[Bug 1785176] Re: GnuPG 1.4.23 released on 2018-06-11, addresses CVE-2017-7526
Alex Murray alex.murray at canonical.com
Tue Aug  7 09:18:52 UTC 2018

https://usn.ubuntu.com/3733-1/
** Changed in: gnupg (Ubuntu)
       Status: New => Fix Released
-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gnupg in Ubuntu.
https://bugs.launchpad.net/bugs/1785176
Title:
  GnuPG 1.4.23 released on 2018-06-11, addresses CVE-2017-7526
Status in gnupg package in Ubuntu:
  Fix Released
Bug description:
  According to the information at the GnuPG Web site
  (https://www.gnupg.org/), GnuPG 1.4.23 was released on 2018-06-11 "to
  address the critical security bug CVE-2017-7526."
  https://www.gnupg.org/
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7526
  In addition, according to the information on the GnuPG news page
  (https://www.gnupg.org/news.html) GnuPG 1.4.22 was released on
  2017-07-19 "to address the recently published local side channel
  attack CVE-2017-7526."
  https://www.gnupg.org/news.html
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7526
  On the same page, it is mentioned that GnuPG 1.4.21 was released
  around 2016-08-17 to address the issue in CVE-2016-6313.
  https://lists.gnupg.org/pipermail/gnupg-announce/2016q3/000395.html (Note that the CVE id in the message is not correct)
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6313
  The changelog for the gnupg package version 1.4.20-1ubuntu3.2 mentions
  fixes for CVE-2018-12020 and CVE-2016-6313. There is no mention of
  CVE-2017-7526.
  http://changelogs.ubuntu.com/changelogs/pool/main/g/gnupg/gnupg_1.4.20-1ubuntu3.2/changelog
  Your attention to this issue is appreciated.