USN-5503-2: GnuPG vulnerability
12 July 2022
GnuPG could allow forged signatures.
Releases
Packages
- gnupg - GNU privacy guard - a free PGP replacement
- gnupg2 - GNU privacy guard - a free PGP replacement
Details
USN-5503-1 fixed a vulnerability in GnuPG. This update provides
the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM.
Original advisory details:
Demi Marie Obenour discovered that GnuPG incorrectly handled injection in
the status message. A remote attacker could possibly use this issue to
forge signatures.
Update instructions
The problem can be corrected by updating your system to the following package versions:
Ubuntu 16.04
-
gnupg2
-
2.1.11-6ubuntu2.1+esm1
Available with Ubuntu Pro
-
gnupg
-
1.4.20-1ubuntu3.3+esm2
Available with Ubuntu Pro
Ubuntu 14.04
-
gnupg
-
1.4.16-1ubuntu2.6+esm1
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References
Related notices
- USN-5503-1: gnupg2, scdaemon, gpgv, gnupg-l10n, gnupg, gpg-agent, gpg-wks-client, gpg-wks-server, gpgconf, gpgv-static, gnupg-utils, gpgv-win32, gpgv2, gnupg-agent, dirmngr, gpg, gpgsm