
A gnupg2 security update has been released for Debian GNU/Linux 8 and 9 Extended LTS to address signature spoofing via arbitrary injection into the status line.

ELA-636-1 gnupg2 security update

Package: gnupg2
Version: 2.0.26-6+deb8u3 (jessie), 2.1.18-8~deb9u5 (stretch)
Related CVEs: CVE-2018-9234, CVE-2022-34903

CVE-2022-34903

Demi Marie Obenour discovered a flaw in GnuPG that allows signature
spoofing via arbitrary injection into the status line. An attacker who
controls the secret part of any signing-capable key or subkey in the
victim's keyring can take advantage of this flaw to provide a
correctly-formed signature that some software, including gpgme, will
accept as valid, with the validity and the signer fingerprint chosen by
the attacker.
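To make the status-line injection concrete, here is an added example for this advisory. It is not GnuPG or gpgme code: the status writer, the line-oriented parser, the TEXT_FIELD keyword and the fingerprints are simplified models and constructed values, and the real injection vector is not reproduced. The example shows how a free-text value containing a newline, written unescaped into "[GNUPG:] KEYWORD args" output, is read back by a consumer as an extra VALIDSIG record, and how percent-escaping on the producer side removes that ambiguity.

```python
"""Status-line injection, modelled on gpg's "[GNUPG:] KEYWORD args" status
output, and the percent-escaping that closes it off.

Added example for this advisory; it is not GnuPG or gpgme code.  The writer,
the parser, the TEXT_FIELD keyword and the fingerprints are simplified models
and constructed values, not the real vector or real keys.
"""
from typing import List, Optional, Tuple

STATUS_PREFIX = "[GNUPG:] "

# Constructed sample fingerprints (40 hex digits, shaped like a v4 fingerprint).
REAL_FPR = "1111111111111111111111111111111111111111"
SPOOFED_FPR = "2222222222222222222222222222222222222222"


def percent_escape(value: str) -> str:
    """Replace '%', CR and LF with %XX so a value can never break a line."""
    return "".join("%%%02X" % ord(ch) if ch in "%\r\n" else ch for ch in value)


def emit_status(keyword: str, *args: str, escape: bool) -> str:
    """Write one status line.  With escape=False an argument containing a
    newline spills a second, attacker-authored line into the stream."""
    fields = [percent_escape(a) if escape else a for a in args]
    return STATUS_PREFIX + " ".join([keyword, *fields]) + "\n"


def parse_status(stream: str) -> List[Tuple[str, List[str]]]:
    """Line-oriented parser in the style of a status-fd consumer."""
    records = []
    for line in stream.splitlines():
        if line.startswith(STATUS_PREFIX):
            parts = line[len(STATUS_PREFIX):].split(" ")
            records.append((parts[0], parts[1:]))
    return records


def validsig_fingerprints(records) -> List[str]:
    """Every fingerprint reported by a VALIDSIG line, in stream order."""
    return [args[0] for kw, args in records if kw == "VALIDSIG" and args]


def trusted_signer(records) -> Optional[str]:
    """Defensive consumer rule: accept a signer only when exactly one VALIDSIG
    line is present.  A heuristic, not a substitute for the producer fix."""
    fprs = validsig_fingerprints(records)
    return fprs[0] if len(fprs) == 1 else None


# Attacker-influenced free text carrying an embedded fake status line.
# (TEXT_FIELD is a hypothetical keyword; the real vector is not modelled.)
INJECTED_TEXT = "harmless note\n" + STATUS_PREFIX + "VALIDSIG " + SPOOFED_FPR


def build_stream(escape: bool) -> str:
    """A status stream as a vulnerable (escape=False) or fixed (escape=True)
    producer would emit it for one genuine signature."""
    return (emit_status("TEXT_FIELD", INJECTED_TEXT, escape=escape)
            + emit_status("VALIDSIG", REAL_FPR, escape=escape))


if __name__ == "__main__":
    for escape in (False, True):
        records = parse_status(build_stream(escape))
        print("escaped" if escape else "unescaped",
              validsig_fingerprints(records), trusted_signer(records))
```

Run unescaped, the parser reports two signer fingerprints, the spoofed one first; run escaped, only the genuine one. The %XX escaping is the convention gpg's status output documents for free-form values. The point is that the producer must do the escaping, because a line-oriented consumer cannot reliably tell an injected line from a genuine one after the fact; upgrading the package is the fix, and a consumer-side check such as refusing a stream with more than one VALIDSIG is only defence in depth.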

CVE-2018-9234

GnuPG does not enforce a configuration in which key certification requires an
offline master Certify key, which results in apparently valid certifications
that occurred only with access to a signing subkey.

For Debian 8 jessie, these problems have been fixed in version 2.0.26-6+deb8u3.

For Debian 9 stretch, these problems have been fixed in version 2.1.18-8~deb9u5.

We recommend that you upgrade your gnupg2 packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/
