| Package | gnupg2 |
|---|---|
| Version | 2.0.26-6+deb8u3 (jessie), 2.1.18-8~deb9u5 (stretch) |
| Related CVEs | CVE-2018-9234 CVE-2022-34903 |
CVE-2022-34903
Demi Marie Obenour discovered a flaw in GnuPG, allowing for signature
spoofing via arbitrary injection into the status line. An attacker who
controls the secret part of any signing-capable key or subkey in the
victim's keyring, can take advantage of this flaw to provide a
correctly-formed signature that some software, including gpgme, will
accept to have validity and signer fingerprint chosen from the attacker.
CVE-2018-9234
GnuPG does not enforce a configuration in which key certification requires an
offline master Certify key, which results in apparently valid certifications
that occurred only with access to a signing subkey.
For Debian 8 jessie, these problems have been fixed in version 2.0.26-6+deb8u3.
For Debian 9 stretch, these problems have been fixed in version 2.1.18-8~deb9u5.
We recommend that you upgrade your gnupg2 packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.