- ----------------------------------------------------------------------- Debian LTS Advisory DLA-2862-1 [email protected] https://www.debian.org/lts/security/ Utkarsh Gupta December 29, 2021 https://wiki.debian.org/LTS - ----------------------------------------------------------------------- Package : python-gnupg Version : 0.3.9-1+deb9u1 CVE ID : CVE-2018-12020 CVE-2019-6690 A couple of vulnerabilites were found in python-gnupg, a Python wrapper for the GNU Privacy Guard. CVE-2018-12020 Marcus Brinkmann discovered that GnuPG before 2.2.8 improperly handled certain command line parameters. A remote attacker could use this to spoof the output of GnuPG and cause unsigned e-mail to appear signed. CVE-2019-6690 It was discovered that python-gnupg incorrectly handled the GPG passphrase. A remote attacker could send a specially crafted passphrase that would allow them to control the output of encryption and decryption operations. For Debian 9 stretch, these problems have been fixed in version 0.3.9-1+deb9u1. We recommend that you upgrade your python-gnupg packages. For the detailed security status of python-gnupg please refer to its security tracker page at: https://security-tracker.debian.org/tracker/python-gnupg Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS