python36-python-gnupg-0.4.7-1.2 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:11261 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z python36-python-gnupg-0.4.7-1.2 on GA media These are all security issues fixed in the python36-python-gnupg-0.4.7-1.2 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-11261 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:11261 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2018-12020/ SUSE CVE CVE-2018-12020 page https://www.suse.com/security/cve/CVE-2019-6690/ SUSE CVE CVE-2019-6690 page openSUSE Tumbleweed python36-python-gnupg-0.4.7-1.2 python38-python-gnupg-0.4.7-1.2 python39-python-gnupg-0.4.7-1.2 python36-python-gnupg-0.4.7-1.2 as a component of openSUSE Tumbleweed python38-python-gnupg-0.4.7-1.2 as a component of openSUSE Tumbleweed python39-python-gnupg-0.4.7-1.2 as a component of openSUSE Tumbleweed mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option. For example, the OpenPGP data might represent an original filename that contains line feed characters in conjunction with GOODSIG or VALIDSIG status codes. CVE-2018-12020 openSUSE Tumbleweed:python36-python-gnupg-0.4.7-1.2 openSUSE Tumbleweed:python38-python-gnupg-0.4.7-1.2 openSUSE Tumbleweed:python39-python-gnupg-0.4.7-1.2 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-12020.html CVE-2018-12020 https://bugzilla.suse.com/1096745 SUSE Bug 1096745 https://bugzilla.suse.com/1101134 SUSE Bug 1101134 python-gnupg 0.4.3 allows context-dependent attackers to trick gnupg to decrypt other ciphertext than intended. To perform the attack, the passphrase to gnupg must be controlled by the adversary and the ciphertext should be trusted. Related to a "CWE-20: Improper Input Validation" issue affecting the affect functionality component. CVE-2019-6690 openSUSE Tumbleweed:python36-python-gnupg-0.4.7-1.2 openSUSE Tumbleweed:python38-python-gnupg-0.4.7-1.2 openSUSE Tumbleweed:python39-python-gnupg-0.4.7-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-6690.html CVE-2019-6690 https://bugzilla.suse.com/1123498 SUSE Bug 1123498