Your message dated Wed, 16 Mar 2022 22:47:23 +0000
with message-id <[email protected]>
and subject line Bug#1005921: fixed in php-crypt-gpg 1.6.4-2+deb11u1
has caused the Debian Bug report #1005921,
regarding CVE-2022-24953: Crypt_GPG <1.6.7 does not prevent additional options in GPG calls
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1005921: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005921
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: php-crypt-gpg
Version: 1.6.6-1
Severity: important
Tags: security upstream
Control: found -1 1.6.4-2
Control: found -1 1.6.6-1

Crypt_GPG upstream recently published for CVE-2022-24953: “The Crypt_GPG
extension before 1.6.7 for PHP does not prevent additional options in
GPG calls, which presents a risk for certain environments and GPG
versions.”

The fix is trivial:
https://github.com/pear/Crypt_GPG/commit/74c8f989cefbe0887274b461dc56197e121bfd04 .
Dunno if that warrants a DSA, but I'll prepare & test a debdiff for
bullseye-security or s-p-u.

-- 
Guilhem.



--- End Message ---
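As an added illustration of the class of problem the CVE names (this is not code from Crypt_GPG, and not the change in the linked upstream commit, which is the authoritative fix): a PHP guard that refuses key identifiers gpg would parse as command-line options before they reach the command line. The function names, the sample fingerprint and the file name are constructed for this example.

```php
<?php
// Added illustration, not Crypt_GPG's code and not the upstream fix:
// a guard for caller-supplied key identifiers before they are placed on
// a gpg command line. Function names are hypothetical.

/**
 * Reject a key identifier that gpg would parse as a command-line option.
 * Any argument starting with '-' is an option to gpg, so a value such as
 * "--armor" handed in where a fingerprint was expected would add an option
 * to the call instead of naming a key.
 */
function assertSafeKeyId(string $keyId): string
{
    if ($keyId === '' || $keyId[0] === '-') {
        throw new InvalidArgumentException(
            'Key identifier must not be empty or start with "-": ' . $keyId
        );
    }
    // Control characters (newline, NUL, ...) never belong in a key id,
    // user id or e-mail address; refuse them outright.
    if (preg_match('/[\x00-\x1f\x7f]/', $keyId) === 1) {
        throw new InvalidArgumentException('Key identifier contains control characters');
    }
    return $keyId;
}

/**
 * Build a gpg command line from a fixed option list and validated key ids.
 * Options come only from the application, never from caller input; key ids
 * pass through assertSafeKeyId() and are shell-escaped. The "--" separator
 * ends option parsing so the trailing file operand is never read as an option.
 */
function buildGpgCommand(string $gpgBinary, array $recipientKeyIds, string $inputFile): string
{
    $argv = [escapeshellcmd($gpgBinary), '--batch', '--encrypt'];
    foreach ($recipientKeyIds as $keyId) {
        $argv[] = '--recipient';
        $argv[] = escapeshellarg(assertSafeKeyId($keyId));
    }
    $argv[] = '--';
    $argv[] = escapeshellarg($inputFile);
    return implode(' ', $argv);
}

// Constructed sample inputs: a fingerprint-shaped value is accepted, an
// option-shaped value is refused before any process is spawned.
echo buildGpgCommand('/usr/bin/gpg', ['0123456789ABCDEF0123456789ABCDEF01234567'], 'report.txt'), PHP_EOL;
try {
    buildGpgCommand('/usr/bin/gpg', ['--armor'], 'report.txt');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The check runs before the process is spawned, so a rejected value leaves an exception in the application log rather than an unexpected option in the gpg invocation; the `--` separator covers only positional operands, which is why option arguments such as recipients still need the explicit validation.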
--- Begin Message ---
Source: php-crypt-gpg
Source-Version: 1.6.4-2+deb11u1
Done: Guilhem Moulin <[email protected]>

We believe that the bug you reported is fixed in the latest version of
php-crypt-gpg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guilhem Moulin <[email protected]> (supplier of updated php-crypt-gpg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 18 Feb 2022 22:17:29 +0100
Source: php-crypt-gpg
Architecture: source
Version: 1.6.4-2+deb11u1
Distribution: bullseye
Urgency: high
Maintainer: Debian PHP PEAR Maintainers <[email protected]>
Changed-By: Guilhem Moulin <[email protected]>
Closes: 1005921
Changes:
 php-crypt-gpg (1.6.4-2+deb11u1) bullseye; urgency=high
 .
   * Backport fix for CVE-2022-24953: Crypt_GPG <1.6.7 does not prevent
     additional options in GPG calls, which presents a risk for certain
     environments and GPG versions. (Closes: #1005921)
   * d/gbp.conf, d/salsa-ci.yml: Target Bullseye release.
Checksums-Sha1:
 2c08d3fd2d7d3913ff3575cef83e07ccc9aab9ab 2279 php-crypt-gpg_1.6.4-2+deb11u1.dsc
 67d3095370504326fe829dd46ef18147910e999a 13180 php-crypt-gpg_1.6.4-2+deb11u1.debian.tar.xz
 4e3b40ac2f168e92514fb9cf9ef80a87af254279 8320 php-crypt-gpg_1.6.4-2+deb11u1_amd64.buildinfo
Checksums-Sha256:
 3e5e1dbe8253562560ccb3d4cae725f51c3605170793ee24d683a352e1687daa 2279 php-crypt-gpg_1.6.4-2+deb11u1.dsc
 3150d2f2a66028aa1d02f14175516f888358c2dc04f4f749aae59c547df00ff4 13180 php-crypt-gpg_1.6.4-2+deb11u1.debian.tar.xz
 8d222d058fef991fc51aa824aa81aaa3584cdf0209d44bb8a1261790c8c36cd1 8320 php-crypt-gpg_1.6.4-2+deb11u1_amd64.buildinfo
Files:
 0362f81670e670301c8f1aee493fe53f 2279 php optional php-crypt-gpg_1.6.4-2+deb11u1.dsc
 9ea37c0080db61fdc62d4ba08f4cb3ae 13180 php optional php-crypt-gpg_1.6.4-2+deb11u1.debian.tar.xz
 a3bc1e0a168968014166ab3cf277d753 8320 php optional php-crypt-gpg_1.6.4-2+deb11u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
=MND6
-----END PGP SIGNATURE-----

--- End Message ---
