Debian Long Term Support / LTS Security Information / 2014 / Security Information -- DLA-54-1 gnupg

Debian Security Advisory

DLA-54-1 gnupg -- LTS security update

Date Reported:

14 Sep 2014

Affected Packages:

gnupg

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2014-5270.

More information:

Genkin, Pipman and Tromer discovered a side-channel attack on Elgamal encryption subkeys (CVE-2014-5270).

In addition, this update hardens GnuPG's behaviour when treating keyserver responses; GnuPG now filters keyserver responses to only accepts those keyids actually requested by the user.

For Debian 6 Squeeze, these issues have been fixed in gnupg version 1.4.10-4+squeeze6