Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 701616 (CVE-2019-14855) - <app-crypt/gnupg-2.2.19: WoT forgeries using SHA-1 (CVE-2019-14855)
Summary: <app-crypt/gnupg-2.2.19: WoT forgeries using SHA-1 (CVE-2019-14855)
Status: RESOLVED FIXED
Alias: CVE-2019-14855
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: https://lists.gnupg.org/pipermail/gnu...
Whiteboard: A4 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-12-01 00:48 UTC by Michael 'veremitz' Everitt
Modified: 2020-03-21 16:53 UTC (History)
2 users (show)

See Also:
Package list:
app-crypt/gnupg-2.2.19
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Michael 'veremitz' Everitt 2019-12-01 00:48:59 UTC
Version 2.2.18 of gnupg is now available.

See https://lists.gnupg.org/pipermail/gnupg-announce/2019q4/000442.html for details.
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2019-12-02 12:47:20 UTC
Yes, I've been waiting a bit on this to see if a quick fix is added for https://lists.gnupg.org/pipermail/gnupg-devel/2019-November/034487.html , but will likely bump it anyways later this week.
Comment 2 Larry the Git Cow gentoo-dev 2019-12-13 19:16:27 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5d39c36648f20fe75f0bbaf907bdc0b0bb48c7f5

commit 5d39c36648f20fe75f0bbaf907bdc0b0bb48c7f5
Author:     Kristian Fiskerstrand <k_f@gentoo.org>
AuthorDate: 2019-12-13 19:16:03 +0000
Commit:     Kristian Fiskerstrand <k_f@gentoo.org>
CommitDate: 2019-12-13 19:16:18 +0000

    app-crypt/gnupg: New upstream version 2.2.19
    
    Bug: https://bugs.gentoo.org/701616
    Package-Manager: Portage-2.3.79, Repoman-2.3.16
    Signed-off-by: Kristian Fiskerstrand <k_f@gentoo.org>

 app-crypt/gnupg/Manifest            |   1 +
 app-crypt/gnupg/gnupg-2.2.19.ebuild | 152 ++++++++++++++++++++++++++++++++++++
 2 files changed, 153 insertions(+)
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-19 03:49:02 UTC
@maintainer(s), ok to cleanup?
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-20 15:49:28 UTC
(In reply to sam_c (Security Padawan) from comment #3)
> @maintainer(s), ok to cleanup?

Ignore me.

The vulnerability is fixed in <2.2.19, so @maintainer(s), are we ok to stabilise or call yourself if appropriate?
Comment 5 Agostino Sarubbo gentoo-dev 2020-03-21 16:19:35 UTC
s390 stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-03-21 16:20:32 UTC
sparc stable
Comment 7 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2020-03-21 16:33:45 UTC
amd64 stable
Comment 8 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2020-03-21 16:42:18 UTC
arm stable
Comment 9 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2020-03-21 16:42:53 UTC
arm64 stable
Comment 10 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2020-03-21 16:43:14 UTC
hppa stable
Comment 11 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2020-03-21 16:43:36 UTC
ia64 stable
Comment 12 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2020-03-21 16:43:57 UTC
ppc stable
Comment 13 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2020-03-21 16:44:15 UTC
ppc64 stable
Comment 14 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2020-03-21 16:44:36 UTC
x86 stable
Comment 15 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2020-03-21 16:47:27 UTC
GLSA vote: no.
Comment 16 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-21 16:53:18 UTC
(In reply to sam_c (Security Padawan) from comment #4)
> The vulnerability is fixed in <2.2.19, so @maintainer(s), are we ok to
> stabilise or call yourself if appropriate?

This is meant to say 'fixed in 2.2.19.