-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 - ----------------------------------------------------------------------- Debian LTS Advisory DLA-2862-1 debian-...@lists.debian.org https://www.debian.org/lts/security/ Utkarsh Gupta December 29, 2021 https://wiki.debian.org/LTS - -----------------------------------------------------------------------
Package : python-gnupg Version : 0.3.9-1+deb9u1 CVE ID : CVE-2018-12020 CVE-2019-6690 A couple of vulnerabilites were found in python-gnupg, a Python wrapper for the GNU Privacy Guard. CVE-2018-12020 Marcus Brinkmann discovered that GnuPG before 2.2.8 improperly handled certain command line parameters. A remote attacker could use this to spoof the output of GnuPG and cause unsigned e-mail to appear signed. CVE-2019-6690 It was discovered that python-gnupg incorrectly handled the GPG passphrase. A remote attacker could send a specially crafted passphrase that would allow them to control the output of encryption and decryption operations. For Debian 9 stretch, these problems have been fixed in version 0.3.9-1+deb9u1. We recommend that you upgrade your python-gnupg packages. For the detailed security status of python-gnupg please refer to its security tracker page at: https://security-tracker.debian.org/tracker/python-gnupg Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEbJ0QSEqa5Mw4X3xxgj6WdgbDS5YFAmHLfW0ACgkQgj6WdgbD S5Y69Q/+MH4ZaPk7ejpyET1B4eGcbs9MO8mQujHlJuYGQJnbS6bD9W6U64+26859 YE8ymF6ljhDaXpAXKhZIUdvGlkKpy87R0jPEVlsHxcti6Vy58imzKiUNpFCtRnLV nRMz04P8OZ91yRjbERFyGKh2Ckdlc9VlKC2Th2i3tgk0p3Z8/keZee+XzQvSuosJ ygoGay3oee8IS350XgEz5rkpFVWmgEGFT2Ni1iDKneyxUVHFxeV/owp/HaLHO5Mw 8DI8E2fViTyFRn85c31asHzXdPaUBKpWaVu4kh3Es1tq5/vqaNWodANR1zItMfy/ C6uRfzZhnQhETZvPAqaEMMafNo3h4+8pCRMhjI9NEj9C2Toryf+2AP36wXdXxH9N d5E8yApLI7jkfiNR06VrYkepgsjzar4PXHnSIbQ/NJNP3PDGjjz4OHS2QwXX8eAC UeqIFsBaWQXOM/vzhQQKU5tRn57Kwy4379M+Z/wdHpcMhiWTD68OPhvelxJO9pPh j7Tt7bAqruOe4o0XaIQ5aSLNC2vu3JyZIgGEMK1Skwqna/Alw+3WzK8P+XqIbIii y1s7EYMrPYOLXAlyYKDBlUaS+s1fZOA+x2IPHVd3jv4MNfl6Fz6kRDzvjI0qmm5p 8vkUgT50cAedICGmkUMB/RS7t6KiP2viM78ke+3Bg9bfl835b1Q= =ocnN -----END PGP SIGNATURE-----