-signatures. The old behaviour can be achieved by adding
keyserver-options no-self-sigs-only,no-import-clean
to your gpg.conf

References
==========
https://lists.gnupg.org/pipermail/gnupg-announce/2019q3/000439.html

Files
=====
Uploaded to core/updates_testing

gnupg2-2.2.17-1.mga7
from gnupg2-2.2.17-1.mga7.src.rpm
Assignee: smelror => qa-bugs
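
A read-only check for the override named in the advisory above, as an added example that is not part of the original bug report or of GnuPG. The function name and the sample file are constructed; it assumes the option list may be split by blanks or commas and that a later keyserver-options line overrides an earlier one.

```shell
#!/bin/sh
# Report which of the 2.2.17 keyserver import defaults a gpg.conf switches
# off again. Prints "<line>:<option>" for each default that is still
# disabled at the end of the file.
# Exit status: 0 = defaults intact, 1 = old behaviour re-enabled, 2 = unreadable.
reverted_keyserver_defaults() {
    conf=$1
    [ -r "$conf" ] || return 2
    awk '
        # Lines starting with "#" never have $1 == "keyserver-options",
        # so commented-out settings are skipped without extra handling.
        $1 == "keyserver-options" {
            for (i = 2; i <= NF; i++) {
                n = split($i, opt, ",")
                for (j = 1; j <= n; j++) {
                    name = opt[j]
                    neg = sub(/^no-/, "", name)   # 1 if the option is negated
                    if (name == "self-sigs-only" || name == "import-clean")
                        where[name] = neg ? NR : 0   # last setting wins
                }
            }
        }
        END {
            n = split("self-sigs-only import-clean", names, " ")
            for (k = 1; k <= n; k++)
                if (where[names[k]]) {
                    print where[names[k]] ":no-" names[k]
                    bad = 1
                }
            exit bad + 0
        }
    ' "$conf"
}

# Constructed sample gpg.conf: line 2 restores the old behaviour,
# line 3 turns import-clean back on.
sample=$(mktemp)
cat >"$sample" <<'EOF'
# keyserver-options no-import-clean
keyserver-options auto-key-retrieve no-self-sigs-only,no-import-clean
keyserver-options import-clean
EOF
findings=$(reverted_keyserver_defaults "$sample") ||
    echo "keyserver key-signatures are accepted again: $findings"
rm -f "$sample"
```

Run it against the gpg.conf of each account that imports keys from keyservers; any output means that account no longer benefits from the mitigation in this update.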
CC: (none) => nathan95
Whiteboard: (none) => MGA7-64-OK
I did not notice any new problem after this update, tested on acer aspire for a few days
(In reply to nathan giovannini from comment #2)
> I did not notice any new problem after this update, tested on acer aspire
> for a few days

Please explain what to test except command # gpg!
Does this change affect any program like Kleopatra (uses gpg-agent)?

@ Stig
is the fix complete, or are other programs or packages needed?

Ulrich
CC: (none) => bequimao.de
(In reply to Ulrich Beckmann from comment #3)
> (In reply to nathan giovannini from comment #2)
> > I did not notice any new problem after this update, tested on acer aspire
> > for a few days
>
> Please explain what to test except command # gpg!
> Does this change affect any program like Kleopatra (uses gpg-agent)?
>
> @ Stig
> is the fix complete, or are other programs or packages needed?
>
> Ulrich

This is the only package that is updated and produced unless you want to go into debuginfo and debugsource.

Cheers,
Stig
Installed Packages
gnupg2.x86_64 2.2.17-1.mga7 @updates_testing-x86_64

Kleopatra: selftest ok.

CLI test of $ gpg2
Listed 2 keys
Changed expiration date of secret key
Added encryption subkey
Deleted expired encryption subkey
Saved all changes

Kleopatra shows all changes then, but export of secret keys failed twice with changed and unchanged key. Error message was about "ambiguous keys" (in German).
Exported then the modified key by
$ gpg2 --export-secret-key <fingerprint>
Deleted then the modified key in Kleopatra and re-imported the same key, ok.

I don't know if the export error in Kleopatra is new, so I would say no regression found. The export worked finally with CLI.

Kmail: sent signed and encrypted mail, ok.

# dnf upgrade - upgraded several packages since upgrade of gnupg2, ok.

Ulrich
Source RPM: (none) => gnupg2-2.2.17-1.mga7.src.rpm
Installierte Pakete
gnupg2.x86_64 2.2.15-1.mga7 @mageia-x86_64

Downgraded gnupg2 in another instance. The export error in Kleopatra is shown there, too. I will list a separate bug report.

Thus no regression found. The test may be validated.
See advisory https://bugs.mageia.org/show_bug.cgi?id=25126#c1

Ulrich
Validating. Suggested advisory in Comment 1.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGAA-2019-0080.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
This fixed CVE-2019-13050: https://lists.opensuse.org/opensuse-security-announce/2019-08/msg00039.html
Summary: Update Candidate: gnupg2 2.2.17 => Update Candidate: gnupg2 2.2.17 (fixes CVE-2019-13050)