* SECURITY UPDATE: Certificate Spamming Attack through SKS
(LP: #1844059)
- debian/patches/CVE-2019-13050-1.patch: add option to only accept
self-signatures when importing a key in g10/import.c,
g10/options.h and doc/gpg.texi.
- debian/patches/CVE-2019-13050-2.patch: add fallback when importing
self-signatures only in g10/import.c.
- debian/patches/CVE-2019-13050-3.patch: add "self-sigs-only" and
"import-clean" to the keyserver options in g10/gpg.c and
doc/gpg.texi.
- debian/patches/CVE-2019-13050-4.patch: fix regression by ensuring
KEYID is available on a pending package in g10/import.c.
- debian/patches/CVE-2019-13050-5.patch: prevent fallback from being
used if the options are already used in g10/import.c.
- CVE-2019-13050
-- David Fernandez Gonzalez <email address hidden> Thu, 26 May 2022 12:24:46 +0200
This bug was fixed in the package gnupg2 - 2.2.4-1ubuntu1.5
---------------
gnupg2 (2.2.4-1ubuntu1.5) bionic-security; urgency=medium
* SECURITY UPDATE: Certificate Spamming Attack through SKS
(LP: #1844059)
- debian/patches/CVE-2019-13050-1.patch: add option to only accept
self-signatures when importing a key in g10/import.c,
g10/options.h and doc/gpg.texi.
- debian/patches/CVE-2019-13050-2.patch: add fallback when importing
self-signatures only in g10/import.c.
- debian/patches/CVE-2019-13050-3.patch: add "self-sigs-only" and
"import-clean" to the keyserver options in g10/gpg.c and
doc/gpg.texi.
- debian/patches/CVE-2019-13050-4.patch: fix regression by ensuring
KEYID is available on a pending package in g10/import.c.
- debian/patches/CVE-2019-13050-5.patch: prevent fallback from being
used if the options are already used in g10/import.c.
- CVE-2019-13050
-- David Fernandez Gonzalez <email address hidden> Thu, 26 May 2022 12:24:46 +0200