Executive Summary
Summary | |
---|---|
Title | gnupg security update |
Information | |||
---|---|---|---|
Name | DSA-2774 | First vendor Publication | 2013-10-10 |
Vendor | Debian | Last vendor Modification | 2013-10-10 |
Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:P/I:P/A:N) | |||
---|---|---|---|
Cvss Base Score | 5.8 | Attack Range | Network |
Cvss Impact Score | 4.9 | Attack Complexity | Medium |
Cvss Exploit Score | 8.6 | Authentication | None Required |
Detail
Two vulnerabilities were discovered in GnuPG 2, the GNU privacy guard, a free PGP replacement. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2013-4351
When a key or subkey had its "key flags" subpacket set to all bits off, GnuPG currently would treat the key as having all bits set. That is, where the owner wanted to indicate "no use permitted", GnuPG would interpret it as "all use permitted". Such "no use permitted" keys are rare and only used in very special circumstances.

CVE-2013-4402
Infinite recursion in the compressed packet parser was possible with crafted input data, which may be used to cause a denial of service.

For the oldstable distribution (squeeze), these problems have been fixed in version 2.0.14-2+squeeze2.
For the stable distribution (wheezy), these problems have been fixed in version 2.0.19-2+deb7u1.
For the unstable distribution (sid), these problems have been fixed in version 2.0.22-1.

We recommend that you upgrade your gnupg2 packages.
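The two defects described above lend themselves to a side-by-side model. The Python below is an added example, not GnuPG code and not part of the Debian advisory: it encodes the RFC 4880 key-flags octet and a minimal old-format packet walker, then shows the pre-fix interpretation that conflates an absent key-flags subpacket with an all-bits-off one (CVE-2013-4351) next to the fixed one, and a compressed-packet walk that recurses without a depth bound next to one that caps nesting (CVE-2013-4402). The default-usage fallback (DEFAULT_USAGE), the 32-level cap (MAX_NESTING_DEPTH), the old-format-only header support and the nested sample message are assumptions constructed for this example; the real GnuPG code also tracks unknown flag bits and algorithm-specific defaults, which are not modelled here.

```python
"""CVE-2013-4351 and CVE-2013-4402 side by side, modelled in Python. Added example,
not GnuPG code: default-usage and nesting-limit values are assumptions for illustration."""
import sys
import zlib

# CVE-2013-4351: key flags subpacket, first octet (RFC 4880 section 5.2.3.21)
KF_CERTIFY, KF_SIGN, KF_ENC_COMMS, KF_ENC_STORAGE, KF_AUTH = 0x01, 0x02, 0x04, 0x08, 0x20
KF_KNOWN = KF_CERTIFY | KF_SIGN | KF_ENC_COMMS | KF_ENC_STORAGE | KF_AUTH
# Assumed capabilities when a key carries no key flags subpacket at all (full set, as for RSA)
DEFAULT_USAGE = KF_KNOWN

def usage_vulnerable(key_flags):
    """Pre-fix: usage 0 means both 'subpacket absent' and 'all bits off', so 0x00 gets the default."""
    usage = key_flags[0] & KF_KNOWN if key_flags else 0
    return usage if usage else DEFAULT_USAGE

def usage_fixed(key_flags):
    """Post-fix: only an absent subpacket gets the default; an explicit 0x00 (or empty) is honoured."""
    if key_flags is None:
        return DEFAULT_USAGE
    return key_flags[0] & KF_KNOWN if key_flags else 0

# CVE-2013-4402: compressed data packets nested inside each other (RFC 4880 section 5.6)
TAG_COMPRESSED, TAG_LITERAL = 8, 11
COMP_UNCOMPRESSED, COMP_ZLIB = 0, 2
MAX_NESTING_DEPTH = 32  # assumed cap for this example; any fixed bound ends the DoS

class NestingTooDeep(ValueError):
    pass

def old_format_packet(tag, body):
    """Encode an old-format OpenPGP packet (RFC 4880 4.2.1); new-format headers are not modelled."""
    ltype, nlen = (0, 1) if len(body) < 0x100 else (1, 2) if len(body) < 0x10000 else (2, 4)
    return bytes([0x80 | tag << 2 | ltype]) + len(body).to_bytes(nlen, "big") + body

def read_old_packet(data, pos):
    """Decode one old-format packet starting at pos; return (tag, body, next_pos)."""
    hdr = data[pos]
    if not hdr & 0x80 or hdr & 0x40 or hdr & 0x03 == 3:
        raise ValueError("only old-format headers with an explicit length are modelled")
    tag, nlen = (hdr >> 2) & 0x0F, (1, 2, 4)[hdr & 0x03]
    length = int.from_bytes(data[pos + 1:pos + 1 + nlen], "big")
    start = pos + 1 + nlen
    return tag, data[start:start + length], start + length

def compressed_packet(inner, algo=COMP_ZLIB):
    """Wrap a packet sequence in a Compressed Data packet (algorithm octet + payload)."""
    payload = zlib.compress(inner) if algo == COMP_ZLIB else inner
    return old_format_packet(TAG_COMPRESSED, bytes([algo]) + payload)

def walk_packets(data, depth=0, max_depth=MAX_NESTING_DEPTH):
    """Return (depth, tag) for every packet, descending into compressed data.
    max_depth=None reproduces the unbounded recursion of the vulnerable parser."""
    seen, pos = [], 0
    while pos < len(data):
        tag, body, pos = read_old_packet(data, pos)
        seen.append((depth, tag))
        if tag == TAG_COMPRESSED:
            if max_depth is not None and depth + 1 > max_depth:
                raise NestingTooDeep("compressed data nested deeper than %d" % max_depth)
            algo, payload = body[0], body[1:]
            inner = zlib.decompress(payload) if algo == COMP_ZLIB else payload
            seen.extend(walk_packets(inner, depth + 1, max_depth))
    return seen

def nested_message(layers):
    """Constructed sample: one literal data packet wrapped in `layers` compressed packets."""
    msg = old_format_packet(TAG_LITERAL, b"b\x00" + b"\x00" * 4 + b"hello")
    for _ in range(layers):
        msg = compressed_packet(msg)
    return msg

def fixed_parser_rejects(layers):
    """True if the depth-limited walk refuses a message nested `layers` deep."""
    try:
        walk_packets(nested_message(layers))
        return False
    except NestingTooDeep:
        return True

def vulnerable_parser_crashes(layers=None):
    """True if the unlimited walk exhausts the Python stack (stand-in for the C process crashing)."""
    layers = layers or sys.getrecursionlimit() + 200
    try:
        walk_packets(nested_message(layers), max_depth=None)
        return False
    except RecursionError:
        return True

if __name__ == "__main__":
    print("0x00 key flags -> vulnerable %#x, fixed %#x" % (usage_vulnerable(b"\x00"), usage_fixed(b"\x00")))
    print("3 layers:", walk_packets(nested_message(3)))
    print("%d layers rejected:" % (MAX_NESTING_DEPTH + 1), fixed_parser_rejects(MAX_NESTING_DEPTH + 1))
    print("unlimited parser crashes:", vulnerable_parser_crashes())
```

Run stand-alone, the script shows the vulnerable reading of an explicit 0x00 key-flags octet as the full capability set against 0 for the fixed reading, lists the packets of a three-layer message, rejects a 33-layer one, and shows the unbounded walk dying of recursion. The two lessons carry beyond GnuPG: "absent" and "explicitly empty" need distinct representations in a parser's return value, and any recursive parser of attacker-supplied nested containers needs an explicit nesting bound.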
Original Source
Url : http://www.debian.org/security/2013/dsa-2774 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
50 % | CWE-310 | Cryptographic Issues |
50 % | CWE-20 | Improper Input Validation |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:19160 | |||
Oval ID: | oval:org.mitre.oval:def:19160 | ||
Title: | USN-1987-1 -- gnupg, gnupg2 vulnerabilities | ||
Description: | Several security issues were fixed in GnuPG. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-1987-1 CVE-2013-4351 CVE-2013-4402 | Version: | 5 |
Platform(s): | Ubuntu 13.04 Ubuntu 12.10 Ubuntu 12.04 Ubuntu 10.04 | Product(s): | gnupg gnupg2 |
Definition Id: oval:org.mitre.oval:def:19904 | |||
Oval ID: | oval:org.mitre.oval:def:19904 | ||
Title: | DSA-2773-1 gnupg - several | ||
Description: | Two vulnerabilities were discovered in GnuPG, the GNU privacy guard, a free PGP replacement. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2773-1 CVE-2013-4351 CVE-2013-4402 | Version: | 5 |
Platform(s): | Debian GNU/Linux 6.0 Debian GNU/Linux 7 Debian GNU/kFreeBSD 6.0 Debian GNU/kFreeBSD 7 | Product(s): | gnupg |
Definition Id: oval:org.mitre.oval:def:20090 | |||
Oval ID: | oval:org.mitre.oval:def:20090 | ||
Title: | DSA-2774-1 gnupg2 - several | ||
Description: | Two vulnerabilities were discovered in GnuPG 2, the GNU privacy guard, a free PGP replacement. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2774-1 CVE-2013-4351 CVE-2013-4402 | Version: | 5 |
Platform(s): | Debian GNU/Linux 6.0 Debian GNU/Linux 7 Debian GNU/kFreeBSD 6.0 Debian GNU/kFreeBSD 7 | Product(s): | gnupg2 |
Definition Id: oval:org.mitre.oval:def:20690 | |||
Oval ID: | oval:org.mitre.oval:def:20690 | ||
Title: | RHSA-2013:1459: gnupg2 security update (Moderate) | ||
Description: | The compressed packet parser in GnuPG 1.4.x before 1.4.15 and 2.0.x before 2.0.22 allows remote attackers to cause a denial of service (infinite recursion) via a crafted OpenPGP message. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2013:1459-00 CESA-2013:1459 CVE-2012-6085 CVE-2013-4351 CVE-2013-4402 | Version: | 45 |
Platform(s): | Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 CentOS Linux 5 CentOS Linux 6 | Product(s): | gnupg2 |
Definition Id: oval:org.mitre.oval:def:20833 | |||
Oval ID: | oval:org.mitre.oval:def:20833 | ||
Title: | RHSA-2013:1458: gnupg security update (Moderate) | ||
Description: | The compressed packet parser in GnuPG 1.4.x before 1.4.15 and 2.0.x before 2.0.22 allows remote attackers to cause a denial of service (infinite recursion) via a crafted OpenPGP message. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2013:1458-00 CESA-2013:1458 CVE-2012-6085 CVE-2013-4242 CVE-2013-4351 CVE-2013-4402 | Version: | 59 |
Platform(s): | Red Hat Enterprise Linux 5 CentOS Linux 5 | Product(s): | gnupg |
Definition Id: oval:org.mitre.oval:def:23451 | |||
Oval ID: | oval:org.mitre.oval:def:23451 | ||
Title: | ELSA-2013:1458: gnupg security update (Moderate) | ||
Description: | The compressed packet parser in GnuPG 1.4.x before 1.4.15 and 2.0.x before 2.0.22 allows remote attackers to cause a denial of service (infinite recursion) via a crafted OpenPGP message. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2013:1458-00 CVE-2012-6085 CVE-2013-4242 CVE-2013-4351 CVE-2013-4402 | Version: | 21 |
Platform(s): | Oracle Linux 5 | Product(s): | gnupg |
Definition Id: oval:org.mitre.oval:def:23470 | |||
Oval ID: | oval:org.mitre.oval:def:23470 | ||
Title: | DEPRECATED: ELSA-2013:1459: gnupg2 security update (Moderate) | ||
Description: | The compressed packet parser in GnuPG 1.4.x before 1.4.15 and 2.0.x before 2.0.22 allows remote attackers to cause a denial of service (infinite recursion) via a crafted OpenPGP message. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2013:1459-00 CVE-2012-6085 CVE-2013-4351 CVE-2013-4402 | Version: | 18 |
Platform(s): | Oracle Linux 5 Oracle Linux 6 | Product(s): | gnupg2 |
Definition Id: oval:org.mitre.oval:def:23894 | |||
Oval ID: | oval:org.mitre.oval:def:23894 | ||
Title: | ELSA-2013:1459: gnupg2 security update (Moderate) | ||
Description: | The compressed packet parser in GnuPG 1.4.x before 1.4.15 and 2.0.x before 2.0.22 allows remote attackers to cause a denial of service (infinite recursion) via a crafted OpenPGP message. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2013:1459-00 CVE-2012-6085 CVE-2013-4351 CVE-2013-4402 | Version: | 17 |
Platform(s): | Oracle Linux 5 Oracle Linux 6 | Product(s): | gnupg2 |
Definition Id: oval:org.mitre.oval:def:25288 | |||
Oval ID: | oval:org.mitre.oval:def:25288 | ||
Title: | SUSE-SU-2013:1576-1 -- Security update for gpg2 | ||
Description: | This GnuPG update fixes two security issues: * CVE-2013-4351: GnuPG treated no-usage-permitted keys as all-usages-permitted. * CVE-2013-4402: An infinite recursion in the compressed packet parser was fixed. | ||
Family: | unix | Class: | patch |
Reference(s): | SUSE-SU-2013:1576-1 CVE-2013-4351 CVE-2013-4402 | Version: | 3 |
Platform(s): | SUSE Linux Enterprise Server 11 SUSE Linux Enterprise Desktop 11 | Product(s): | gpg2 |
Definition Id: oval:org.mitre.oval:def:26955 | |||
Oval ID: | oval:org.mitre.oval:def:26955 | ||
Title: | DEPRECATED: ELSA-2013-1458 -- gnupg security update (moderate) | ||
Description: | [1.4.5-18] - fix CVE-2013-4351 gpg treats no-usage-permitted keys as all-usages-permitted [1.4.5-17] - fix CVE-2012-6085 GnuPG: read_block() corrupt key input validation - fix CVE-2013-4242 GnuPG susceptible to Yarom/Falkner side-channel attack - fix CVE-2013-4402 GnuPG: infinite recursion in the compressed packet parser [1.4.5-15] - fix error when decrypting certain files (#510500) | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2013-1458 CVE-2013-4242 CVE-2012-6085 CVE-2013-4351 CVE-2013-4402 | Version: | 4 |
Platform(s): | Oracle Linux 5 | Product(s): | gnupg |
Definition Id: oval:org.mitre.oval:def:27428 | |||
Oval ID: | oval:org.mitre.oval:def:27428 | ||
Title: | DEPRECATED: ELSA-2013-1459 -- gnupg2 security update (moderate) | ||
Description: | [2.0.14-6] - fix CVE-2013-4351 gpg treats no-usage-permitted keys as all-usages-permitted [2.0.14-5] - fix CVE-2012-6085 GnuPG: read_block() corrupt key input validation - fix CVE-2013-4402 GnuPG: infinite recursion in the compressed packet parser | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2013-1459 CVE-2012-6085 CVE-2013-4351 CVE-2013-4402 | Version: | 4 |
Platform(s): | Oracle Linux 5 Oracle Linux 6 | Product(s): | gnupg2 |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2016-02-22 | Name : The remote device is missing a vendor-supplied security patch. File : f5_bigip_SOL50413110.nasl - Type : ACT_GATHER_INFO |
2016-02-22 | Name : The remote device is missing a vendor-supplied security patch. File : f5_bigip_SOL40131068.nasl - Type : ACT_GATHER_INFO |
2015-01-19 | Name : The remote Solaris system is missing a security patch for third-party software. File : solaris11_gnupg_20140731.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2013-736.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2013-716.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2013-758.nasl - Type : ACT_GATHER_INFO |
2014-02-23 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201402-24.nasl - Type : ACT_GATHER_INFO |
2013-11-14 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2013-237.nasl - Type : ACT_GATHER_INFO |
2013-11-14 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2013-236.nasl - Type : ACT_GATHER_INFO |
2013-11-13 | Name : The remote Fedora host is missing a security update. File : fedora_2013-18647.nasl - Type : ACT_GATHER_INFO |
2013-10-27 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2013-1459.nasl - Type : ACT_GATHER_INFO |
2013-10-27 | Name : The remote CentOS host is missing a security update. File : centos_RHSA-2013-1458.nasl - Type : ACT_GATHER_INFO |
2013-10-27 | Name : The remote Fedora host is missing one or more security updates. File : fedora_2013-18814.nasl - Type : ACT_GATHER_INFO |
2013-10-25 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_gpg2-131008.nasl - Type : ACT_GATHER_INFO |
2013-10-25 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20131024_gnupg_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2013-10-25 | Name : The remote Oracle Linux host is missing a security update. File : oraclelinux_ELSA-2013-1458.nasl - Type : ACT_GATHER_INFO |
2013-10-25 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2013-1459.nasl - Type : ACT_GATHER_INFO |
2013-10-25 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2013-1458.nasl - Type : ACT_GATHER_INFO |
2013-10-25 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2013-1459.nasl - Type : ACT_GATHER_INFO |
2013-10-25 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20131024_gnupg2_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2013-10-15 | Name : The remote Slackware host is missing a security update. File : Slackware_SSA_2013-287-02.nasl - Type : ACT_GATHER_INFO |
2013-10-15 | Name : The remote Fedora host is missing a security update. File : fedora_2013-18866.nasl - Type : ACT_GATHER_INFO |
2013-10-15 | Name : The remote Fedora host is missing a security update. File : fedora_2013-18807.nasl - Type : ACT_GATHER_INFO |
2013-10-15 | Name : The remote Slackware host is missing a security update. File : Slackware_SSA_2013-287-01.nasl - Type : ACT_GATHER_INFO |
2013-10-13 | Name : The remote Fedora host is missing a security update. File : fedora_2013-18676.nasl - Type : ACT_GATHER_INFO |
2013-10-11 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2013-247.nasl - Type : ACT_GATHER_INFO |
2013-10-11 | Name : The remote Fedora host is missing a security update. File : fedora_2013-18543.nasl - Type : ACT_GATHER_INFO |
2013-10-11 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2774.nasl - Type : ACT_GATHER_INFO |
2013-10-11 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2773.nasl - Type : ACT_GATHER_INFO |
2013-10-10 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1987-1.nasl - Type : ACT_GATHER_INFO |
2013-10-06 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_749b55872da111e3b1a9b499baab0cbe.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Information |
---|---|
2014-02-17 11:32:14 | |
2013-10-29 13:21:54 | |
2013-10-10 21:26:13 | |
2013-10-10 21:21:58 | |