CVE-2018-9234

Published: 3 April 2018

GnuPG 2.2.4 and 2.2.5 do not enforce a configuration in which key certification requires an offline master Certify key, which results in apparently valid certifications that occurred only with access to a signing subkey.

Notes

Author: mdeslaur
Note: only affects 2.1.21 and later

Priority

Low

CVSS 3 base score: 7.5

Status

Package: gnupg
Launchpad, Ubuntu, Debian
artful: Does not exist
bionic: Does not exist
precise: Not vulnerable
trusty: Not vulnerable
upstream: Released (2.2.6)
xenial: Not vulnerable

Package: gnupg2
Launchpad, Ubuntu, Debian
artful: Not vulnerable (2.1.15-1ubuntu8)
bionic: Released (2.2.4-1ubuntu1.1)
precise: Does not exist
trusty: Does not exist (trusty was not-affected [2.0.22-3ubuntu1.3])
upstream: Released (2.2.6)
xenial: Not vulnerable (2.1.11-6ubuntu2)

Patches:
upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=a17d2d1f690ebe5d005b4589a5fe378b6487c657