Security update for gpg2 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2015:2171-2 Final 1 1 2015-12-22T07:44:34Z current 2015-12-22T07:44:34Z 2015-12-22T07:44:34Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for gpg2 The gpg2 package was updated to fix the following security and non security issues: - CVE-2015-1606: Fixed invalid memory read using a garbled keyring (bsc#918089). - CVE-2015-1607: Fixed memcpy with overlapping ranges (bsc#918090). - bsc#955753: Fixed a regression of 'gpg --recv' due to keyserver import filter (also boo#952347). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-DESKTOP-12-SP1-2015-922,SUSE-SLE-SERVER-12-SP1-2015-922 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2015/suse-su-20152171-2/ Link for SUSE-SU-2015:2171-2 https://lists.suse.com/pipermail/sle-security-updates/2015-December/001753.html E-Mail link for SUSE-SU-2015:2171-2 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/918089 SUSE Bug 918089 https://bugzilla.suse.com/918090 SUSE Bug 918090 https://bugzilla.suse.com/952347 SUSE Bug 952347 https://bugzilla.suse.com/955753 SUSE Bug 955753 https://www.suse.com/security/cve/CVE-2015-1606/ SUSE CVE CVE-2015-1606 page https://www.suse.com/security/cve/CVE-2015-1607/ SUSE CVE CVE-2015-1607 page SUSE Linux Enterprise Desktop 12 SP1 SUSE Linux Enterprise Server 12 SP1 SUSE Linux Enterprise Server for SAP Applications 12 SP1 gpg2-2.0.24-3.2 gpg2-lang-2.0.24-3.2 gpg2-2.0.24-3.2 as a component of SUSE Linux Enterprise Desktop 12 SP1 gpg2-lang-2.0.24-3.2 as a component of SUSE Linux Enterprise Desktop 12 SP1 gpg2-2.0.24-3.2 as a component of SUSE Linux Enterprise Server 12 SP1 gpg2-lang-2.0.24-3.2 as a component of SUSE Linux Enterprise Server 12 SP1 gpg2-2.0.24-3.2 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 gpg2-lang-2.0.24-3.2 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 The keyring DB in GnuPG before 2.1.2 does not properly handle invalid packets, which allows remote attackers to cause a denial of service (invalid read and use-after-free) via a crafted keyring file. CVE-2015-1606 SUSE Linux Enterprise Desktop 12 SP1:gpg2-2.0.24-3.2 SUSE Linux Enterprise Desktop 12 SP1:gpg2-lang-2.0.24-3.2 SUSE Linux Enterprise Server 12 SP1:gpg2-2.0.24-3.2 SUSE Linux Enterprise Server 12 SP1:gpg2-lang-2.0.24-3.2 SUSE Linux Enterprise Server for SAP Applications 12 SP1:gpg2-2.0.24-3.2 SUSE Linux Enterprise Server for SAP Applications 12 SP1:gpg2-lang-2.0.24-3.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2015/suse-su-20152171-2/ https://www.suse.com/security/cve/CVE-2015-1606.html CVE-2015-1606 https://bugzilla.suse.com/918089 SUSE Bug 918089 kbx/keybox-search.c in GnuPG before 1.4.19, 2.0.x before 2.0.27, and 2.1.x before 2.1.2 does not properly handle bitwise left-shifts, which allows remote attackers to cause a denial of service (invalid read operation) via a crafted keyring file, related to sign extensions and "memcpy with overlapping ranges." CVE-2015-1607 SUSE Linux Enterprise Desktop 12 SP1:gpg2-2.0.24-3.2 SUSE Linux Enterprise Desktop 12 SP1:gpg2-lang-2.0.24-3.2 SUSE Linux Enterprise Server 12 SP1:gpg2-2.0.24-3.2 SUSE Linux Enterprise Server 12 SP1:gpg2-lang-2.0.24-3.2 SUSE Linux Enterprise Server for SAP Applications 12 SP1:gpg2-2.0.24-3.2 SUSE Linux Enterprise Server for SAP Applications 12 SP1:gpg2-lang-2.0.24-3.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2015/suse-su-20152171-2/ https://www.suse.com/security/cve/CVE-2015-1607.html CVE-2015-1607 https://bugzilla.suse.com/918090 SUSE Bug 918090