Search CVE reports
1 – 10 of 24 results
Some fixes available 5 of 7
In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect usage flags, the user loses the ability to verify signatures made from certain...
1 affected package
gnupg2
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|
| gnupg2 | Fixed | Fixed | Fixed | Needs evaluation |
GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.
2 affected packages
gnupg, gnupg2
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|
| gnupg | — | Not in release | Not in release | Not in release |
| gnupg2 | Vulnerable | Vulnerable | Vulnerable | Vulnerable |
GnuPG through 2.3.6, in unusual situations where an attacker possesses any secret-key information from a victim's keyring and other constraints (e.g., use of GPGME) are met, allows signature forgery via injection into the status line.
2 affected packages
gnupg, gnupg2
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|
| gnupg | — | Not in release | Not in release | Not in release |
| gnupg2 | — | Fixed | Fixed | Fixed |
GnuPG 2.2.21 and 2.2.22 (and Gpg4win 3.1.12) has an array overflow, leading to a crash or possibly unspecified other impact, when a victim imports an attacker's OpenPGP key, and this key has AEAD preferences. The overflow...
1 affected package
gnupg2
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|
| gnupg2 | — | — | Not affected | Not affected |
Some fixes available 1 of 20
A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 algorithm. An attacker could use this weakness to create forged certificate signatures. This issue affects GnuPG versions before 2.2.18.
3 affected packages
gnupg, gnupg1, gnupg2
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|
| gnupg | Not in release | Not in release | Not in release | Not in release |
| gnupg1 | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
| gnupg2 | Not affected | Not affected | Not affected | Fixed |
Some fixes available 1 of 12
Interaction between the sks-keyserver code through 1.2.0 of the SKS keyserver network, and GnuPG through 2.2.16, makes it risky to have a GnuPG keyserver configuration line referring to a host on the SKS keyserver network....
3 affected packages
gnupg, gnupg2, sks
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|
| gnupg | Not in release | Not in release | Not in release | Not in release |
| gnupg2 | Not affected | Not affected | Not affected | Fixed |
| sks | Not affected | Not affected | Vulnerable | Vulnerable |
GnuPG version 2.1.12 - 2.2.11 contains a Cross ite Request Forgery (CSRF) vulnerability in dirmngr that can result in Attacker controlled CSRF, Information Disclosure, DoS. This attack appear to be exploitable via Victim must...
1 affected package
gnupg2
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|
| gnupg2 | — | — | — | Fixed |
Some fixes available 24 of 41
mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the...
5 affected packages
enigmail, gnupg, gnupg1, gnupg2, python-gnupg
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|
| enigmail | Not in release | Vulnerable | Vulnerable | Vulnerable |
| gnupg | Not in release | Not in release | Not in release | Not in release |
| gnupg1 | Not affected | Not affected | Not affected | Vulnerable |
| gnupg2 | Fixed | Fixed | Fixed | Fixed |
| python-gnupg | Not affected | Not affected | Not affected | Fixed |
GnuPG 2.2.4 and 2.2.5 does not enforce a configuration in which key certification requires an offline master Certify key, which results in apparently valid certifications that occurred only with access to a signing subkey.
2 affected packages
gnupg, gnupg2
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|
| gnupg | — | — | — | Not in release |
| gnupg2 | — | — | — | Fixed |
The mixing functions in the random number generator in Libgcrypt before 1.5.6, 1.6.x before 1.6.6, and 1.7.x before 1.7.3 and GnuPG before 1.4.21 make it easier for attackers to obtain the values of 160 bits by...
4 affected packages
gnupg, gnupg2, libgcrypt11, libgcrypt20
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|
| gnupg | — | — | — | Not in release |
| gnupg2 | — | — | — | Not affected |
| libgcrypt11 | — | — | — | Not in release |
| libgcrypt20 | — | — | — | Fixed |