SUSE-SU-2014:0750-1: moderate: Security update for gpg2
sle-security-updates at lists.suse.com
Tue Jun 3 17:04:13 MDT 2014
SUSE Security Update: Security update for gpg2
______________________________________________________________________________
Announcement ID: SUSE-SU-2014:0750-1
Rating: moderate
References: #778723 #780943 #798465 #808958 #840510 #844175
Affected Products:
SUSE Linux Enterprise Server 11 SP1 LTSS
______________________________________________________________________________
An update that contains security fixes can now be installed.
Description:
This is a SLES 11 SP1 LTSS rollup update for gpg2.
The following security issues have been fixed:
* CVE-2013-4402: The compressed packet parser in GnuPG allowed remote
attackers to cause a denial of service (infinite recursion) via a
crafted OpenPGP message.
* CVE-2013-4351: GnuPG treated a key flags subpacket with all bits
cleared (no usage permitted) as if it had all bits set (all usage
permitted), which might have allowed remote attackers to bypass
intended cryptographic protection mechanisms by leveraging the
subkey.
* CVE-2012-6085: The read_block function in g10/import.c in GnuPG,
when importing a key, allowed remote attackers to corrupt the public
keyring database or cause a denial of service (application crash)
via a crafted length field of an OpenPGP packet.
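The failure class behind CVE-2013-4351, shown as a simplified model. This is an added example, not GnuPG's code or part of the original advisory: the function names, ALGO_DEFAULT and the fallback logic are assumptions made for illustration, and only the key flag bit values are taken from RFC 4880.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Usage bits in the first octet of the Key Flags subpacket (RFC 4880). */
#define KF_CERTIFY 0x01
#define KF_SIGN    0x02
#define KF_ENCRYPT 0x0C /* 0x04 communications | 0x08 storage */
#define KF_AUTH    0x20
#define KF_MASK    (KF_CERTIFY | KF_SIGN | KF_ENCRYPT | KF_AUTH)
/* Hypothetical fallback: everything the key algorithm could do. */
#define ALGO_DEFAULT KF_MASK

/* Flawed model: 0 doubles as "no subpacket seen", so an explicit
 * all-zero flags octet is indistinguishable from a missing subpacket
 * and falls through to the permissive default. */
unsigned usage_flawed(const uint8_t *flags, size_t len)
{
    unsigned usage = 0;
    if (flags && len > 0)
        usage = flags[0] & KF_MASK;
    return usage ? usage : ALGO_DEFAULT;
}

/* Hardened model: absence and emptiness are separate states. */
unsigned usage_hardened(const uint8_t *flags, size_t len)
{
    if (!flags)
        return ALGO_DEFAULT;       /* subpacket absent: use defaults */
    if (len == 0)
        return 0;                  /* present but empty: no usage */
    return flags[0] & KF_MASK;     /* may legitimately be 0 */
}

/* Policy check a caller makes before using a subkey for `wanted`. */
int may_use(unsigned usage, unsigned wanted)
{
    return (usage & wanted) != 0;
}

int main(void)
{
    const uint8_t cleared[1] = { 0x00 }; /* constructed sample: all bits cleared */
    printf("flawed:   encrypt allowed = %d\n", may_use(usage_flawed(cleared, 1), KF_ENCRYPT));
    printf("hardened: encrypt allowed = %d\n", may_use(usage_hardened(cleared, 1), KF_ENCRYPT));
    return 0;
}
```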
Also the following non-security bugs have been fixed:
* set the umask before opening a file for writing (bnc#780943)
* select proper ciphers when running in FIPS mode (bnc#808958)
* add missing options to opts table (bnc#778723)
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Server 11 SP1 LTSS:
zypper in -t patch slessp1-gpg2-9124
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Linux Enterprise Server 11 SP1 LTSS (i586 s390x x86_64):
gpg2-2.0.9-25.33.37.6
gpg2-lang-2.0.9-25.33.37.6
References:
https://bugzilla.novell.com/778723
https://bugzilla.novell.com/780943
https://bugzilla.novell.com/798465
https://bugzilla.novell.com/808958
https://bugzilla.novell.com/840510
https://bugzilla.novell.com/844175
http://download.suse.com/patch/finder/?keywords=541ab699fd83742808f396e260b1da5d