Debian Security Advisory
DSA-3024-1 gnupg -- security update
- Date Reported:
- 11 Sep 2014
- Affected Packages:
- Security database references:
- In the Debian bugtracking system: Bug 725411.
In Mitre's CVE dictionary: CVE-2014-5270.
- More information:
Genkin, Pipman and Tromer discovered a side-channel attack on Elgamal encryption subkeys (CVE-2014-5270).
In addition, this update hardens GnuPG's behaviour when treating keyserver responses; GnuPG now filters keyserver responses to only accepts those keyid's actually requested by the user.
For the stable distribution (wheezy), this problem has been fixed in version 1.4.12-7+deb7u6.
For the testing (jessie) and unstable distribution (sid), this problem has been fixed in version 1.4.18-4.
We recommend that you upgrade your gnupg packages.