CVE-2019-13050
Published: 29 June 2019
Interaction between the sks-keyserver code through 1.2.0 of the SKS keyserver network, and GnuPG through 2.2.16, makes it risky to have a GnuPG keyserver configuration line referring to a host on the SKS keyserver network. Retrieving data from this network may cause a persistent denial of service, because of a Certificate Spamming Attack.
Priority
Low
CVSS 3 base score: 7.5
Status
| Package | Release | Status |
|---|---|---|
|
gnupg Launchpad, Ubuntu, Debian |
Upstream |
Needs triage
|
| Ubuntu 21.04 (Hirsute Hippo) |
Does not exist
|
|
| Ubuntu 20.04 LTS (Focal Fossa) |
Does not exist
|
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Does not exist
|
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Deferred
(2020-01-06)
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Deferred
(2020-01-06)
|
|
|
gnupg2 Launchpad, Ubuntu, Debian |
Upstream |
Released
(2.2.17-3)
|
| Ubuntu 21.04 (Hirsute Hippo) |
Not vulnerable
(2.2.19-3ubuntu1)
|
|
| Ubuntu 20.04 LTS (Focal Fossa) |
Not vulnerable
(2.2.19-3ubuntu1)
|
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Needed
|
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Needed
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
|
|
|
Patches: Upstream: https://dev.gnupg.org/rG15a425a1dfe60bd976b17671aa8e3d9aed12e1c0 Upstream: https://dev.gnupg.org/rGadb120e663fc5e78f714976c6e42ae233c1990b0 Upstream: https://dev.gnupg.org/rGa1f2f38dfb2ba5ed66d3aef66fc3be9b67f9b800 Upstream: https://dev.gnupg.org/rG2b7151b0a57f5fe7d67fd76dfa1ba7a8731642c6 (possibly problematic) Upstream: https://dev.gnupg.org/rGb6effaf4669b2c3707932e3c5f2f57df886d759e Upstream: https://dev.gnupg.org/rG3c2cf5ea952015a441ee5701c41dadc63be60d87 |
||
|
sks Launchpad, Ubuntu, Debian |
Upstream |
Released
(1.1.6+git20210302.c3ba6d5a-1)
|
| Ubuntu 21.04 (Hirsute Hippo) |
Not vulnerable
(1.1.6+git20210302.c3ba6d5a-1)
|
|
| Ubuntu 20.04 LTS (Focal Fossa) |
Deferred
(2020-01-06)
|
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Deferred
(2020-01-06)
|
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Ignored
(end of standard support, was deferred [2020-01-06])
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
|
|
Notes
| Author | Note |
|---|---|
| mdeslaur | this is a weakness in the PGP keyserver design. |
| amurray | gnupg upstream has 2 mitigations for this - firstly, don't import key signatures by default anymore, and to fallback to only import self-signatures on very large keyblocks |
| mdeslaur | as of 2020-01-06, there is no ideal fix for this issue marking this CVE as deferred until a complete fix is available |
| sbeattie | gnupg mitigations landed in upstream in 2.2.17 with important fixes in 2.2.18 2.2.19-3ubuntu1 introduced a debian/ubuntu specific change to use keys.openpgp.org as the default keyserver any backports to address this issue will be complex and introduce changes in behavior sks in debian introduced very basic filtering in 1.1.6+git20210302.c3ba6d5a-1 |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13050
- https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
- https://lists.gnupg.org/pipermail/gnupg-announce/2019q3/000439.html
- NVD
- Launchpad
- Debian