USN-1987-1: GnuPG vulnerabilities

9 October 2013

Several security issues were fixed in GnuPG.

Releases

Packages

gnupg - GNU privacy guard - a free PGP replacement
gnupg2 - GNU privacy guard - a free PGP replacement

Details

Daniel Kahn Gillmor discovered that GnuPG treated keys with empty usage
flags as being valid for all usages. (CVE-2013-4351)

Taylor R Campbell discovered that GnuPG incorrectly handled certain OpenPGP
messages. If a user or automated system were tricked into processing a
specially-crafted message, GnuPG could consume resources, resulting in a
denial of service. (CVE-2013-4402)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 13.04

gnupg2 - 2.0.19-2ubuntu1.1
gnupg - 1.4.12-7ubuntu1.2

Ubuntu 12.10

gnupg2 - 2.0.17-2ubuntu3.2
gnupg - 1.4.11-3ubuntu4.3

Ubuntu 12.04

Ubuntu 10.04

gnupg2 - 2.0.14-1ubuntu1.6
gnupg - 1.4.10-2ubuntu1.4

In general, a standard system update will make all the necessary changes.

References

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›