Branch c9f2 update bulletin.

Package libksba updated to version 1.6.3-alt1 for branch c9f2 in task 385350.

Published: 2022-10-18

BDU:2022-06395

Уязвимость библиотеки предоставляющей функции для работы с сертификатами X.509 LibKSBA, связанная с целочисленным переполнением в синтаксическом анализаторе CRL, позволяющая нарушителю выполнить произвольный код в целевой системе

Severity: HIGH (8.1) Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: HIGH (7.6) Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C

References:

CVE-2022-3515

Published: 2022-12-20

BDU:2022-07478

Severity: HIGH (8.1) Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: HIGH (7.6) Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C

References:

CVE-2022-47629

Published: 2023-01-12
Modified: 2025-04-08

CVE-2022-3515

A vulnerability was found in the Libksba library due to an integer overflow within the CRL parser. The vulnerability can be exploited remotely for code execution on the target system by passing specially crafted data to the application, for example, a malicious S/MIME attachment.

Severity: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Published: 2022-12-20
Modified: 2025-04-16

CVE-2022-47629

Libksba before 1.6.3 is prone to an integer overflow vulnerability in the CRL signature parser.

Severity: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Package libgcrypt updated to version 1.10.2-alt2 for branch c9f2 in task 385350.

Published: 2021-09-17

BDU:2022-00593

Уязвимость криптографической библиотеки Libgcrypt, связанная с использованием слабых криптографических алгоритмов, позволяющая нарушителю получить доступ к конфиденциальной информации

Severity: MEDIUM (5.9) Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Severity: MEDIUM (5.4) Vector: AV:N/AC:H/Au:N/C:C/I:N/A:N

References:

CVE-2021-40528

Published: 2021-06-08

BDU:2022-03136

Уязвимость криптографической библиотеки Libgcrypt, связанная с использованием слабого криптографического алгоритма. позволяющая нарушителю получить доступ к конфиденциальной информации

Severity: HIGH (7.5) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Severity: HIGH (7.8) Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N

References:

CVE-2021-33560

Published: 2021-06-08
Modified: 2024-11-21

CVE-2021-33560

Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm, and the window size is not chosen appropriately. This, for example, affects use of ElGamal in OpenPGP.

Severity: MEDIUM (5.0) Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Published: 2021-09-06
Modified: 2025-06-09

CVE-2021-40528

The ElGamal implementation in Libgcrypt before 1.9.4 allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the sender's ephemeral exponents can lead to a cross-configuration attack against OpenPGP.

Severity: LOW (2.6) Vector: AV:N/AC:H/Au:N/C:P/I:N/A:N

Severity: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Прошу исправить версию

Package gnupg2 updated to version 2.2.36-alt0.c10.1 for branch c9f2 in task 385350.

Published: 2022-06-10

BDU:2023-03850

Уязвимость функции write_status_text_and_buffer компонента cpr.c программы для шифрования информации и создания электронных цифровых подписей GnuPG, позволяющая нарушителю получить доступ к конфиденциальным данным и нарушить их целостность

Severity: MEDIUM (6.5) Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

Severity: HIGH (7.8) Vector: AV:N/AC:M/Au:N/C:C/I:P/A:N

References:

CVE-2022-34903

Published: 2022-07-01
Modified: 2024-11-21

CVE-2022-34903

GnuPG through 2.3.6, in unusual situations where an attacker possesses any secret-key information from a victim's keyring and other constraints (e.g., use of GPGME) are met, allows signature forgery via injection into the status line.

Severity: MEDIUM (5.8) Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

Severity: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

References:

Скрипты для запуска gpg-agent устарели

Обновить gnupg2

gnupg2: restore setting GPG_TTY in profile.d

Version: 2.1.2

Branch c9f2 update on 2025-06-12

ALT-BU-2025-8040-1

ALT-PU-2025-7370-2

Closed vulnerabilities

BDU:2022-06395

BDU:2022-07478

CVE-2022-3515

CVE-2022-47629

ALT-PU-2025-7372-2

Closed vulnerabilities

BDU:2022-00593

BDU:2022-03136

CVE-2021-33560

CVE-2021-40528

Closed bugs

Bug #47806

ALT-PU-2025-7373-2

Closed vulnerabilities

BDU:2023-03850

CVE-2022-34903

Closed bugs

Bug #34418

Bug #39307

Bug #41509