This bug was fixed in the package gnupg2 - 2.2.4-1ubuntu1.5

---------------
gnupg2 (2.2.4-1ubuntu1.5) bionic-security; urgency=medium

  * SECURITY UPDATE: Certificate Spamming Attack through SKS (LP: #1844059)
    - debian/patches/CVE-2019-13050-1.patch: add option to only accept
      self-signatures when importing a key in g10/import.c, g10/options.h
      and doc/gpg.texi.
    - debian/patches/CVE-2019-13050-2.patch: add fallback when importing
      self-signatures only in g10/import.c.
    - debian/patches/CVE-2019-13050-3.patch: add "self-sigs-only" and
      "import-clean" to the keyserver options in g10/gpg.c and doc/gpg.texi.
    - debian/patches/CVE-2019-13050-4.patch: fix regression by ensuring
      KEYID is available on a pending package in g10/import.c.
    - debian/patches/CVE-2019-13050-5.patch: prevent fallback from being
      used if the options are already used in g10/import.c.
    - CVE-2019-13050

 -- David Fernandez Gonzalez <david.fernandezgonza...@canonical.com>  Thu, 26 May 2022 12:24:46 +0200

** Changed in: gnupg2 (Ubuntu)
       Status: Confirmed => Fix Released

https://bugs.launchpad.net/bugs/1844059

Title:
  Please apply mitigations for CVE-2019-13050