—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA512

– ————————————————————————-
Debian Security Advisory DSA-4224-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
June 08, 2018 https://www.debian.org/security/faq
– ————————————————————————-

Package : gnupg
CVE ID : CVE-2018-12020

Marcus Brinkmann discovered that GnuGPG performed insufficient
sanitisation of file names displayed in status messages, which could be
abused to fake the verification status of a signed email.

Details can be found in the upstream advisory at
https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html

For the oldstable distribution (jessie), this problem has been fixed
in version 1.4.18-7+deb8u5.

We recommend that you upgrade your gnupg packages.

For the detailed security status of gnupg please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/gnupg

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
—–BEGIN PGP SIGNATURE—–

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlsa+NFfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0RlwA/+PHaY6JTa53Q9gM9MMbEV9aJ3aXvl3VAvu4EC8Ei/rxZH0kIOO25aL+Yc
DsXwWmLl2FWuwLCRQ2HPsDuWLiNiuo4eAwM3pKg5vovAe4TbGLhd7VaSdTWa+PVj
3WwIgkZvOddPlR7saq48Lcc0taZAZwR1hQCS5bPDUzUhlzc2yMy+pi/oXioTvBxm
xOd4899wWcuRpfiZBss6veONbnf12zq/H3aCJshZrIGKxU8b7Fc+Oyq+QyK4B6sO
zMo134gF1M3HhjUxPjauX9keJe6/EMFHgjwQpA96JkNoKi96wWx31oBBJwHmLhRY
tl0FaXsBuQbZNWDU+QLbH6g2r90uuOsDHK9oY8SKIHN92/s1zW4pv2rbmcmHMPrV
oyabPZL10eH3wGf9NJAGhSO1vHOARdGJ2N3KL1AaIWLNfgXLt8QO+IH7OY3S04Y9
/sw89ojtrwIjcLpQ2DJ56Wd0LU/Jc0pNXUeEjkXthPD2VGKCYZm55yhDA5fKvBqo
m1BeKMN1qf64c40ZXq3uxV8xnt9yaFMXtX9FMZnigS7doiJhcCjggGZvzbIFoWLE
mhsDfST65Sbb9RE8q4V+tl14ssOFsQLhwByl3UzY89GpILU1qwnDyaQ2QgBI4Z18
oDQfpFkwka4Yy0iy8iqdi+DPN/VWBiIoC63ouO9MOU4rA8/VrNY=
=WGe/
—–END PGP SIGNATURE—–

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA512

– ————————————————————————-
Debian Security Advisory DSA-4223-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
June 08, 2018 https://www.debian.org/security/faq
– ————————————————————————-

Package : gnupg1
CVE ID : CVE-2018-12020
Debian Bug : 901088

Marcus Brinkmann discovered that GnuGPG performed insufficient
sanitisation of file names displayed in status messages, which could be
abused to fake the verification status of a signed email.

Details can be found in the upstream advisory at
https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html

For the stable distribution (stretch), this problem has been fixed in
version 1.4.21-4+deb9u1.

We recommend that you upgrade your gnupg1 packages.

For the detailed security status of gnupg1 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/gnupg1

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
—–BEGIN PGP SIGNATURE—–

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlsa+M9fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0Q1wg/+LcbFthhjHEXY0itTJrfbXHvqR8JQ7OzEA+yRybho71ZM3LwjFO2Pl9j0
oNbn20soT5uX1MfP4sORaiOMIUKh2k4zbYQrS4BRV7TWoae3zmHQEhDFfhEhM17O
JMnh3NqVs1NpNe7gn1+hBQCzlOmNYU3UvmXwCX3P5yyhSuO6isvLfZURHQB8qvmd
RdNZu3nUYI8UfPp1j6wFrdR+rpUUATYy2MHZkD/BbVowk657Bul5Arx/r0QCaH88
ywMGMGvugsVQOdA02cKvCyzXVS/qgVjDsJH2ssDFPI4txKB3hEgYTBoKyoFpzHqc
I7BOuDmo6/FpUuuruQcRPQk+5BDeiW2jazwf8WoCXYocwOAw7FTTLTEkZZm2Ce+c
jtM7Bvhz3cXoQsTtze/t/BTWZuUWATsiRPgJSyKF2kPFwZIWhLu2BWF8LTGliX9M
8uXxi4ml1v2ISLlo8BEkETBrP+m77rKqfph0uV3sySXBv2qUDfJX2xNF/ig4eMfy
zlIaZgv82ZIf+mCD0/Ji0HmsKG3C8RxEhwwr4R/oG7Q7qr07LMjKZhRLIE2ZkCC2
XM8IAdJLIzJckllI8mkPmm0GTZ6lX+BRrUSUKxKxY94QKNLRFzK7mMMWhJq3gMX8
PaYsTU67ZrDd4WPubFNzHC6DP+Fd4YZblXd8dyv1uSoe1/pIr78=
=xHpn
—–END PGP SIGNATURE—–

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA512

– ————————————————————————-
Debian Security Advisory DSA-4222-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
June 08, 2018 https://www.debian.org/security/faq
– ————————————————————————-

Package : gnupg2
CVE ID : CVE-2018-12020

Marcus Brinkmann discovered that GnuGPG performed insufficient
sanitisation of file names displayed in status messages, which could be
abused to fake the verification status of a signed email.

Details can be found in the upstream advisory at
https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html

For the oldstable distribution (jessie), this problem has been fixed
in version 2.0.26-6+deb8u2.

For the stable distribution (stretch), this problem has been fixed in
version 2.1.18-8~deb9u2.

We recommend that you upgrade your gnupg2 packages.

For the detailed security status of gnupg2 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/gnupg2

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
—–BEGIN PGP SIGNATURE—–

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlsa+MZfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0Sj/Q//S9O9UEDpOL16FPrsYWFohmcoDPspWHyACdFxoGOxJTZxDjDS6IsLuLu7
uSsSNyW1nQt1ghxuKO+XGEHfxMiPh54BdGf1w4PtUUw/1m9uQrlMsuyYGo2O4lMx
NvpxN+IVKbKhDYHknH4f59KBv4cVZuLK6R2vuAidUmEoY0H+IEWmwdQxqRommUNh
HYziSdcQgFEqWZ6HThqWPqJbvTHk3rX4viezex6TxfXBX88RgfHgxSLEV7xkJkHi
X2oM3kEylacb53p3wlXrtpvTwXheIPvquIgOF8LIRGlMk2Hjz+I0jVYPZQL9Pz87
+PmJ2pmTtYFK6FI3LZcxs2JOuUKKEOSv7U7WkRb40tSDlY0mD1DgGghiYuL7tPid
NbBRIKsrkvDGfvb1nL54QJ4Ej1J7yeYglxIoF7DW9l7bWgyIZfaIU0VesU9UpQUq
YX/iQi1Pt/y6ZCuRlAF2Xg9VLKW/94HWYdD8KKOc8113JeJnlcEOmYDBjbsIdSuK
R3hHVoKhZD+oDA2Hww/pDKeow0/9F6Zd/pxSZXxVcVvcT59y7T9XW18f0efZcBHf
T2V019/YkYN2RasgDjjw1r1OOjitQn5ktvbdZfNW9BXq8NJiwLd99A3coLZx1GTv
+Fl4up+v2d/zUKSXtvLfUyWjqem/keT6PKSBN4g9a5VyKLOj3Js=
=2Ci/
—–END PGP SIGNATURE—–