Bug 701616 (CVE-2019-14855)

Summary: <app-crypt/gnupg-2.2.19: WoT forgeries using SHA-1 (CVE-2019-14855)
Product: Gentoo Security
Reporter: Michael 'veremitz' Everitt <gentoo>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: crypto+disabled, k_f
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
URL: https://lists.gnupg.org/pipermail/gnupg-announce/2019q4/000442.html
Whiteboard: A4 [noglsa cve]
Package list:
app-crypt/gnupg-2.2.19
Runtime testing required: ---

Description Michael 'veremitz' Everitt 2019-12-01 00:48:59 UTC
Version 2.2.18 of gnupg is now available.

See https://lists.gnupg.org/pipermail/gnupg-announce/2019q4/000442.html for details.
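Two checks a practitioner would want alongside this bug: whether the installed GnuPG predates the fixed release the bug tracks (2.2.19), and which web-of-trust certifications in a keyring still rely on SHA-1. This is an added example written for this page, not code from the Gentoo bug, from GnuPG, or from the ebuild. It assumes the colon-listing layout documented in gnupg's doc/DETAILS (record type in field 1, signer key ID in field 5, creation time in field 6, user ID in field 10, signature class in field 11, hash algorithm in field 16, where 2 is SHA-1 and 8 is SHA-256), and it takes the 2019-01-19 cutoff from the linked gnupg announcement for 2.2.18 as its default. The keyring listing below is constructed for the example; on a real system it would come from `gpg --list-sigs --with-colons`.

```shell
#!/bin/sh
# Added example for Gentoo bug 701616 / CVE-2019-14855; not GnuPG or Gentoo code.

# version_ge A B: exit 0 when dotted version A is >= B, compared component-wise
# as numbers (so 2.2.19 > 2.2.9 and 2.3.0 > 2.2.19). Missing components are 0.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# gnupg_affected LINE: LINE is the first line of "gpg --version", for example
# "gpg (GnuPG) 2.2.17". Exit 0 if the version is older than the fixed release
# 2.2.19 named in the bug, 1 if it is fixed, 2 if the line cannot be parsed.
gnupg_affected() {
    v=$(printf '%s\n' "$1" | awk '{ print $3 }')
    if [ -z "$v" ]; then
        echo "unparseable version line: $1" >&2
        return 2
    fi
    if version_ge "$v" 2.2.19; then
        return 1
    fi
    return 0
}

# sha1_certs_after CUTOFF: read "gpg --list-sigs --with-colons" output on stdin
# and print signer-keyid:creation:userid for every certification signature
# (sig record, class 0x10..0x13) that uses SHA-1 (hash algorithm id 2) and was
# made at or after CUTOFF (seconds since the epoch). Field numbers are the
# assumed doc/DETAILS layout described in the lead-in.
sha1_certs_after() {
    awk -F: -v cutoff="$1" '
        $1 == "sig" && $11 ~ /^1[0-3]/ && $16 == 2 && ($6 + 0) >= cutoff {
            print $5 ":" $6 ":" $10
        }'
}

# 2019-01-19 00:00:00 UTC, the cutoff gnupg 2.2.18 applies to SHA-1 certifications.
SHA1_CUTOFF=1547856000

# Constructed colon listing (not real keys): one SHA-256 self-signature, one
# SHA-1 certification from 2019-06 (after the cutoff) and one from 2018-10 (before).
CONSTRUCTED_LISTING='pub:u:4096:1:1111111111111111:1500000000:::u:::scESC::::::23::0:
uid:u::::1500000000::0000000000000000000000000000000000000000::Alice Example <alice@example.test>::::::::::0:
sig:::1:1111111111111111:1500000000::::Alice Example <alice@example.test>:13x:::::8:
sig:::1:2222222222222222:1560000000::::Bob Example <bob@example.test>:10x:::::2:
sig:::1:3333333333333333:1540000000::::Carol Example <carol@example.test>:10x:::::2:'

# Usage: feed the installed version and the listing through the two checks.
line="gpg (GnuPG) 2.2.17"   # constructed; on a real host: gpg --version | head -n1
if gnupg_affected "$line"; then
    echo "$line: older than 2.2.19, affected"
else
    echo "$line: 2.2.19 or newer"
fi
echo "SHA-1 certifications made on/after 2019-01-19 (signer:created:uid):"
printf '%s\n' "$CONSTRUCTED_LISTING" | sha1_certs_after "$SHA1_CUTOFF"
```

On a real host replace the constructed listing with `gpg --list-sigs --with-colons` and the version line with `gpg --version | head -n1`; the SHA-1 scan only reports the hash algorithm and date, it does not by itself tell you whether a given certification is a forgery, only that it rests on a hash GnuPG 2.2.18 and later no longer accept for that date range.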
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2019-12-02 12:47:20 UTC
Yes, I've been waiting a bit on this to see if a quick fix is added for https://lists.gnupg.org/pipermail/gnupg-devel/2019-November/034487.html , but will likely bump it anyways later this week.
Comment 2 Larry the Git Cow gentoo-dev 2019-12-13 19:16:27 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5d39c36648f20fe75f0bbaf907bdc0b0bb48c7f5

commit 5d39c36648f20fe75f0bbaf907bdc0b0bb48c7f5
Author:     Kristian Fiskerstrand <k_f@gentoo.org>
AuthorDate: 2019-12-13 19:16:03 +0000
Commit:     Kristian Fiskerstrand <k_f@gentoo.org>
CommitDate: 2019-12-13 19:16:18 +0000

    app-crypt/gnupg: New upstream version 2.2.19
    
    Bug: https://bugs.gentoo.org/701616
    Package-Manager: Portage-2.3.79, Repoman-2.3.16
    Signed-off-by: Kristian Fiskerstrand <k_f@gentoo.org>

 app-crypt/gnupg/Manifest            |   1 +
 app-crypt/gnupg/gnupg-2.2.19.ebuild | 152 ++++++++++++++++++++++++++++++++++++
 2 files changed, 153 insertions(+)
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-19 03:49:02 UTC
@maintainer(s), ok to cleanup?
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-20 15:49:28 UTC
(In reply to sam_c (Security Padawan) from comment #3)
> @maintainer(s), ok to cleanup?

Ignore me.

The vulnerability is fixed in <2.2.19, so @maintainer(s), are we ok to stabilise or call yourself if appropriate?
Comment 5 Agostino Sarubbo gentoo-dev 2020-03-21 16:19:35 UTC
s390 stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-03-21 16:20:32 UTC
sparc stable
Comment 7 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2020-03-21 16:33:45 UTC
amd64 stable
Comment 8 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2020-03-21 16:42:18 UTC
arm stable
Comment 9 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2020-03-21 16:42:53 UTC
arm64 stable
Comment 10 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2020-03-21 16:43:14 UTC
hppa stable
Comment 11 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2020-03-21 16:43:36 UTC
ia64 stable
Comment 12 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2020-03-21 16:43:57 UTC
ppc stable
Comment 13 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2020-03-21 16:44:15 UTC
ppc64 stable
Comment 14 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2020-03-21 16:44:36 UTC
x86 stable
Comment 15 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2020-03-21 16:47:27 UTC
GLSA vote: no.
Comment 16 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-21 16:53:18 UTC
(In reply to sam_c (Security Padawan) from comment #4)
> The vulnerability is fixed in <2.2.19, so @maintainer(s), are we ok to
> stabilise or call yourself if appropriate?

This is meant to say 'fixed in 2.2.19'.