gpg2-2.1.16-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10102-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z gpg2-2.1.16-1.1 on GA media These are all security issues fixed in the gpg2-2.1.16-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10102 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2010-2547/ SUSE CVE CVE-2010-2547 page https://www.suse.com/security/cve/CVE-2013-4351/ SUSE CVE CVE-2013-4351 page https://www.suse.com/security/cve/CVE-2013-4402/ SUSE CVE CVE-2013-4402 page https://www.suse.com/security/cve/CVE-2014-4617/ SUSE CVE CVE-2014-4617 page openSUSE Tumbleweed gpg2-2.1.16-1.1 gpg2-lang-2.1.16-1.1 gpg2-2.1.16-1.1 as a component of openSUSE Tumbleweed gpg2-lang-2.1.16-1.1 as a component of openSUSE Tumbleweed Use-after-free vulnerability in kbx/keybox-blob.c in GPGSM in GnuPG 2.x through 2.0.16 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a certificate with a large number of Subject Alternate Names, which is not properly handled in a realloc operation when importing the certificate or verifying its signature. CVE-2010-2547 openSUSE Tumbleweed:gpg2-2.1.16-1.1 openSUSE Tumbleweed:gpg2-lang-2.1.16-1.1 moderate 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2010-2547.html CVE-2010-2547 https://bugzilla.suse.com/625947 SUSE Bug 625947 GnuPG 1.4.x, 2.0.x, and 2.1.x treats a key flags subpacket with all bits cleared (no usage permitted) as if it has all bits set (all usage permitted), which might allow remote attackers to bypass intended cryptographic protection mechanisms by leveraging the subkey. CVE-2013-4351 openSUSE Tumbleweed:gpg2-2.1.16-1.1 openSUSE Tumbleweed:gpg2-lang-2.1.16-1.1 moderate 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-4351.html CVE-2013-4351 https://bugzilla.suse.com/840510 SUSE Bug 840510 The compressed packet parser in GnuPG 1.4.x before 1.4.15 and 2.0.x before 2.0.22 allows remote attackers to cause a denial of service (infinite recursion) via a crafted OpenPGP message. CVE-2013-4402 openSUSE Tumbleweed:gpg2-2.1.16-1.1 openSUSE Tumbleweed:gpg2-lang-2.1.16-1.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-4402.html CVE-2013-4402 https://bugzilla.suse.com/844175 SUSE Bug 844175 https://bugzilla.suse.com/941439 SUSE Bug 941439 The do_uncompress function in g10/compress.c in GnuPG 1.x before 1.4.17 and 2.x before 2.0.24 allows context-dependent attackers to cause a denial of service (infinite loop) via malformed compressed packets, as demonstrated by an a3 01 5b ff byte sequence. CVE-2014-4617 openSUSE Tumbleweed:gpg2-2.1.16-1.1 openSUSE Tumbleweed:gpg2-lang-2.1.16-1.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-4617.html CVE-2014-4617 https://bugzilla.suse.com/884130 SUSE Bug 884130 https://bugzilla.suse.com/962098 SUSE Bug 962098