Opened 22 months ago

Closed 22 months ago

Last modified 22 months ago

#16772 closed enhancement (fixed)

gnupg-2.3.7

Reported by: Douglas R. Reno
Owned by: Douglas R. Reno
Priority: elevated
Milestone: 11.2
Component: BOOK
Version: git
Severity: normal
Keywords:
Cc:

Description

New point version

Contains a security fix for CVE-2022-34903 which can be used to inject wrong status information into signatures, or cause applications to crash. See the thread at https://seclists.org/oss-sec/2022/q3/9

Change History (4)

comment:1 by Douglas R. Reno, 22 months ago

Owner: changed from blfs-book to Douglas R. Reno
Status: new → assigned

Grab two more security updates.

comment:2 by Douglas R. Reno, 22 months ago

Noteworthy changes in version 2.3.7 (2022-07-11)
------------------------------------------------

  * gpg: Fix possibly garbled status messages in NOTATION_DATA.  This
    bug could trick GPGME and other parsers to accept faked status
    lines.  [T6027, CVE-2022-34903]

  * gpg: Look up user ID to revoke by UID hash.  [T5936]

  * gpg: Setup the 'usage' filter property for export.  [rG7aabd94b81]

  * gpg,w32: Allow Unicode filenames for iobuf_cancel.  [rG4ee2009083]

  * gpg: Fix reading AEAD preference.  [T6019]

  * gpgsm: New option --compatibility-flags.  [rGf0b373cec9]

  * gpgsm: Rework the PKCS#12 parser to support DFN issued keys.
    [T6037]

  * agent: New option --no-user-trustlist and --sys-trustlist-name.
    [T5990]

  * agent: Pop up dialog window for confirmation, when specified so.
    [T5099]

  * agent: Show "Label:" field of private key when prompt the
    insertion.  [T5986]

  * agent: Handle USAGE information in KEYINFO.  [rG295a6a7591]

  * agent,ssh: Make not-inserted OpenPGP.3 keys available for SSH.
    [T5996]

  * agent,ssh: Support "Use-for-ssh" flag in private key.  [T5985]

  * agent: New field "Prompt" to prevent asking card key insertion.
    [T5987]

  * agent: Support --format=ssh option for READKEY.  [T6012]

  * agent: Add KEYATTR command.  [T5988]

  * agent: Flush before calling ftruncate.  [T6035]

  * agent: Do not consider --min-passphrase-len for the magic wand.
    [rGae2f1f0785]

  * kbx: Fix a race condition which results no status report.  [T5948]

  * scd:openpgp: Fix a segv for cards supporting unknown curves.
    [T5963]

  * scd:p15: Fix reading certificates without length info.

  * scd:p15: Improve the displayed S/N for Technology Nexus cards.

  * scd:openpgp: Add workaround for ECC attribute on Yubikey.  [T5963]

  * scd,piv: Fix status report of KEYPAIRINFO.  [rG64c8786105]

  * scd:nks: Support the Telesec ESIGN application.  [T5219, T4938]

  * scd: Fix use of SCardListReaders for PC/SC.  [T5979]

  * scd: Support automatic card selection for READCERT with keygrip.
    [T6003]

  * scd: Support specifying keygrip for learn command.  [T6002]

  * dirmngr: Fix for Windows when build against GNUTLS.  [T5899]

  * gpg-connect-agent: Add --unbuffered option.

  * gpg-connect-agent: Add a way to cancel an INQUIRE.  [T6010]

  * gpgconf: New short options -V and -X

  Release-info: https://dev.gnupg.org/T5947

comment:3 by Douglas R. Reno, 22 months ago

Resolution: fixed
Status: assigned → closed