On Mon, Aug 04, 2025 at 09:43:36PM +0200, Salvatore Bonaccorso wrote:
> Source: hplip
> Version: 3.22.10+dfsg0-8.1
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
> 
> Hi,
> 
> The following vulnerability was published for hplip.
> 
> CVE-2025-43023[0]:
> | A potential security vulnerability has been identified in the HP
> | Linux Imaging and Printing Software documentation. This potential
> | vulnerability is due to the use of a weak code signing key, Digital
> | Signature Algorithm (DSA).
> 
> There is not much information at this time, the upstream advisory [1]
> might indicate it is fixed in 3.25.2.
>...
This might not even be a vulnerability in the software.

https://developers.hp.com/hp-linux-imaging-and-printing/hplipDigitalCertificate.html

HPLIP Version: 3.25.2 and above

HPLIP has implemented a process so you (the user) can optionally verify
that the package you are downloading is, indeed, provided by the HP Linux
Imaging and Printing project and has valid contents. The process to verify
the package is simple and takes only a few moments. The steps are provided
in detail below.
...
gpg --import hplip-publickey.asc
...
gpg --verify hplip-version.run.asc hplip-<version>.run

https://sourceforge.net/projects/hplip/files/hplip/3.24.4/

$ gpg --verify hplip-3.24.4.run.asc
gpg: assuming signed data in 'hplip-3.24.4.run'
gpg: Signature made Wed 22 May 2024 07:42:57 EEST
gpg: using DSA key 4ABA2F66DBD5A95894910E0673D770CDA59047B9
gpg: Good signature from "HPLIP (HP Linux Imaging and Printing) <[email protected]>" [unknown]

https://sourceforge.net/projects/hplip/files/hplip/3.25.2/

$ gpg --verify hplip-3.25.2.run.asc
gpg: assuming signed data in 'hplip-3.25.2.run'
gpg: Signature made Thu 10 Jul 2025 13:12:30 EEST
gpg: using RSA key 5E4E4D24A34ECD57
gpg: Good signature from "HPLIP (HP Linux Imaging and Printing) <[email protected]>" [unknown]

> Regards,
> Salvatore

cu
Adrian
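As an added example (not part of this thread and not HPLIP's own tooling), the observation above made mechanical: parse the machine-readable output of gpg --status-fd 1 --verify and accept a package only when the signature is good and the signing key's algorithm is not DSA. The reject-DSA policy and the sample status lines are assumptions constructed here; only the DSA fingerprint is taken from the page.

```python
import re

# OpenPGP public-key algorithm IDs as gpg reports them in VALIDSIG field 7
# (RFC 4880 section 9.1; 22 = EdDSA as used by GnuPG).
PUBKEY_ALGOS = {1: "RSA", 3: "RSA-S", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}
WEAK_ALGOS = {"DSA"}  # policy assumed for this example: no DSA-signed packages
STATUS_RE = re.compile(r"^\[GNUPG:\] (\w+)(?: (.*))?$")

def parse_status(lines):
    """Yield (keyword, args) from 'gpg --status-fd 1' output; skip other lines."""
    for line in lines:
        m = STATUS_RE.match(line.rstrip("\n"))
        if m:
            yield m.group(1), (m.group(2) or "").split()

def classify_verification(lines):
    """Accept only a GOODSIG+VALIDSIG result whose key algorithm is not weak."""
    result = {"good": False, "fingerprint": None, "algo": None, "accept": False}
    for kw, args in parse_status(lines):
        if kw == "GOODSIG":
            result["good"] = True
        elif kw in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"):
            return result  # hard failure: never accept, whatever follows
        elif kw == "VALIDSIG" and len(args) >= 8:
            result["fingerprint"] = args[0]
            result["algo"] = PUBKEY_ALGOS.get(int(args[6]), "algo" + args[6])
    result["accept"] = (result["good"] and result["algo"] is not None
                        and result["algo"] not in WEAK_ALGOS)
    return result

# Constructed status output mirroring the two runs above. The DSA fingerprint
# is the one on the page; the RSA fingerprint is a zero-padded placeholder
# built from the long key ID, and the dates/timestamps are made up.
SAMPLE_3_24_4 = [
    "[GNUPG:] GOODSIG 73D770CDA59047B9 HPLIP (HP Linux Imaging and Printing)",
    "[GNUPG:] VALIDSIG 4ABA2F66DBD5A95894910E0673D770CDA59047B9 2024-05-22 "
    "1716353000 0 4 0 17 8 00 4ABA2F66DBD5A95894910E0673D770CDA59047B9",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
SAMPLE_3_25_2 = [
    "[GNUPG:] GOODSIG 5E4E4D24A34ECD57 HPLIP (HP Linux Imaging and Printing)",
    "[GNUPG:] VALIDSIG 0000000000000000000000005E4E4D24A34ECD57 2025-07-10 "
    "1752142000 0 4 0 1 8 00 0000000000000000000000005E4E4D24A34ECD57",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
```

Feed the real output of gpg --status-fd 1 --verify hplip-<version>.run.asc hplip-<version>.run to classify_verification(); the human-readable "gpg: using DSA key ..." line is ignored, only the status lines are read.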
