This bug was fixed in the package gnupg - 1.4.16-1ubuntu2.3

---------------
gnupg (1.4.16-1ubuntu2.3) trusty-security; urgency=medium

  * Screen responses from keyservers (LP: #1409117)
    - d/p/0001-Screen-keyserver-responses.patch
    - d/p/0002-Make-screening-of-keyserver-result-work-with-multi-k.patch
    - d/p/0003-Add-kbnode_t-for-easier-backporting.patch
    - d/p/0004-gpg-Fix-regression-due-to-the-keyserver-import-filte.patch
  * Fix large key size regression from CVE-2014-5270 changes (LP: #1371766)
    - d/p/Add-build-and-runtime-support-for-larger-RSA-key.patch
    - debian/rules: build with --enable-large-secmem
  * SECURITY UPDATE: sidechannel attack on Elgamal
    - debian/patches/CVE-2014-3591.patch: use ciphertext blinding in
      cipher/elgamal.c.
    - CVE-2014-3591
  * SECURITY UPDATE: sidechannel attack via timing variations in mpi_powm
    - debian/patches/CVE-2015-0837.patch: avoid timing variations in
      include/mpi.h, mpi/mpi-pow.c, mpi/mpiutil.c.
    - CVE-2015-0837
  * SECURITY UPDATE: invalid memory read via invalid keyring
    - debian/patches/CVE-2015-1606.patch: skip all packets not allowed in
      a keyring in g10/keyring.c.
    - CVE-2015-1606
  * SECURITY UPDATE: memcpy with overlapping ranges
    - debian/patches/CVE-2015-1607.patch: use inline functions to convert
      buffer data to scalars in g10/apdu.c, g10/app-openpgp.c,
      g10/build-packet.c, g10/ccid-driver.c, g10/getkey.c, g10/keygen.c,
      g10/keyid.c, g10/misc.c, g10/parse-packet.c, g10/tdbio.c,
      g10/trustdb.c, include/host2net.h.
    - CVE-2015-1607

 -- Marc Deslauriers <marc.deslauri...@ubuntu.com>  Fri, 27 Mar 2015 08:22:48 -0400

** Changed in: gnupg2 (Ubuntu Trusty)
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to gnupg in Ubuntu.
https://bugs.launchpad.net/bugs/1409117

Title:
  GPG does not verify keys received when using --recv-keys leaving
  communication with key servers vulnerable to MITM

Status in GNU Privacy Guard:
  Fix Released
Status in gnupg package in Ubuntu:
  Fix Released
Status in gnupg2 package in Ubuntu:
  Fix Released
Status in gnupg source package in Lucid:
  Confirmed
Status in gnupg2 source package in Lucid:
  Confirmed
Status in gnupg source package in Precise:
  Fix Released
Status in gnupg2 source package in Precise:
  Fix Released
Status in gnupg source package in Trusty:
  Fix Released
Status in gnupg2 source package in Trusty:
  Fix Released
Status in gnupg source package in Utopic:
  Fix Released
Status in gnupg2 source package in Utopic:
  Fix Released
Status in gnupg source package in Vivid:
  Fix Released
Status in gnupg2 source package in Vivid:
  Fix Released
Status in gnupg package in Debian:
  Fix Released

Bug description:
  The patch from http://bugs.gnupg.org/gnupg/issue1579 is critical and
  should be backported to 12.04; right now, it is not. This leaves 12.04
  users of GPG2 vulnerable to MITM attacks on gpg2 --recv-keys. See
  https://evil32.com/ for an example (the text that is struck out; the
  gpg2 package on 12.04 is still vulnerable).

To manage notifications about this bug go to:
https://bugs.launchpad.net/gnupg/+bug/1409117/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
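The "Screen responses from keyservers" change referenced in the changelog above makes gpg drop keys returned by a keyserver whose key ID or fingerprint does not match what --recv-keys asked for, instead of importing whatever the server (or a man-in-the-middle) sent back. The following is an added, stand-alone Python model of that screening step; it is not gnupg's code. It assumes OpenPGP v4 keys, where the 64-bit long key ID and the 32-bit short key ID are the trailing hex digits of the 160-bit fingerprint, so a request matches a key when the requested identifier is a suffix of the key's fingerprint. The three fingerprints are constructed for the example; the "colliding" one shares only the 32-bit short ID with the genuine key, which is exactly the situation evil32.com describes.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Key:
    """One key as returned by a keyserver: 40-hex-digit v4 fingerprint plus a user ID."""
    fingerprint: str
    uid: str


def normalize_keyid(requested: str) -> str:
    """Accept a short ID (8 hex), long ID (16 hex) or full fingerprint (40 hex),
    with or without a 0x prefix or spaces, and return it as uppercase hex."""
    k = requested.strip().replace(" ", "").upper()
    if k.startswith("0X"):
        k = k[2:]
    if len(k) not in (8, 16, 40) or any(c not in "0123456789ABCDEF" for c in k):
        raise ValueError(f"not a key ID or fingerprint: {requested!r}")
    return k


def matches(requested: str, key: Key) -> bool:
    """True if the requested identifier names this key.  For v4 keys the long and
    short key IDs are the low-order bits of the fingerprint, so a suffix compare
    covers all three request forms."""
    return key.fingerprint.upper().endswith(normalize_keyid(requested))


def screen_keyserver_response(requested: str, returned: list[Key]) -> tuple[list[Key], list[Key]]:
    """Split a keyserver response into the keys that may be imported and the keys
    that must be rejected because they were not asked for."""
    accepted = [k for k in returned if matches(requested, k)]
    rejected = [k for k in returned if not matches(requested, k)]
    return accepted, rejected


# Constructed sample data (not real keys).  GENUINE and COLLIDING share the
# 32-bit short ID CAFEF00D but differ in the long ID and fingerprint.
GENUINE = Key("0123456789ABCDEF0123456789ABCDEFCAFEF00D", "Alice <alice@example.org>")
COLLIDING = Key("FEDCBA9876543210FEDCBA9876543210CAFEF00D", "Alice <alice@example.org>")
UNRELATED = Key("00000000000000000000000000000000AAAAAAAA", "Mallory <mallory@example.net>")
RESPONSE = [GENUINE, COLLIDING, UNRELATED]


def screening_outcomes() -> dict[str, list[str]]:
    """Run the same tampered response through the three request forms and report
    which fingerprints each form lets through."""
    return {
        "short": [k.fingerprint for k in screen_keyserver_response("0xCAFEF00D", RESPONSE)[0]],
        "long": [k.fingerprint for k in screen_keyserver_response("0x89ABCDEFCAFEF00D", RESPONSE)[0]],
        "fingerprint": [k.fingerprint for k in screen_keyserver_response(GENUINE.fingerprint, RESPONSE)[0]],
    }


if __name__ == "__main__":
    for form, fprs in screening_outcomes().items():
        print(f"request by {form:11s} -> imports {len(fprs)} key(s): {fprs}")
```

Screening rejects the unrelated key in every case, which is the point of the fix: a server can no longer slip arbitrary keys into the import. It cannot, however, tell a short-ID collision apart from the genuine key, because both really do match the 32-bit request; only a request by long ID or, better, full fingerprint imports exactly one key. The practical rule remains to pass the full fingerprint to --recv-keys and to compare the imported fingerprint against one obtained out of band.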