Fedora 38: FEDORA-2023-91870fbc5c Critical: GnuPG Insecure Handling Issue

GnuPG (GNU Privacy Guard) is a GNU utility for encrypting data and

creating digital signatures. GnuPG has advanced key management

capabilities and is compliant with the proposed OpenPGP Internet

standard described in RFC2440. Since GnuPG doesn't use any patented

algorithm, it is not compatible with any version of PGP2 (PGP2.x uses

only IDEA for symmetric-key encryption, which is patented worldwide).

- New upstream v1.4.23 (#1589802,#1589620,#1589624) - Remove patches included in

upstream release - Note that this includes the fix for [CVE-2018-12020] ----- doc Remove documentation for future option faked sys - build Don't use dev

srandom on OpenBSD - Do not use C99 feature - g10 Fix regexp sanitization - g10

Push compress filter only if compressed - gpg Sanitize diagnostic with the

original file name [CVE-2018-12020]

* Fri Jun 15 2018 Brian C. Lane - 1.4.23-1

- New upstream v1.4.23 (#1589802,#1589620,#1589624)

- Remove patches included in upstream release

- Note that this includes the fix for [CVE-2018-12020]

* Fri Jun 8 2018 Brian C. Lane - 1.4.22-4

- doc Remove documentation for future option faked sys

- build Don't use dev srandom on OpenBSD

- Do not use C99 feature

- g10 Fix regexp sanitization

- g10 Push compress filter only if compressed

- gpg Sanitize diagnostic with the original file name [CVE-2018-12020]

[ 1 ] Bug #1589624 - CVE-2018-12020 gnupg: gnupg2: Improper sanitization of filenames allows for the display of fake status messages and the bypass of signature verification [fedora-all]

https://bugzilla.redhat.com/show_bug.cgi?id=1589624

[ 2 ] Bug #1589802 - gnupg-1.4.23 is available

https://bugzilla.redhat.com/show_bug.cgi?id=1589802

su -c 'dnf upgrade --advisory FEDORA-2018-69780fc4d7' at the command

line. For more information, refer to the dnf documentation available at

https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the

GPG keys used by the Fedora Project can be found at

package-announce mailing list -- package-announce@lists.fedoraproject.org

To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org

Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/

List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines

List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QC7Y72LI3TU6QVG6T2YZRHTXTP4TGTA2/