Bug#894983: gnupg2: CVE-2018-9234: Able to certify public keys without a certify key present when using smartcard

2018-04-05 Thread Salvatore Bonaccorso
Source: gnupg2
Version: 2.2.5-1
Severity: important
Tags: security upstream
Forwarded: https://dev.gnupg.org/T3844

Hi,

The following vulnerability was published for gnupg2:

CVE-2018-9234[0]:
| GnuPG 2.2.4 and 2.2.5 does not enforce a configuration in which key
| certification requires an offline

2018-04-05 Thread NIIBE Yutaka
Hello,

Thank you for the bug report.

Salvatore Bonaccorso wrote:
> The following vulnerability was published for gnupg2:

Vulnerability? ... well, a kind of. Given this is escalated to CVE, I considered and evaluated the problem again. I think that we need to fix the checking of signature by a

2018-04-06 Thread Werner Koch
On Thu, 5 Apr 2018 22:49, car...@debian.org said:

> CVE-2018-9234[0]:
> | GnuPG 2.2.4 and 2.2.5 does not enforce a configuration in which key
> | certification requires an offline master Certify key, which results in
> | apparently valid certifications that occurred only with access to a
> | sign