===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.3244
                           gnupg2 security update
                                4 July 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           gnupg2
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-34903

Original Bulletin:
   https://lists.debian.org/debian-security-announce/2022/msg00142.html

Comment: CVSS (Max):  None available when published

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-5174-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
July 03, 2022                         https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : gnupg2
CVE ID         : CVE-2022-34903
Debian Bug     : 1014157

Demi Marie Obenour discovered a flaw in GnuPG, allowing for signature
spoofing via arbitrary injection into the status line. An attacker who
controls the secret part of any signing-capable key or subkey in the
victim's keyring, can take advantage of this flaw to provide a
correctly-formed signature that some software, including gpgme, will
accept to have validity and signer fingerprint chosen from the attacker.

For the oldstable distribution (buster), this problem has been fixed
in version 2.2.12-1+deb10u2.

For the stable distribution (bullseye), this problem has been fixed in
version 2.2.27-2+deb11u2.

We recommend that you upgrade your gnupg2 packages.

For the detailed security status of gnupg2 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/gnupg2

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================