-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.3244
                          gnupg2 security update
                                4 July 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           gnupg2
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-34903  

Original Bulletin: 
   https://lists.debian.org/debian-security-announce/2022/msg00142.html

Comment: CVSS (Max):  None available when published

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-5174-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
July 03, 2022                         https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : gnupg2
CVE ID         : CVE-2022-34903
Debian Bug     : 1014157

Demi Marie Obenour discovered a flaw in GnuPG, allowing for signature
spoofing via arbitrary injection into the status line. An attacker who
controls the secret part of any signing-capable key or subkey in the
victim's keyring can take advantage of this flaw to provide a
correctly-formed signature that some software, including gpgme, will
accept as having a validity and signer fingerprint chosen by the attacker.

For the oldstable distribution (buster), this problem has been fixed
in version 2.2.12-1+deb10u2.

For the stable distribution (bullseye), this problem has been fixed in
version 2.2.27-2+deb11u2.

We recommend that you upgrade your gnupg2 packages.

For the detailed security status of gnupg2 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/gnupg2

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----