A security issue fixed upstream in GnuPG has been announced today (June 30): https://www.openwall.com/lists/oss-security/2022/06/30/1 The commit that fixed the issue is referenced in the message above.
Status comment: (none) => Patch available from upstream
Note this is M8 only. Assuming this patch is for v2... because we have v3... in Cauldron. Assigning to Stig who has done all the latest version updates for this SRPM.
Assignee: bugsquad => smelror
The patch is in upstream master, so it'll be included in the next version update in Cauldron, so I'm not worried about that. It'll need to be backported for Mageia 8.
A CVE has been assigned: https://www.openwall.com/lists/oss-security/2022/07/02/1
Summary: gnupg2 new security issue fixed upstream => gnupg2 new security issue fixed upstream (CVE-2022-34903)
Debian has issued an advisory for this on July 3: https://www.debian.org/security/2022/dsa-5174
Ubuntu has issued an advisory for this on July 5: https://ubuntu.com/security/notices/USN-5503-1
Fedora has issued an advisory for this on July 7: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NPTAR76EIZY7NQFENSOZO7U473257OVZ/
Version 2.3.7 has been released today (July 11) with the fix: https://lists.gnupg.org/pipermail/gnupg-announce/2022q3/000474.html
Advisory
========

Gnupg2 has been updated to fix CVE-2022-34903.

CVE-2022-34903: GnuPG through 2.3.6, in unusual situations where an attacker possesses any secret-key information from a victim's keyring and other constraints (e.g., use of GPGME) are met, allows signature forgery via injection into the status line.

References
==========
https://lists.gnupg.org/pipermail/gnupg-announce/2022q3/000474.html
https://nvd.nist.gov/vuln/detail/CVE-2022-34903

Files
=====

Uploaded to core/updates_testing

gnupg2-2.2.36-1.mga8 from gnupg2-2.2.36-1.mga8.src.rpm
Assignee: smelror => qa-bugs
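The advisory above names the bug class (signature forgery by injecting into gpg's status line) but not the mechanism. What follows is an added illustration, not GnuPG's, GPGME's or Mageia's code, of why a line-framed status protocol has to escape newlines in any field an attacker can influence: a consumer that frames `[GNUPG:] ` lines the way a GPGME-style caller does, a writer modelled with and without GnuPG's percent-escaping convention, and a constructed verify run whose real signature comes from an untrusted key. Which real status keyword carried the injected text is not stated on this page, so the example uses a placeholder keyword CONTROLLED; the fingerprints, user IDs and sample lines are all constructed.

```python
"""Added illustration of status-line injection against a line-framed
consumer of gpg's --status-fd output. Not GnuPG, GPGME or Mageia code;
all sample lines, fingerprints and user IDs are constructed."""
import re
from typing import List, Tuple

STATUS_PREFIX = "[GNUPG:] "

# Constructed fingerprints: the one the consumer trusts, and the attacker's
# own (untrusted) signing key.
TRUSTED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
ATTACKER_FPR = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"


def percent_escape(value: str) -> str:
    """Escape '%', CR and LF as %XX, the convention GnuPG's status protocol
    uses so that a field value can never end or start a status line."""
    return "".join("%%%02X" % ord(c) if c in "%\r\n" else c for c in value)


def percent_unescape(value: str) -> str:
    """Reverse percent_escape; the consumer applies it after line framing."""
    return re.sub(r"%([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def emit_status(keyword: str, value: str, escape: bool) -> str:
    """Model of a status-line writer. escape=False models the flaw class:
    an attacker-influenced value copied into the line verbatim."""
    field = percent_escape(value) if escape else value
    return STATUS_PREFIX + keyword + " " + field


def parse_status(stream: str) -> List[Tuple[str, str]]:
    """Frame records as a GPGME-style consumer does: one record per line
    that starts with the prefix; unescape the arguments afterwards."""
    records = []
    for line in stream.split("\n"):
        if line.startswith(STATUS_PREFIX):
            keyword, _, args = line[len(STATUS_PREFIX):].partition(" ")
            records.append((keyword, percent_unescape(args)))
    return records


def signature_is_good(records: List[Tuple[str, str]], trusted_fprs) -> bool:
    """Accept only when GOODSIG is confirmed by a VALIDSIG whose fingerprint
    the caller trusts; any BADSIG/ERRSIG rejects outright."""
    saw_goodsig = False
    for keyword, args in records:
        if keyword in ("BADSIG", "ERRSIG"):
            return False
        if keyword == "GOODSIG":
            saw_goodsig = True
        elif keyword == "VALIDSIG" and saw_goodsig:
            if args.split(" ", 1)[0] in trusted_fprs:
                return True
    return False


# Constructed attacker-controlled text: a harmless prefix, then a newline and
# two forged status lines claiming a valid signature by the trusted key.
INJECTED = (
    "looks harmless"
    + "\n" + STATUS_PREFIX + "GOODSIG " + TRUSTED_FPR[-16:]
    + " Trusted User <trusted@example.org>"
    + "\n" + STATUS_PREFIX + "VALIDSIG " + TRUSTED_FPR
    + " 2022-07-11 1657497600 0 4 0 1 8 00 " + TRUSTED_FPR
)


def build_stream(escape: bool) -> str:
    """A verify run whose real signature is by the attacker's key, with the
    attacker-controlled text echoed under the placeholder keyword CONTROLLED
    (the real affected keyword is not named on this page)."""
    return "\n".join([
        emit_status("NEWSIG", "", escape),
        emit_status("CONTROLLED", INJECTED, escape),
        emit_status("GOODSIG", ATTACKER_FPR[-16:]
                    + " Attacker <mallory@example.org>", escape),
        emit_status("VALIDSIG", ATTACKER_FPR
                    + " 2022-07-11 1657497600 0 4 0 1 8 00 " + ATTACKER_FPR,
                    escape),
    ])


def verify_run(escape: bool) -> bool:
    """True when the consumer would accept the attacker-signed data."""
    return signature_is_good(parse_status(build_stream(escape)),
                             {TRUSTED_FPR})


if __name__ == "__main__":
    print("unescaped writer, consumer accepts:", verify_run(escape=False))  # True
    print("escaped writer, consumer accepts:", verify_run(escape=True))     # False
```

The point for a consumer of gpg's status output is that framing happens before decoding: the consumer can only be as safe as the writer's escaping, which is why the fix belongs on the gpg side and why the advisory's "other constraints (e.g., use of GPGME)" matter. A consumer that additionally insists on a VALIDSIG fingerprint it trusts, as above, still cannot defend itself once a forged VALIDSIG line is framed as its own record.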
MGA8-64 Plasma on Acer Aspire 5253
No installation issues.
New territory for me, so looked for info on previous bugs and on https://www.devdungeon.com/content/gpg-tutorial
Created a new pair in Kleopatra, then ran gpg2 --list-keys and gpg2 --list-secret-keys to display the key info: worked OK.
Then used Kleopatra to encrypt a text file, renamed the resulting .gpg file and decrypted this one (avoiding overwriting the original .txt file), and that all worked OK.
Judging from previous updates, this test should be good enough, so OK'ing, unless someone with more in-depth knowledge ......
Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene
Validating. Advisory in Comment 8.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0259.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED