Security Information / 2014 / Security Information -- DSA-3024-1 gnupg

Debian Security Advisory

DSA-3024-1 gnupg -- security update

Date Reported:

11 Sep 2014

Affected Packages:

gnupg

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 725411.
In Mitre's CVE dictionary: CVE-2014-5270.

More information:

Genkin, Pipman and Tromer discovered a side-channel attack on Elgamal encryption subkeys (CVE-2014-5270).

In addition, this update hardens GnuPG's behaviour when treating keyserver responses; GnuPG now filters keyserver responses to only accepts those keyid's actually requested by the user.

For the stable distribution (wheezy), this problem has been fixed in version 1.4.12-7+deb7u6.

For the testing (jessie) and unstable distribution (sid), this problem has been fixed in version 1.4.18-4.

We recommend that you upgrade your gnupg packages.