gnupg2 security update

2010-08-06 11:35:05
CentOS Project
lists.centos.org

CVSS2: 5.1
Attack Vector: NETWORK
Attack Complexity: HIGH
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:H/Au:N/C:P/I:P/A:P

CVSS3: 8.1
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.127
Percentile: 95.5%

CentOS Errata and Security Advisory CESA-2010:0603

The GNU Privacy Guard (GnuPG or GPG) is a tool for encrypting data and
creating digital signatures, compliant with the proposed OpenPGP Internet
standard and the S/MIME standard.

A use-after-free flaw was found in the way gpgsm, a Cryptographic Message
Syntax (CMS) encryption and signing tool, handled X.509 certificates with
a large number of Subject Alternate Names. A specially-crafted X.509
certificate could, when imported, cause gpgsm to crash or, possibly,
execute arbitrary code. (CVE-2010-2547)

All gnupg2 users should upgrade to this updated package, which contains a
backported patch to correct this issue.

Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2010-August/079030.html
https://lists.centos.org/pipermail/centos-announce/2010-August/079031.html

Affected packages:
gnupg2

Upstream details at:
https://access.redhat.com/errata/RHSA-2010:0603

| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| CentOS | 5 | i386 | gnupg2 | < 2.0.10-3.el5_5.1 | gnupg2-2.0.10-3.el5_5.1.i386.rpm |
| CentOS | 5 | x86_64 | gnupg2 | < 2.0.10-3.el5_5.1 | gnupg2-2.0.10-3.el5_5.1.x86_64.rpm |
