CVE-2019-13050
Published: 29 June 2019
Interaction between the sks-keyserver code through 1.2.0 of the SKS keyserver network, and GnuPG through 2.2.16, makes it risky to have a GnuPG keyserver configuration line referring to a host on the SKS keyserver network. Retrieving data from this network may cause a persistent denial of service, because of a Certificate Spamming Attack.
Priority
Low
CVSS 3 base score: 7.5
Status
| Package | Release | Status |
|---|---|---|
|
gnupg Launchpad, Ubuntu, Debian |
Upstream |
Needs triage
|
| Ubuntu 20.10 (Groovy Gorilla) |
Does not exist
|
|
| Ubuntu 20.04 LTS (Focal Fossa) |
Does not exist
|
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Does not exist
|
|
| Ubuntu 16.04 LTS (Xenial Xerus) |
Deferred
(2020-01-06)
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Deferred
(2020-01-06)
|
|
|
gnupg2 Launchpad, Ubuntu, Debian |
Upstream |
Needs triage
|
| Ubuntu 20.10 (Groovy Gorilla) |
Deferred
(2020-01-06)
|
|
| Ubuntu 20.04 LTS (Focal Fossa) |
Deferred
(2020-01-06)
|
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Deferred
(2020-01-06)
|
|
| Ubuntu 16.04 LTS (Xenial Xerus) |
Deferred
(2020-01-06)
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
|
|
|
Patches: Upstream: https://dev.gnupg.org/rG15a425a1dfe60bd976b17671aa8e3d9aed12e1c0 Upstream: https://dev.gnupg.org/rGadb120e663fc5e78f714976c6e42ae233c1990b0 Upstream: https://dev.gnupg.org/rGa1f2f38dfb2ba5ed66d3aef66fc3be9b67f9b800 Upstream: https://dev.gnupg.org/rG2b7151b0a57f5fe7d67fd76dfa1ba7a8731642c6 (possibly problematic) Upstream: https://dev.gnupg.org/rGb6effaf4669b2c3707932e3c5f2f57df886d759e Upstream: https://dev.gnupg.org/rG3c2cf5ea952015a441ee5701c41dadc63be60d87 |
||
|
sks Launchpad, Ubuntu, Debian |
Upstream |
Needs triage
|
| Ubuntu 20.10 (Groovy Gorilla) |
Does not exist
|
|
| Ubuntu 20.04 LTS (Focal Fossa) |
Deferred
(2020-01-06)
|
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Deferred
(2020-01-06)
|
|
| Ubuntu 16.04 LTS (Xenial Xerus) |
Deferred
(2020-01-06)
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
|
|
Notes
| Author | Note |
|---|---|
| mdeslaur | this is a weakness in the PGP keyserver design. |
| amurray | gnupg upstream has 2 mitigations for this - firstly, don't import key signatures by default anymore, and to fallback to only import self-signatures on very large keyblocks |
| mdeslaur | as of 2020-01-06, there is no ideal fix for this issue marking this CVE as deferred until a complete fix is available |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13050
- https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
- https://lists.gnupg.org/pipermail/gnupg-announce/2019q3/000439.html
- NVD
- Launchpad
- Debian