Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 531
Alerts This Week
Warning Icon 1 531

Ubuntu 18.04 LTS: USN-3675-1 Critical: GnuPG Decryption Issue

ubuntu
Calendar Grey June 11, 2018
Scroller Ubuntu Esm H88
Tackling GnuPG security flaws in Ubuntu through patches and upgrades for improved protection. Keep your online presence secure!
Several security issues were fixed in GnuPG.

Summary

Several security issues were fixed in GnuPG.

Software Description:

- gnupg2: GNU privacy guard - a free PGP replacement

- gnupg: GNU privacy guard - a free PGP replacement

Details:

Marcus Brinkmann discovered that during decryption or verification,

GnuPG did not properly filter out terminal sequences when reporting the

original filename. An attacker could use this to specially craft a file

that would cause an application parsing GnuPG output to incorrectly

interpret the status of the cryptographic operation reported by GnuPG.

(CVE-2018-12020)

Lance Vick discovered that GnuPG did not enforce configurations where

key certification required an offline master Certify key. An attacker

with access to a signing subkey could generate certifications that

appeared to be valid. This issue only affected Ubuntu 18.04 LTS.

(CVE-2018-9234)

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS:
  gnupg                           2.2.4-1ubuntu1.1
  gpg                             2.2.4-1ubuntu1.1

Ubuntu 17.10:
  gnupg                           2.1.15-1ubuntu8.1

Ubuntu 16.04 LTS:
  gnupg                           1.4.20-1ubuntu3.2

Ubuntu 14.04 LTS:
  gnupg                           1.4.16-1ubuntu2.5

In general, a standard system update will make all the necessary changes.

References

https://ubuntu.com/security/notices/USN-3675-1

CVE-2018-12020, CVE-2018-9234

Severity
critical
Lowest
Low
Medium
High
Critical

June 11, 2018

Package Information

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.