Debian Security Advisory
DLA-2862-1 python-gnupg -- LTS security update
- Date Reported:
- 29 Dec 2021
- Affected Packages:
- Security database references:
- In Mitre's CVE dictionary: CVE-2018-12020, CVE-2019-6690.
- More information:
A couple of vulnerabilites were found in python-gnupg, a Python wrapper for the GNU Privacy Guard.
Marcus Brinkmann discovered that GnuPG before 2.2.8 improperly handled certain command line parameters. A remote attacker could use this to spoof the output of GnuPG and cause unsigned e-mail to appear signed.
It was discovered that python-gnupg incorrectly handled the GPG passphrase. A remote attacker could send a specially crafted passphrase that would allow them to control the output of encryption and decryption operations.
For Debian 9 stretch, these problems have been fixed in version 0.3.9-1+deb9u1.
We recommend that you upgrade your python-gnupg packages.
For the detailed security status of python-gnupg please refer to its security tracker page at: https://security-tracker.debian.org/tracker/python-gnupg
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS