SUSE-SU-2014:0750-1: moderate: Security update for gpg2

sle-updates at sle-updates at
Tue Jun 3 17:04:13 MDT 2014

   SUSE Security Update: Security update for gpg2

Announcement ID:    SUSE-SU-2014:0750-1
Rating:             moderate
References:         #778723 #780943 #798465 #808958 #840510 #844175 
Affected Products:
                    SUSE Linux Enterprise Server 11 SP1 LTSS

   An update that contains security fixes can now be installed.


   This is a SLES 11 SP1 LTSS rollup update for gpg2.

   The following security issues have been fixed:

       * CVE-2013-4402: The compressed packet parser in GnuPG allowed remote
         attackers to cause a denial of service (infinite recursion) via a
         crafted OpenPGP message.
       * CVE-2013-4351: GnuPG treated a key flags subpacket with all bits
         cleared (no usage permitted) as if it had all bits set (all usage
         permitted), which might have allowed remote attackers to bypass
         intended cryptographic protection mechanisms by leveraging the
       * CVE-2012-6085: The read_block function in g10/import.c in GnuPG,
         when importing a key, allowed remote attackers to corrupt the public
         keyring database or cause a denial of service (application crash)
         via a crafted length field of an OpenPGP packet.
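
   The key flags issue (CVE-2013-4351) comes down to one value standing for
   two different states. The sketch below is an added illustration, not
   GnuPG's code: the function names, the sample bytes and the "all usage when
   the subpacket is absent" default are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Usage bits in the first octet of a key flags subpacket (RFC 4880, 5.2.3.21). */
#define KF_CERTIFY 0x01u
#define KF_SIGN    0x02u
#define KF_ENCRYPT 0x0Cu   /* 0x04 communications | 0x08 storage */
#define KF_AUTH    0x20u
#define KF_ALL     (KF_CERTIFY | KF_SIGN | KF_ENCRYPT | KF_AUTH)

/* Constructed sample subpacket bodies, not taken from any real key. */
static const uint8_t FLAGS_NONE[1] = { 0x00 };  /* present, no usage permitted */
static const uint8_t FLAGS_SIGN[1] = { 0x02 };  /* present, signing only */

/* Flawed pattern: the value 0 stands both for "subpacket absent" and for
 * "subpacket present with all bits cleared", so the latter gets the default. */
unsigned usage_flawed(const uint8_t *body, size_t len)
{
    unsigned use = (body != NULL && len > 0) ? (body[0] & KF_ALL) : 0;
    return use == 0 ? KF_ALL : use;
}

/* Corrected pattern: only a missing subpacket (body == NULL) gets the
 * default; a subpacket that is present is taken at its word, even if empty. */
unsigned usage_checked(const uint8_t *body, size_t len)
{
    if (body == NULL)
        return KF_ALL;   /* assumption: default is "all usage" when absent */
    return len > 0 ? (body[0] & KF_ALL) : 0;
}

int main(void)
{
    printf("cleared flags: flawed=0x%02x checked=0x%02x\n",
           usage_flawed(FLAGS_NONE, 1), usage_checked(FLAGS_NONE, 1));
    printf("sign only:     flawed=0x%02x checked=0x%02x\n",
           usage_flawed(FLAGS_SIGN, 1), usage_checked(FLAGS_SIGN, 1));
    printf("no subpacket:  flawed=0x%02x checked=0x%02x\n",
           usage_flawed(NULL, 0), usage_checked(NULL, 0));
    return 0;
}
```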

   Also the following non-security bugs have been fixed:

       * set the umask before opening a file for writing (bnc#780943)
       * select proper ciphers when running in FIPS mode (bnc#808958)
       * add missing options to opts table (bnc#778723)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP1 LTSS:

      zypper in -t patch slessp1-gpg2-9124

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 11 SP1 LTSS (i586 s390x x86_64):


