[ubuntu/bionic-security] gnupg2 2.2.4-1ubuntu1.3 (Accepted)
Marc Deslauriers
marc.deslauriers at canonical.com
Thu Sep 17 17:32:56 UTC 2020
gnupg2 (2.2.4-1ubuntu1.3) bionic-security; urgency=medium

  * SECURITY UPDATE: signature collisions via insecure SHA-1 algorithm
    - debian/patches/CVE-2019-14855-1.patch: reject certain SHA-1 based
      signatures in g10/sig-check.c.
    - debian/patches/CVE-2019-14855-2.patch: add new option
      --allow-weak-key-signatures in doc/gpg.texi, g10/gpg.c, g10/main.h,
      g10/misc.c, g10/options.h, g10/sig-check.c.
    - debian/patches/CVE-2019-14855-3.patch: forbid the creation of SHA-1
      third-party key signatures in g10/sign.c.
    - debian/patches/CVE-2019-14855-4.patch: adjust tests for now invalid
      SHA-1 key signatures in tests/openpgp/defs.scm.
    - CVE-2019-14855
Date: 2020-09-17 15:45:14.267837+00:00
Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
https://launchpad.net/ubuntu/+source/gnupg2/2.2.4-1ubuntu1.3
-------------- next part --------------
Sorry, changesfile not available.