CVE-2025-43023
Publication date 28 July 2025
Last updated 15 September 2025
Ubuntu priority
A potential security vulnerability has been identified in the HP Linux Imaging and Printing Software documentation. This potential vulnerability is due to the use of a weak code signing key, Digital Signature Algorithm (DSA).
Status
Package | Ubuntu Release | Status |
---|---|---|
hplip | 25.04 plucky | Needs evaluation |
hplip | 24.04 LTS noble | Needs evaluation |
hplip | 22.04 LTS jammy | Needs evaluation |
hplip | 20.04 LTS focal | Needs evaluation |
hplip | 18.04 LTS bionic | Needs evaluation |
hplip | 16.04 LTS xenial | Needs evaluation |
Notes
mdeslaur
This CVE is for the use of a DSA key to sign the upstream installer. Starting with 3.25.2, HP switched to a newer GPG key, available here:
https://developers.hp.com/hp-linux-imaging-and-printing/hplipDigitalCertificate.html

In the hplip-data binary package, the DSA key is located in /usr/share/hplip/signing-key.asc and is loaded by /usr/share/hplip/base/validation.py. We need to investigate if the key is being used to download other artifacts from HP.
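
To check which algorithm a shipped signing key such as /usr/share/hplip/signing-key.asc uses, the following added example (not part of the Ubuntu tracker entry or of hplip) classifies keys from GnuPG's machine-readable `--with-colons` listing. The function names, the sample key records and the 2048-bit RSA threshold are assumptions made for the illustration.

```shell
#!/bin/sh
# Classify keys in `gpg --with-colons` output read from stdin.
# Colon fields: 1 = record type, 3 = key length in bits,
# 4 = public-key algorithm ID (RFC 4880: 1-3 = RSA, 17 = DSA), 5 = key ID.
classify_keys() {
    awk -F: '
        $1 == "pub" || $1 == "sub" {
            bits = $3 + 0
            verdict = "ok"
            if ($4 == 17) {
                name = "DSA"
                verdict = "WEAK"            # the algorithm this CVE is about
            } else if ($4 >= 1 && $4 <= 3) {
                name = "RSA"
                if (bits < 2048) verdict = "WEAK"   # assumed threshold
            } else {
                name = "algo-" $4           # reported, not judged
            }
            printf "%s %s %s-%d %s\n", verdict, $1, name, bits, $5
        }'
}

# Succeeds (exit status 0) when at least one key is classified WEAK.
has_weak_key() {
    classify_keys | grep -q '^WEAK '
}

# Constructed sample listing (key IDs and user IDs are made up):
# one DSA-1024 primary key and one RSA-4096 primary key.
SAMPLE='pub:-:1024:17:AAAAAAAAAAAAAAAA:1100000000:::-:::scSC:
uid:-::::1100000000::0000::Constructed DSA Signer <dsa@example.invalid>:
pub:-:4096:1:CCCCCCCCCCCCCCCC:1700000000:::-:::scSC:
uid:-::::1700000000::0000::Constructed RSA Signer <rsa@example.invalid>:'

printf '%s\n' "$SAMPLE" | classify_keys

# Against the installed key (--show-keys needs a recent GnuPG 2.x):
#   gpg --show-keys --with-colons /usr/share/hplip/signing-key.asc | classify_keys
```

`--show-keys` only lists the key file's contents and does not import anything into the keyring.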