CVE-2019-6690 (https://nvd.nist.gov/vuln/detail/CVE-2019-6690): python-gnupg 0.4.3 allows context-dependent attackers to trick gnupg to decrypt other ciphertext than intended. To perform the attack, the passphrase to gnupg must be controlled by the adversary and the ciphertext should be trusted. Related to a "CWE-20: Improper Input Validation" issue affecting the affect functionality component.
Please bump to >=0.4.4.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4038ef34b9021911fa48641cb3a55edfd2c06bca

commit 4038ef34b9021911fa48641cb3a55edfd2c06bca
Author:     Conrad Kostecki <conikost@gentoo.org>
AuthorDate: 2019-12-17 18:33:41 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2019-12-17 18:37:28 +0000

    dev-python/python-gnupg: bump to version 0.4.5

    Dropped patches, since they got merged.
    Also added python3.8 support, as all tests locally passed.

    Bug: https://bugs.gentoo.org/685864
    Package-Manager: Portage-2.3.81, Repoman-2.3.20
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 dev-python/python-gnupg/Manifest | 1 +
 dev-python/python-gnupg/python-gnupg-0.4.5.ebuild | 29 +++++++++++++++++++++++
 2 files changed, 30 insertions(+)
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please vote.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=96b5608ee3d86f4710dbca58e1c702bf18b90eaf

commit 96b5608ee3d86f4710dbca58e1c702bf18b90eaf
Author:     Conrad Kostecki <conikost@gentoo.org>
AuthorDate: 2019-12-20 19:40:39 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2019-12-20 19:42:54 +0000

    dev-python/python-gnupg: drop old versions

    Bug: https://bugs.gentoo.org/685864
    Package-Manager: Portage-2.3.81, Repoman-2.3.20
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 dev-python/python-gnupg/Manifest | 3 --
 ...hon-gnupg-0.4.3-skip_network_needing_test.patch | 51 ----------------------
 ...n-gnupg-0.4.3-use_seperate_keys_directory.patch | 50 ---------------------
 dev-python/python-gnupg/python-gnupg-0.4.0.ebuild | 27 ------------
 dev-python/python-gnupg/python-gnupg-0.4.1.ebuild | 27 ------------
 dev-python/python-gnupg/python-gnupg-0.4.3.ebuild | 31 -------------
 6 files changed, 189 deletions(-)
GLSA Vote: No

Repository is clean, all done!