========================================================================== Ubuntu Security Notice USN-3675-1 June 11, 2018 gnupg, gnupg2 vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 18.04 LTS - Ubuntu 17.10 - Ubuntu 16.04 LTS - Ubuntu 14.04 LTS Summary: Several security issues were fixed in GnuPG. Software Description: - gnupg2: GNU privacy guard - a free PGP replacement - gnupg: GNU privacy guard - a free PGP replacement Details: Marcus Brinkmann discovered that during decryption or verification, GnuPG did not properly filter out terminal sequences when reporting the original filename. An attacker could use this to specially craft a file that would cause an application parsing GnuPG output to incorrectly interpret the status of the cryptographic operation reported by GnuPG. (CVE-2018-12020) Lance Vick discovered that GnuPG did not enforce configurations where key certification required an offline master Certify key. An attacker with access to a signing subkey could generate certifications that appeared to be valid. This issue only affected Ubuntu 18.04 LTS. (CVE-2018-9234) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 18.04 LTS: gnupg 2.2.4-1ubuntu1.1 gpg 2.2.4-1ubuntu1.1 Ubuntu 17.10: gnupg 2.1.15-1ubuntu8.1 Ubuntu 16.04 LTS: gnupg 1.4.20-1ubuntu3.2 Ubuntu 14.04 LTS: gnupg 1.4.16-1ubuntu2.5 In general, a standard system update will make all the necessary changes. References: https://usn.ubuntu.com/usn/usn-3675-1 CVE-2018-12020, CVE-2018-9234 Package Information: https://launchpad.net/ubuntu/+source/gnupg2/2.2.4-1ubuntu1.1 https://launchpad.net/ubuntu/+source/gnupg2/2.1.15-1ubuntu8.1 https://launchpad.net/ubuntu/+source/gnupg/1.4.20-1ubuntu3.2 https://launchpad.net/ubuntu/+source/gnupg/1.4.16-1ubuntu2.5