Security update for gpg2

SUSE Security Update: Security update for gpg2
Announcement ID: SUSE-SU-2014:0750-1
Rating: moderate
References: #778723 #780943 #798465 #808958 #840510 #844175
Affected Products:
  • SUSE Linux Enterprise Server 11 SP1 LTSS

  An update that contains security fixes can now be installed.

    Description:


    This is a SLES 11 SP1 LTSS rollup update for gpg2.

    The following security issues have been fixed:

    * CVE-2013-4402: The compressed packet parser in GnuPG allowed remote
    attackers to cause a denial of service (infinite recursion) via a
    crafted OpenPGP message.
    * CVE-2013-4351: GnuPG treated a key flags subpacket with all bits
    cleared (no usage permitted) as if it had all bits set (all usage
    permitted), which might have allowed remote attackers to bypass
    intended cryptographic protection mechanisms by leveraging the
    subkey.
    * CVE-2012-6085: The read_block function in g10/import.c in GnuPG,
    when importing a key, allowed remote attackers to corrupt the public
    keyring database or cause a denial of service (application crash)
    via a crafted length field of an OpenPGP packet.
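
A simplified model of the CVE-2013-4351 key flags issue described above, added here as an illustration; it is not GnuPG source code. The function names, the constructed sample octets and the all-usages default for a missing subpacket are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Key flags octet values from RFC 4880, section 5.2.3.21. */
#define KF_CERTIFY 0x01u
#define KF_SIGN    0x02u
#define KF_ENCRYPT (0x04u | 0x08u)  /* communications + storage */
#define KF_AUTH    0x20u
#define USAGE_ALL  (KF_CERTIFY | KF_SIGN | KF_ENCRYPT | KF_AUTH)

/* Constructed sample subpacket bodies (first octet of the key flags). */
static const uint8_t SAMPLE_NONE[] = { 0x00 };  /* no usage permitted */
static const uint8_t SAMPLE_SIGN[] = { 0x02 };  /* signing only */

/* Flawed pattern: 0 doubles as "subpacket absent", so an explicit all-zero
 * octet falls through to the permissive default. */
unsigned usage_flawed(const uint8_t *kf, size_t len)
{
    unsigned usage = 0;
    if (kf != NULL && len > 0)
        usage = kf[0] & USAGE_ALL;
    if (usage == 0)
        usage = USAGE_ALL;  /* intended only for "no subpacket present" */
    return usage;
}

/* Corrected pattern: presence is decided separately from the value. */
unsigned usage_checked(const uint8_t *kf, size_t len)
{
    if (kf == NULL || len == 0)
        return USAGE_ALL;        /* absent: simplified default (assumption) */
    return kf[0] & USAGE_ALL;    /* present: 0 really means "no usage" */
}

int main(void)
{
    printf("all-zero flags:  flawed=0x%02x checked=0x%02x\n",
           usage_flawed(SAMPLE_NONE, sizeof SAMPLE_NONE),
           usage_checked(SAMPLE_NONE, sizeof SAMPLE_NONE));
    printf("sign-only flags: flawed=0x%02x checked=0x%02x\n",
           usage_flawed(SAMPLE_SIGN, sizeof SAMPLE_SIGN),
           usage_checked(SAMPLE_SIGN, sizeof SAMPLE_SIGN));
    printf("no subpacket:    flawed=0x%02x checked=0x%02x\n",
           usage_flawed(NULL, 0), usage_checked(NULL, 0));
    return 0;
}
```

Only the all-zero case differs between the two functions, which is why a regression test for this class of bug needs an explicit "present but empty" input.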

    Also the following non-security bugs have been fixed:

    * set the umask before opening a file for writing (bnc#780943)
    * select proper ciphers when running in FIPS mode (bnc#808958)
    * add missing options to opts table (bnc#778723)

    Patch Instructions:

    To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product:

    • SUSE Linux Enterprise Server 11 SP1 LTSS:
      zypper in -t patch slessp1-gpg2-9124

    To bring your system up-to-date, use "zypper patch".

    Package List:

    • SUSE Linux Enterprise Server 11 SP1 LTSS (i586 s390x x86_64):
      • gpg2-2.0.9-25.33.37.6
      • gpg2-lang-2.0.9-25.33.37.6

    References:

    • https://bugzilla.novell.com/778723
    • https://bugzilla.novell.com/780943
    • https://bugzilla.novell.com/798465
    • https://bugzilla.novell.com/808958
    • https://bugzilla.novell.com/840510
    • https://bugzilla.novell.com/844175
    • http://download.suse.com/patch/finder/?keywords=541ab699fd83742808f396e260b1da5d