Mandriva Linux Security Advisory : gnupg (MDVSA-2013:247)

This script is Copyright (C) 2013 Tenable Network Security, Inc.


Synopsis :

The remote Mandriva Linux host is missing one or more security
updates.

Description :

Multiple vulnerabilities has been discovered and corrected in gnupg :

GnuPG 1.4.x, 2.0.x, and 2.1.x treats a key flags subpacket with all
bits cleared (no usage permitted) as if it has all bits set (all usage
permitted), which might allow remote attackers to bypass intended
cryptographic protection mechanisms by leveraging the subkey
(CVE-2013-4351).

Special crafted input data may be used to cause a denial of service
against GPG. GPG can be forced to recursively parse certain parts of
OpenPGP messages ad infinitum (CVE-2013-4402).

The updated packages have been patched to correct this issue.

See also :

http://advisories.mageia.org/MGASA-2013-0299.html
http://advisories.mageia.org/MGASA-2013-0303.html
http://lists.gnu.org/archive/html/info-gnu/2013-10/msg00002.html
http://lists.gnu.org/archive/html/info-gnu/2013-10/msg00003.html

Solution :

Update the affected gnupg and / or gnupg2 packages.

Risk factor :

Medium / CVSS Base Score : 5.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N)

Family: Mandriva Local Security Checks

Nessus Plugin ID: 70383 ()

Bugtraq ID:

CVE ID: CVE-2013-4351
CVE-2013-4402

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now