[SECURITY] [DLA 2862-1] python-gnupg security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 2862-1] python-gnupg security update
From: Utkarsh Gupta <utkarsh@debian.org>
Date: Wed, 29 Dec 2021 02:43:26 +0530
Message-id: <[🔎] CAPP0f96aZPgFVsRFB7X0YAPJROwtSsFK2PPFYoE57+pynCMpzw@mail.gmail.com>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -----------------------------------------------------------------------
Debian LTS Advisory DLA-2862-1              debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Utkarsh Gupta
December 29, 2021                           https://wiki.debian.org/LTS
- -----------------------------------------------------------------------

Package        : python-gnupg
Version        : 0.3.9-1+deb9u1
CVE ID         : CVE-2018-12020 CVE-2019-6690

A couple of vulnerabilites were found in python-gnupg, a Python
wrapper for the GNU Privacy Guard.

CVE-2018-12020

    Marcus Brinkmann discovered that GnuPG before 2.2.8 improperly
    handled certain command line parameters. A remote attacker
    could use this to spoof the output of GnuPG and cause unsigned
    e-mail to appear signed.

CVE-2019-6690

    It was discovered that python-gnupg incorrectly handled the GPG
    passphrase. A remote attacker could send a specially crafted
    passphrase that would allow them to control the output of
    encryption and decryption operations.

For Debian 9 stretch, these problems have been fixed in version
0.3.9-1+deb9u1.

We recommend that you upgrade your python-gnupg packages.

For the detailed security status of python-gnupg please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-gnupg

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEbJ0QSEqa5Mw4X3xxgj6WdgbDS5YFAmHLfW0ACgkQgj6WdgbD
S5Y69Q/+MH4ZaPk7ejpyET1B4eGcbs9MO8mQujHlJuYGQJnbS6bD9W6U64+26859
YE8ymF6ljhDaXpAXKhZIUdvGlkKpy87R0jPEVlsHxcti6Vy58imzKiUNpFCtRnLV
nRMz04P8OZ91yRjbERFyGKh2Ckdlc9VlKC2Th2i3tgk0p3Z8/keZee+XzQvSuosJ
ygoGay3oee8IS350XgEz5rkpFVWmgEGFT2Ni1iDKneyxUVHFxeV/owp/HaLHO5Mw
8DI8E2fViTyFRn85c31asHzXdPaUBKpWaVu4kh3Es1tq5/vqaNWodANR1zItMfy/
C6uRfzZhnQhETZvPAqaEMMafNo3h4+8pCRMhjI9NEj9C2Toryf+2AP36wXdXxH9N
d5E8yApLI7jkfiNR06VrYkepgsjzar4PXHnSIbQ/NJNP3PDGjjz4OHS2QwXX8eAC
UeqIFsBaWQXOM/vzhQQKU5tRn57Kwy4379M+Z/wdHpcMhiWTD68OPhvelxJO9pPh
j7Tt7bAqruOe4o0XaIQ5aSLNC2vu3JyZIgGEMK1Skwqna/Alw+3WzK8P+XqIbIii
y1s7EYMrPYOLXAlyYKDBlUaS+s1fZOA+x2IPHVd3jv4MNfl6Fz6kRDzvjI0qmm5p
8vkUgT50cAedICGmkUMB/RS7t6KiP2viM78ke+3Bg9bfl835b1Q=
=ocnN
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 2861-1] rdflib security update
Next by Date: [SECURITY] [DLA 2864-1] ruby-haml security update
Previous by thread: [SECURITY] [DLA 2861-1] rdflib security update
Next by thread: [SECURITY] [DLA 2864-1] ruby-haml security update
Index(es):
- Date
- Thread