-
gnupg2 (2.0.22-3ubuntu1.4) trusty-security; urgency=medium
* SECURITY UPDATE: missing sanitization of verbose output
- debian/patches/CVE-2018-12020.patch: Sanitize diagnostic with
the original file name.
- CVE-2018-12020
-- Steve Beattie <email address hidden> Thu, 14 Jun 2018 11:05:25 -0700
-
gnupg2 (2.0.22-3ubuntu1.3) trusty-security; urgency=medium
* Screen responses from keyservers (LP: #1409117)
- d/p/0001-Screen-keyserver-responses.patch
- d/p/0002-Make-screening-of-keyserver-result-work-with-multi-k.patch
- d/p/0003-Add-kbnode_t-for-easier-backporting.patch
- d/p/0004-gpg-Fix-regression-due-to-the-keyserver-import-filte.patch
* Fix large key size regression from CVE-2014-5270 changes (LP: #1371766)
- d/p/Add-build-and-runtime-support-for-larger-RSA-key.patch
- debian/rules: build with --enable-large-secmem
* SECURITY UPDATE: invalid memory read via invalid keyring
- debian/patches/CVE-2015-1606.patch: skip all packets not allowed in
a keyring in g10/keyring.c.
- CVE-2015-1606
* SECURITY UPDATE: memcpy with overlapping ranges
- debian/patches/CVE-2015-1607.patch: use inline functions to convert
buffer data to scalars in common/iobuf.c, g10/build-packet.c,
g10/getkey.c, g10/keyid.c, g10/main.h, g10/misc.c,
g10/parse-packet.c, g10/tdbio.c, g10/trustdb.c, include/host2net.h,
kbx/keybox-dump.c, kbx/keybox-openpgp.c, kbx/keybox-search.c,
kbx/keybox-update.c, scd/apdu.c, scd/app-openpgp.c,
scd/ccid-driver.c, scd/pcsc-wrapper.c, tools/ccidmon.c.
- CVE-2015-1607
-- Marc Deslauriers <email address hidden> Fri, 27 Mar 2015 08:18:55 -0400
-
gnupg2 (2.0.22-3ubuntu1.1) trusty-security; urgency=medium
* SECURITY UPDATE: denial of service via uncompressing garbled packets
- debian/patches/CVE-2014-4617.patch: limit number of extra bytes in
g10/compress.c.
- CVE-2014-4617
-- Marc Deslauriers <email address hidden> Thu, 26 Jun 2014 09:18:35 -0400
-
gnupg2 (2.0.22-3ubuntu1) trusty; urgency=medium
* Merge from Debian, remaining changes:
- Drop sh prefix from openpgp test environment as it leads to exec
invocations of sh /bin/bash leading to syntax errors from sh. Fixes
FTBFS detected in Ubuntu saucy archive rebuild.
- Add udev rules to give gpg access to some smartcard readers;
Debian #543217.
- debian/gnupg2.udev: udev rules to set ACLs on SCM smartcard readers.
- Add upstart user job for gpg-agent.
gnupg2 (2.0.22-3) unstable; urgency=low
* debian/watch, debian/upstream-signing-key.pgp: Add upstream signing
key for uscan verification.
* debian/kbxutil.1, debian/rules: Add better description and regenerate
the manpage.
* debian/control: Remove version on gpg-idea conflict, add missing
Breaks for gpgsm and convert Conflicts to Breaks for gpgv2.
* debian/control: Move gnupg-agent to Depends for gpgsm instead of
Replaces (which in turn should have been Recommends).
* debian/control: Standards-Version to 3.9.5.
* debian/copyright: Switch to a shiny DEP-5 copyright file.
gnupg2 (2.0.22-2) unstable; urgency=low
* debian/control: Fix Build-Conflicts on newer automakes. Thanks Chris
Boot. (Closes: #726015)
* debian/control: IDEA is no longer patented, drop its mention from the
description. Thanks brian m. carlson. (Closes: #726139)
* debian/rules: Disable the test suite on mips and mipsel to work around
Bug:#730846.
-- Dimitri John Ledkov <email address hidden> Wed, 19 Feb 2014 15:08:39 +0000
-
gnupg2 (2.0.22-1ubuntu1) trusty; urgency=low
* Merge from Debian, remaining changes:
- Drop sh prefix from openpgp test environment as it leads to exec
invocations of sh /bin/bash leading to syntax errors from sh. Fixes
FTBFS detected in Ubuntu saucy archive rebuild.
- Add udev rules to give gpg access to some smartcard readers;
Debian #543217.
- debian/gnupg2.udev: udev rules to set ACLs on SCM smartcard readers.
- Add upstart user job for gpg-agent.
gnupg2 (2.0.22-1) unstable; urgency=low
* New upstream version. Fixes CVE-2013-4402 and CVE-2013-4351. (Closes:
#725433, #722724)
* debian/gnupg2.install: Install gnupg-card-architecture.png for the
info file.
gnupg2 (2.0.21-2) unstable; urgency=low
* debian/rules, debian/gnupg2.install: Switch libexecdir to
/usr/lib/gnupg2 to install helper binaries to a non-multiarch specific
location. (Closes: #717303)
* debian/control, debian/gpgv2.install: Split out gpgv2 into its own
package.
* debian/control, debian/gnupg2.install, debian/kbxutil.1: Add rule and
manpage for kbxutil using help2man. (Closes: #323494)
* debian/patches/02-gpgv2-dont-link-libassuan.diff: Don't link gpgv2
against libassuan as it's not used.
* debian/rules: Install changelog for gpgv2.
gnupg2 (2.0.21-1) unstable; urgency=low
* New upstream release. (Closes: #613465, #720369)
* debian/patches/01-gnupg2-rename.diff: Refresh patch.
* debian/control: Fix Vcs-Git path.
* debian/control: Now depends on libgpg-error >= 1.11.
* debian/control: Build-Depends on automake1.11 since the test suite
fails on newer versions. (Closes: #713287)
* debian/control: Also need a Build-Conflicts on automake (<= 1.12).
-- Dmitrijs Ledkovs <email address hidden> Fri, 01 Nov 2013 22:15:05 +0000
-
gnupg2 (2.0.20-1ubuntu3) saucy; urgency=low
* SECURITY UPDATE: incorrect no-usage-permitted flag handling
- debian/patches/CVE-2013-4351.patch: correctly handle empty key flags
in g10/getkey.c, g10/keygen.c, include/cipher.h.
- CVE-2013-4351
* SECURITY UPDATE: denial of service via infinite recursion
- debian/patches/CVE-2013-4402.patch: set limits on number of filters
and nested packets in common/iobuf.c, g10/mainproc.c.
- CVE-2013-4402
-- Marc Deslauriers <email address hidden> Mon, 07 Oct 2013 15:38:03 -0400