lp:ubuntu/precise-security/gnupg

Created by Ubuntu Package Importer on 2012-09-17 and last modified on 2014-08-19
Get this branch:
bzr branch lp:ubuntu/precise-security/gnupg
Members of Ubuntu branches can upload to this branch.

Branch information

Owner: Ubuntu branches
Review team: Ubuntu Development Team
Status: Mature

Recent revisions

44. By Marc Deslauriers on 2014-08-19

* SECURITY UPDATE: side-channel attack on Elgamal encryption subkeys
  - debian/patches/CVE-2014-5270.dpatch: use sliding window method for
    exponentiation algorithm in mpi/mpi-pow.c.
  - CVE-2014-5270

43. By Marc Deslauriers on 2014-06-26

* SECURITY UPDATE: denial of service via uncompressing garbled packets
  - debian/patches/CVE-2014-4617.dpatch: limit number of extra bytes in
    g10/compress.c.
  - CVE-2014-4617

42. By Marc Deslauriers on 2013-12-18

* SECURITY UPDATE: RSA Key Extraction via Low-Bandwidth Acoustic
  Cryptanalysis attack
  - debian/patches/CVE-2013-4576.dpatch: Use blinding for the RSA secret
    operation in cipher/random.*, cipher/rsa.c, g10/gpgv.c. Normalize the
    MPIs used as input to secret key functions in cipher/dsa.c,
    cipher/elgamal.c, cipher/rsa.c.
  - CVE-2013-4576

41. By Marc Deslauriers on 2013-10-08

* SECURITY UPDATE: incorrect no-usage-permitted flag handling
  - debian/patches/CVE-2013-4351.dpatch: correctly handle empty key flags
    in g10/getkey.c, g10/keygen.c, include/cipher.h.
  - CVE-2013-4351
* SECURITY UPDATE: denial of service via infinite recursion
  - debian/patches/CVE-2013-4402.dpatch: set limits on number of filters
    and nested packets in util/iobuf.c, g10/mainproc.c.
  - CVE-2013-4402

40. By Seth Arnold on 2013-07-30

* SECURITY UPDATE: The path of execution in an exponentiation function may
  depend upon secret key data, allowing a local attacker to determine the
  contents of the secret key through a side-channel attack.
  - debian/patches/CVE-2013-4242.dpatch: always perform the mpi_mul for
    exponents in secure memory. Based on upstream patch.
  - CVE-2013-4242

39. By Marc Deslauriers on 2013-01-08

* SECURITY UPDATE: keyring corruption via malformed key import
  - debian/patches/CVE-2012-6085.dpatch: validate PKTTYPE in g10/import.c.
  - CVE-2012-6085

38. By Marc Deslauriers on 2012-08-14

debian/patches/long-keyids.dpatch: Use the longest key ID available
when requesting a key from a key server.

37. By Colin Watson on 2011-11-21

releasing version 1.4.11-3ubuntu2

36. By Colin Watson on 2011-11-21

Mark gnupg, gnupg-curl, and gpgv Multi-Arch: foreign.

35. By Rico Tzschichholz on 2011-02-22

* Resynchronise with Debian (LP: #720905). Remaining changes:
  - Disable mlock() test since it fails with ulimit 0 (on buildds).
  - Set gpg (or gpg2) and gpgsm to use a passphrase agent by default.
  - Fix udeb build failure on powerpc, building with -O2 instead of -Os.
  - Only suggest gnupg-curl and libldap; recommendations are pulled into
    minimal, and we don't need the keyserver utilities in a minimal Ubuntu
    system.
* debian/{control,rules}: Remove the Win32 build (and mingw32
  build-dependency), since mingw32 is in universe, and will remain so for
  the foreseeable future.

Branch metadata

Branch format: Branch format 7
Repository format: Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on: lp:ubuntu/quantal/gnupg
This branch contains Public information 
Everyone can see this information.
