
CVE-2019-13050

Published: 29 June 2019

Interaction between the sks-keyserver code through 1.2.0 of the SKS keyserver network and GnuPG through 2.2.16 makes it risky to have a GnuPG keyserver configuration line referring to a host on the SKS keyserver network. Retrieving data from this network may cause a persistent denial of service, because of a Certificate Spamming Attack.

Priority

Low

CVSS 3 base score: 7.5

Status

Package: gnupg (Launchpad, Ubuntu, Debian)
  Release   Status
  bionic    Does not exist
  disco     Does not exist
  eoan      Does not exist
  focal     Does not exist
  groovy    Does not exist
  hirsute   Does not exist
  impish    Does not exist
  jammy     Does not exist
  precise   Ignored (end of ESM support, was deferred [2020-01-06])
  trusty    Deferred (2022-03-22)
  upstream  Needs triage
  xenial    Deferred (2022-03-22)

Package: gnupg2 (Launchpad, Ubuntu, Debian)
  Release   Status
  bionic    Needed
  disco     Ignored (reached end-of-life)
  eoan      Ignored (reached end-of-life)
  focal     Not vulnerable (2.2.19-3ubuntu1)
  groovy    Not vulnerable (2.2.19-3ubuntu1)
  hirsute   Not vulnerable (2.2.19-3ubuntu1)
  impish    Not vulnerable (2.2.19-3ubuntu1)
  jammy     Not vulnerable (2.2.19-3ubuntu1)
  precise   Does not exist
  trusty    Does not exist
  upstream  Released (2.2.17-3)
  xenial    Needed

Package: sks (Launchpad, Ubuntu, Debian)
  Release   Status
  bionic    Deferred (2020-01-06)
  cosmic    Ignored (reached end-of-life)
  disco     Ignored (reached end-of-life)
  eoan      Ignored (reached end-of-life)
  focal     Deferred (2020-01-06)
  groovy    Does not exist
  hirsute   Not vulnerable (1.1.6+git20210302.c3ba6d5a-1)
  impish    Not vulnerable (1.1.6+git20210302.c3ba6d5a-1)
  jammy     Not vulnerable (1.1.6+git20210302.c3ba6d5a-1)
  precise   Does not exist
  trusty    Does not exist
  upstream  Released (1.1.6+git20210302.c3ba6d5a-1)
  xenial    Ignored (end of standard support, was deferred [2020-01-06])

Notes

Author    Note

mdeslaur
  This is a weakness in the PGP keyserver design.

amurray
  gnupg upstream has 2 mitigations for this: firstly, don't import key signatures by default anymore, and secondly, fall back to importing only self-signatures on very large keyblocks.

mdeslaur
  As of 2020-01-06, there is no ideal fix for this issue.
  Marking this CVE as deferred until a complete fix is available.

sbeattie
  gnupg mitigations landed in upstream in 2.2.17 with important fixes in 2.2.18.
  2.2.19-3ubuntu1 introduced a Debian/Ubuntu specific change to use keys.openpgp.org as the default keyserver.
  Any backports to address this issue will be complex and introduce changes in behavior.
  sks in Debian introduced very basic filtering in 1.1.6+git20210302.c3ba6d5a-1.

rodrigo-zaiden
  As of 2022-03-22, there is no upstream backport for the gnupg 1.4 series. Backporting from 2.2 is too risky.
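The description and the notes above point at two things an administrator can check on a host that cannot take the fixed packages: whether a keyserver line still refers to the SKS pool, and whether key-signature import is restricted to self-signatures (GnuPG 2.2.17 made self-sigs-only,import-clean the default keyserver-options; older builds import every third-party signature unless told otherwise). The script below is an added example for this tracker page, not code from GnuPG, Debian or Ubuntu. It audits gpg.conf/dirmngr.conf text for both conditions and runs without gpg installed; the three sample config files, their contents and the hypothetical function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit GnuPG config text for the settings behind
# CVE-2019-13050. Not GnuPG's or Ubuntu's code. Sample files are constructed.

# version_lt A B: exit 0 when dotted version A is lower than version B.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            p = (i <= n) ? x[i] + 0 : 0; q = (i <= m) ? y[i] + 0 : 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 1
    }'
}

# strip_comments FILE: config lines with comments and blank lines removed.
strip_comments() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"
}

# audit_gpg_config FILE VERSION: print "ok" or "risky:<finding>[,<finding>]".
# VERSION is the gpg release the config is used with (e.g. 2.2.16). From
# 2.2.17 the built-in keyserver-options default is self-sigs-only,import-clean,
# so on those releases only an explicit no-self-sigs-only reopens the hole.
audit_gpg_config() {
    file=$1
    version=$2
    findings=""
    cfg=$(strip_comments "$file")

    # The last "keyserver" directive wins; flag any host on the SKS pool.
    host=$(printf '%s\n' "$cfg" | awk '$1 == "keyserver" { h = $2 } END { print h }')
    case "$host" in
        *sks-keyservers.net*) findings="${findings}sks-pool-keyserver," ;;
    esac

    if printf '%s\n' "$cfg" | grep -Eq '^(keyserver-options|import-options)[[:space:]].*no-self-sigs-only'; then
        findings="${findings}self-sigs-only-disabled,"
    elif ! printf '%s\n' "$cfg" | grep -Eq '^(keyserver-options|import-options)[[:space:]].*self-sigs-only'; then
        # Nothing explicit: the default only protects you from 2.2.17 on.
        if version_lt "$version" 2.2.17; then
            findings="${findings}signatures-imported-by-default,"
        fi
    fi

    if [ -z "$findings" ]; then
        echo ok
    else
        echo "risky:${findings%,}"
    fi
}

# Constructed sample: still refreshing from the SKS pool, signatures forced on.
RISKY_CONF=$(mktemp)
cat > "$RISKY_CONF" <<'EOF'
# gpg.conf of a host that still refreshes keys from the SKS pool
keyserver hkps://hkps.pool.sks-keyservers.net
keyserver-options no-self-sigs-only
EOF

# Constructed sample: the hardened form (keys.openpgp.org, as the
# 2.2.19-3ubuntu1 default, plus explicit self-sigs-only,import-clean).
SAFE_CONF=$(mktemp)
cat > "$SAFE_CONF" <<'EOF'
keyserver hkps://keys.openpgp.org
keyserver-options self-sigs-only,import-clean
import-options self-sigs-only,import-clean
EOF

# Constructed sample: SKS pool host, no options; relies on the gpg default.
DEFAULT_CONF=$(mktemp)
cat > "$DEFAULT_CONF" <<'EOF'
keyserver hkps://hkps.pool.sks-keyservers.net
EOF
trap 'rm -f "$RISKY_CONF" "$SAFE_CONF" "$DEFAULT_CONF"' EXIT

main() {
    for f in "$RISKY_CONF" "$SAFE_CONF" "$DEFAULT_CONF"; do
        for v in 2.2.16 2.2.17; do
            echo "$(basename "$f") with gpg $v: $(audit_gpg_config "$f" "$v")"
        done
    done
}
main
```

The SKS pool host is reported on every release because the CVE description ties the denial of service to the keyserver line itself, not only to the import options; the third sample shows that a bare pool line is still flagged on 2.2.17 while the missing-default finding disappears there.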
