Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 573
Alerts This Week
Warning Icon 1 573

Ubuntu 14.10 USN-2554-1 Moderate: GnuPG Denial Of Service Risk

ubuntu
Calendar Grey April 1, 2015
Dist Ubuntu Esm H88
A recent update for Ubuntu has resolved several security vulnerabilities in GnuPG, including problems related to key recovery and potential denial of service attacks.
Several security issues were fixed in GnuPG.

Summary

Several security issues were fixed in GnuPG.

Software Description:

- gnupg: GNU privacy guard - a free PGP replacement

- gnupg2: GNU privacy guard - a free PGP replacement

Details:

Daniel Genkin, Lev Pachmanov, Itamar Pipman, and Eran Tromer discovered

that GnuPG was susceptible to an attack via physical side channels. A local

attacker could use this attack to possibly recover private keys.

(CVE-2014-3591)

Daniel Genkin, Adi Shamir, and Eran Tromer discovered that GnuPG was

susceptible to an attack via physical side channels. A local attacker could

use this attack to possibly recover private keys. (CVE-2015-0837)

Hanno Böck discovered that GnuPG incorrectly handled certain malformed

keyrings. If a user or automated system were tricked into opening a

malformed keyring, a remote attacker could use this issue to cause GnuPG to

crash, resulting in a denial of service, or possibly execute arbitrary

code. (CVE-2015-1606, CVE-2015-1607)

In addition, this upd...

Read the Full Advisory

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.10:
  gnupg                           1.4.16-1.2ubuntu1.2
  gnupg2                          2.0.24-1ubuntu2.2

Ubuntu 14.04 LTS:
  gnupg                           1.4.16-1ubuntu2.3
  gnupg2                          2.0.22-3ubuntu1.3

Ubuntu 12.04 LTS:
  gnupg                           1.4.11-3ubuntu2.9
  gnupg2                          2.0.17-2ubuntu2.12.04.6

Ubuntu 10.04 LTS:
  gnupg                           1.4.10-2ubuntu1.8

In general, a standard system update will make all the necessary changes.

References

https://ubuntu.com/security/notices/USN-2554-1

CVE-2014-3591, CVE-2014-5270, CVE-2015-0837, CVE-2015-1606,

CVE-2015-1607

Severity
important
Lowest
Low
Medium
High
Critical

April 01, 2015

Package Information

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.