Security update for gpg

SUSE Security Update: Security update for gpg
Announcement ID: SUSE-SU-2013:1578-1
Rating: moderate
References: #780943 #798465 #831359 #840510 #844175
Affected Products:
  • SUSE Linux Enterprise Server 10 SP3 LTSS

  • An update that solves one vulnerability and has four fixes is now available.

    Description:


    This GnuPG LTSS roll-up update fixes two security issues:

    * CVE-2013-4351: GnuPG treated no-usage-permitted keys
    as all-usages-permitted.
    * CVE-2013-4402: An infinite recursion in the
    compressed packet parser was fixed.
    * CVE-2013-4242: GnuPG allowed local users to obtain
    private RSA keys via a cache side-channel attack involving
    the L3 cache, aka Flush+Reload.
    * CVE-2012-6085: The read_block function in
    g10/import.c in GnuPG 1.4.x, when importing a key, allowed
    remote attackers to corrupt the public keyring database or
    cause a denial of service (application crash) via a crafted
    length field of an OpenPGP packet.

    We also fixed a permission issue on opening new files
    (bnc#780943)

    Security Issues:

    * CVE-2013-4351
    >

    Package List:

    • SUSE Linux Enterprise Server 10 SP3 LTSS (i586 s390x x86_64):
    • gpg-1.4.2-23.27.1

    References:

    • http://support.novell.com/security/cve/CVE-2013-4351.html
    • https://bugzilla.novell.com/780943
    • https://bugzilla.novell.com/798465
    • https://bugzilla.novell.com/831359
    • https://bugzilla.novell.com/840510
    • https://bugzilla.novell.com/844175
    • http://download.suse.com/patch/finder/?keywords=acd92f9dee2e9699d6f15796e9111ead