Security update for gpg

SUSE Security Update: Security update for gpg
Announcement ID: SUSE-SU-2013:1578-1
Rating: moderate
References: #780943 #798465 #831359 #840510 #844175
Affected Products:
  • SUSE Linux Enterprise Server 10 SP3 LTSS

  • An update that solves one vulnerability and has four fixes is now available.


    This GnuPG LTSS roll-up update fixes two security issues:

    * CVE-2013-4351: GnuPG treated no-usage-permitted keys
    as all-usages-permitted.
    * CVE-2013-4402: An infinite recursion in the
    compressed packet parser was fixed.
    * CVE-2013-4242: GnuPG allowed local users to obtain
    private RSA keys via a cache side-channel attack involving
    the L3 cache, aka Flush+Reload.
    * CVE-2012-6085: The read_block function in
    g10/import.c in GnuPG 1.4.x, when importing a key, allowed
    remote attackers to corrupt the public keyring database or
    cause a denial of service (application crash) via a crafted
    length field of an OpenPGP packet.

    We also fixed a permission issue on opening new files

    Security Issues:

    * CVE-2013-4351

    Package List:

    • SUSE Linux Enterprise Server 10 SP3 LTSS (i586 s390x x86_64):
    • gpg-1.4.2-23.27.1