GnuPG 2.2.18 has been released on November 25:
https://lists.gnupg.org/pipermail/gnupg-announce/2019q4/000442.html

Changes include the following:

* gpg: Prepare against chosen-prefix SHA-1 collisions in key signatures. This change removes all SHA-1 based key signatures newer than 2019-01-19 from the web-of-trust. Note that this includes all key signatures created with dsa1024 keys. The new option --allow-weak-key-signatures can be used to override the new and safer behaviour. [#4755,CVE-2019-14855]
Advisory
========

GnuPG has been updated to fix a security issue (CVE-2019-14855).

Changes include the following:

* gpg: Prepare against chosen-prefix SHA-1 collisions in key signatures. This change removes all SHA-1 based key signatures newer than 2019-01-19 from the web-of-trust. Note that this includes all key signatures created with dsa1024 keys. The new option --allow-weak-key-signatures can be used to override the new and safer behaviour.

References
==========

https://lists.gnupg.org/pipermail/gnupg-announce/2019q4/000442.html

Files
=====

Uploaded to core/updates_testing

gnupg2-2.2.18-1.mga7

from gnupg2-2.2.18-1.mga7.src.rpm
Assignee: smelror => qa-bugs
CVE: (none) => CVE-2019-14855
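Added example, not part of the original report and not GnuPG's own code: a small audit script that reads `gpg --with-colons --list-sigs` output and lists the key signatures the advisory describes (SHA-1 digest, created after 2019-01-19). It assumes the cutoff is 2019-01-19 00:00:00 UTC and that "key signatures" means certification classes 0x10 to 0x13; the sample keyring lines are constructed.

```python
import sys
from datetime import datetime, timezone

SHA1 = "2"  # OpenPGP digest algorithm id for SHA-1 (RFC 4880)
CERT_CLASSES = {"10", "11", "12", "13"}  # assumption: certifications only
# Assumption: cutoff taken as midnight UTC on the date given in the advisory.
CUTOFF = datetime(2019, 1, 19, tzinfo=timezone.utc)

# Constructed sample of colon-format output (key ids and names are made up).
SAMPLE = """\
pub:-:2048:1:1111111111111111:1500000000:::-:::scESC::::::23::0:
uid:-::::1500000000::0000::Alice (constructed) <alice@example.org>::::::::::0:
sig:::1:1111111111111111:1500000000::::Alice (constructed) <alice@example.org>:13x:::::8:
sig:::17:2222222222222222:1560000000::::Bob (constructed) <bob@example.org>:10x:::::2:
sig:::1:3333333333333333:1400000000::::Carol (constructed) <carol@example.org>:10x:::::2:
"""

def parse_created(field):
    """Field 6 is seconds since the epoch, or ISO 8601 basic form with a 'T'."""
    if "T" in field:
        return datetime.strptime(field, "%Y%m%dT%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)

def weak_key_signatures(colon_output):
    """Return (certified key id, signer key id, created date, signer uid)
    for every SHA-1 certification made after the cutoff."""
    hits, current_key = [], None
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] == "pub" and len(f) > 4:
            current_key = f[4]          # key the following signatures belong to
        elif f[0] == "sig" and len(f) > 15 and f[5]:
            created = parse_created(f[5])
            is_cert = f[10][:2] in CERT_CLASSES   # field 11: signature class
            if is_cert and f[15] == SHA1 and created > CUTOFF:  # field 16: hash
                hits.append((current_key, f[4], created.date().isoformat(), f[9]))
    return hits

if __name__ == "__main__":
    # Usage: gpg --with-colons --list-sigs | python3 this_script.py
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for key, signer, created, uid in weak_key_signatures(data):
        print(f"key {key}: SHA-1 signature by {signer} ({uid}) on {created}")
```

Signatures reported here are candidates for re-certification with a stronger digest; the script only reads listing output and does not change the keyring.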
Tested with enigmail on thunderbird, all ok.
CC: (none) => lists.jjorge
Whiteboard: (none) => MGA7-32-OK
Installed and tested without issue.

Tested using kleopatra, kmail and gpg cli.
Tested sign, verify, encrypt, decrypt, search key, refresh keys, import, export, list keys.

$ uname -a
Linux marte 5.3.13-desktop-2.mga7 #1 SMP Mon Nov 25 20:30:40 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q gnupg2
gnupg2-2.2.18-1.mga7
Whiteboard: MGA7-32-OK => MGA7-32-OK MGA7-64-OK
CC: (none) => mageia
Validating. Advisory in Comment 1.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
CC: (none) => tmb
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2019-0348.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED