| Description: | Summary:
The remote host is missing an update for the Debian 'python-gnupg' package(s) announced via the DLA-2862-1 advisory.
Vulnerability Insight:
A couple of vulnerabilities were found in python-gnupg, a Python wrapper for the GNU Privacy Guard.
CVE-2018-12020
Marcus Brinkmann discovered that GnuPG before 2.2.8 improperly handled certain command line parameters. A remote attacker could use this to spoof the output of GnuPG and cause unsigned e-mail to appear signed.
CVE-2019-6690
It was discovered that python-gnupg incorrectly handled the GPG passphrase. A remote attacker could send a specially crafted passphrase that would allow them to control the output of encryption and decryption operations.
For Debian 9 stretch, these problems have been fixed in version 0.3.9-1+deb9u1.
We recommend that you upgrade your python-gnupg packages.
For the detailed security status of python-gnupg please refer to its security tracker page at: [link moved to references]
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: [link moved to references]
Affected Software/OS:
'python-gnupg' package(s) on Debian 9.
Solution:
Please install the updated package(s).
CVSS Score:
5.0
CVSS Vector:
AV:N/AC:L/Au:N/C:N/I:P/A:N
|
