#716 ✓verified
Sierk

update to gpg 2.2.8

Reported by Sierk | June 8th, 2018 @ 11:40 PM | in 2.2.8

Noteworthy changes in version 2.2.8 (CVE-2018-12020), 2018-06-08

  • gpg: Decryption of messages not using the MDC mode will now lead to a hard failure even if a legacy cipher algorithm was used. The option --ignore-mdc-error can be used to turn this failure into a warning. Take care: Never use that option unconditionally or without a prior warning.

  • gpg: The MDC encryption mode is now always used regardless of the cipher algorithm or any preferences. For testing --rfc2440 can be used to create a message without an MDC.

  • gpg: Sanitize the diagnostic output of the original file name in verbose mode. [#4012,CVE-2018-12020]

  • gpg: Detect suspicious multiple plaintext packets in a more reliable way. [#4000]

  • gpg: Fix the duplicate key signature detection code. [#3994]

  • gpg: The options --no-mdc-warn, --force-mdc, --no-force-mdc, --disable-mdc and --no-disable-mdc have no more effect.

  • agent: Add DBUS_SESSION_BUS_ADDRESS and a few other envvars to the list of startup environment variables. [#3947]

See also:

https://gnupg.org/#sec-3-1:

GnuPG 2.2.8 released (2018-06-08) IMPORTANT

This version fixes a critical security bug. Either this version or a vendor provided fix should be installed. There are also a few other changes; see the announcement mail. This is CVE-2018-12020 and our bug #4012.

and

[gnupg-announce] mailing list, Fri Jun 8 15:40:55 CEST 2018: [Announce] [security fix] GnuPG 2.2.8 released (CVE-2018-12020) https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html

Additional info incl. POCs:

NeoPG Blog (Marcus Brinkmann), 2018-06-13: SigSpoof: Spoofing signatures in GnuPG, Enigmail, GPGTools and python-gnupg (CVE-2018-12020)
https://neopg.io/blog/gpg-signature-spoof/
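
An added example, not part of the ticket or of GnuPG's own code: a small audit that applies the release notes above to a host, flagging a gpg binary older than 2.2.8 and gpg.conf lines that relax MDC handling or name options that no longer have any effect. The function names, the findings format and the sample input are assumptions made for illustration.

```python
import re

# "Have no more effect" per the 2.2.8 notes: stale lines that can be deleted.
NO_EFFECT = {"no-mdc-warn", "force-mdc", "no-force-mdc",
             "disable-mdc", "no-disable-mdc"}
# Options the notes describe as relaxing or skipping MDC protection.
RISKY = {
    "ignore-mdc-error": "downgrades the MDC hard failure to a warning",
    "rfc2440": "creates messages without an MDC (testing only)",
}
FIXED_IN = (2, 2, 8)


def parse_version(banner):
    """Return (major, minor, patch) from the first line of `gpg --version`."""
    m = re.search(r"\(GnuPG\)\s+(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("unrecognised gpg version banner")
    return tuple(int(part) for part in m.groups())


def audit(banner, conf_text):
    """Return findings as (line_number, option, note); line 0 is the binary."""
    findings = []
    version = parse_version(banner)
    if version < FIXED_IN:
        findings.append((0, "version", "%d.%d.%d is older than 2.2.8: install "
                         "2.2.8 or confirm a vendor fix" % version))
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Assumption: tolerate a leading "--" in front of the option name.
        option = line.split()[0].lstrip("-").lower()
        if option in RISKY:
            findings.append((lineno, option, RISKY[option]))
        elif option in NO_EFFECT:
            findings.append((lineno, option, "no effect since 2.2.8; remove"))
    return findings


if __name__ == "__main__":
    # Constructed sample input, not taken from a real system.
    sample_banner = "gpg (GnuPG) 2.2.7"
    sample_conf = "# sample\nforce-mdc\nignore-mdc-error\nverbose\n"
    for finding in audit(sample_banner, sample_conf):
        print(finding)
```

A version finding on a distribution package is a prompt to check the vendor changelog for a backported fix, since the announcement accepts either 2.2.8 or a vendor-provided fix.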
