Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 510
Alerts This Week
Warning Icon 1 510

Ubuntu 19.04 Security Notice USN-3964-1: python-gnupg Remote Attack

ubuntu
Calendar Grey May 2, 2019
Dist Ubuntu Esm H88
=========================================================================Ubuntu Security Notice USN-
Several security issues were fixed in python-gnupg

Summary

Several security issues were fixed in python-gnupg

Software Description:

- python-gnupg: Python wrapper for the GNU Privacy Guard

Details:

Marcus Brinkmann discovered that GnuPG before 2.2.8 improperly handled certain

command line parameters. A remote attacker could use this to spoof the output of

GnuPG and cause unsigned e-mail to appear signed.

(CVE-2018-12020)

It was discovered that python-gnupg incorrectly handled the GPG passphrase. A

remote attacker could send a specially crafted passphrase that would allow them

to control the output of encryption and decryption operations.

(CVE-2019-6690)

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 19.04:
  python-gnupg                    0.4.3-1ubuntu1.19.04.1
  python3-gnupg                   0.4.3-1ubuntu1.19.04.1

Ubuntu 18.10:
  python-gnupg                    0.4.1-1ubuntu1.18.10.1
  python3-gnupg                   0.4.1-1ubuntu1.18.10.1

Ubuntu 18.04 LTS:
  python-gnupg                    0.4.1-1ubuntu1.18.04.1
  python3-gnupg                   0.4.1-1ubuntu1.18.04.1

In general, a standard system update will make all the necessary changes.

References

https://ubuntu.com/security/notices/USN-3964-1

CVE-2018-12020, CVE-2019-6690

Severity
critical
Lowest
Low
Medium
High
Critical

May 02, 2019

Package Information

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.