MGASA-2013-0299

See a problem?
Please try reporting it to the source first.

Source

https://advisories.mageia.org/MGASA-2013-0299.html

Import Source

https://advisories.mageia.org/MGASA-2013-0299.json

JSON Data

https://api.test.osv.dev/v1/vulns/MGASA-2013-0299

Related

Published

2013-10-09T22:34:30Z

Modified

2013-10-09T22:34:22Z

Summary

Updated gnupg2 packages fix multiple vulnerabilities

Details

Updated gnupg2 package fixes security vulnerabilities:

RFC 4880 permits OpenPGP keyholders to mark their primary keys and subkeys with a "key flags" packet that indicates the capabilities of the key. These are represented as a set of binary flags, including things like "This key may be used to encrypt communications." If a key or subkey has this "key flags" subpacket attached with all bits cleared (off), GnuPG currently treats the key as having all bits set (on). While keys with this sort of marker are very rare in the wild, GnuPG's misinterpretation of this subpacket could lead to a breach of confidentiality or a mistaken identity verification (CVE-2013-4351).

Special crafted input data may be used to cause a denial of service against GPG. GPG can be forced to recursively parse certain parts of OpenPGP messages ad infinitum (CVE-2013-4402).

References

Credits

- Mageia - COORDINATOR
- - https://wiki.mageia.org/en/Packages_Security_Team

Affected packages

Mageia:3 / gnupg2

Package

Name: gnupg2
Purl: pkg:rpm/mageia/gnupg2?distro=mageia-3

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.0.19-3.2.mga3

Ecosystem specific

{
    "section": "core"
}

Mageia:2 / gnupg2

Package

Name: gnupg2
Purl: pkg:rpm/mageia/gnupg2?distro=mageia-2

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.0.18-1.4.mga2

Ecosystem specific

{
    "section": "core"
}