[Bug 1844059] Re: Please apply mitigations for CVE-2019-13050
Launchpad Bug Tracker
1844059 at bugs.launchpad.net
Mon May 30 07:15:20 UTC 2022
This bug was fixed in the package gnupg2 - 2.2.4-1ubuntu1.5
---------------
gnupg2 (2.2.4-1ubuntu1.5) bionic-security; urgency=medium

  * SECURITY UPDATE: Certificate Spamming Attack through SKS
    (LP: #1844059)
    - debian/patches/CVE-2019-13050-1.patch: add option to only accept
      self-signatures when importing a key in g10/import.c,
      g10/options.h and doc/gpg.texi.
    - debian/patches/CVE-2019-13050-2.patch: add fallback when importing
      self-signatures only in g10/import.c.
    - debian/patches/CVE-2019-13050-3.patch: add "self-sigs-only" and
      "import-clean" to the keyserver options in g10/gpg.c and
      doc/gpg.texi.
    - debian/patches/CVE-2019-13050-4.patch: fix regression by ensuring
      KEYID is available on a pending package in g10/import.c.
    - debian/patches/CVE-2019-13050-5.patch: prevent fallback from being
      used if the options are already used in g10/import.c.
    - CVE-2019-13050

 -- David Fernandez Gonzalez <david.fernandezgonzalez at canonical.com>
    Thu, 26 May 2022 12:24:46 +0200

** Changed in: gnupg2 (Ubuntu)
Status: Confirmed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gnupg2 in Ubuntu.
https://bugs.launchpad.net/bugs/1844059
Title:
Please apply mitigations for CVE-2019-13050
Status in gnupg2 package in Ubuntu:
Fix Released
Bug description:
According to
https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13050.html
mitigating CVE-2019-13050 was deferred, however mitigation is needed.
Reading the comments listed there, I am unable to determine the
reasoning / cause for deferral, could you please try to help me
understand? Thanks in advance.
ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: gnupg 2.2.4-1ubuntu1.2
ProcVersionSignature: Ubuntu 5.0.0-27.28~18.04.1-generic 5.0.21
Uname: Linux 5.0.0-27-generic x86_64
ApportVersion: 2.20.9-0ubuntu7.7
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Sun Sep 15 17:14:48 2019
SourcePackage: gnupg2
UpgradeStatus: No upgrade log present (probably fresh install)