Debian Security Advisory

DLA-2862-1 python-gnupg -- LTS security update

Date Reported:
29 Dec 2021
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2018-12020, CVE-2019-6690.
More information:

A couple of vulnerabilites were found in python-gnupg, a Python wrapper for the GNU Privacy Guard.

  • CVE-2018-12020

    Marcus Brinkmann discovered that GnuPG before 2.2.8 improperly handled certain command line parameters. A remote attacker could use this to spoof the output of GnuPG and cause unsigned e-mail to appear signed.

  • CVE-2019-6690

    It was discovered that python-gnupg incorrectly handled the GPG passphrase. A remote attacker could send a specially crafted passphrase that would allow them to control the output of encryption and decryption operations.

For Debian 9 stretch, these problems have been fixed in version 0.3.9-1+deb9u1.

We recommend that you upgrade your python-gnupg packages.

For the detailed security status of python-gnupg please refer to its security tracker page at:

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: