Detections
Analytics

Debian DSA-2860-1 : parcimonie - information disclosure

high Nessus Plugin ID 72440

Language:

Synopsis

The remote Debian host is missing a security-related update.

Description

Holger Levsen discovered that parcimonie, a privacy-friendly helper to refresh a GnuPG keyring, is affected by a design problem that undermines the usefulness of this piece of software in the intended threat model.

When using parcimonie with a large keyring (1000 public keys or more), it would always sleep exactly ten minutes between two key fetches.
This can probably be used by an adversary who can watch enough key fetches to correlate multiple key fetches with each other, which is what parcimonie aims at protecting against. Smaller keyrings are affected to a smaller degree. This problem is slightly mitigated when using a HKP(s) pool as the configured GnuPG keyserver.

Solution

Upgrade the parcimonie packages.

For the stable distribution (wheezy), this problem has been fixed in version 0.7.1-1+deb7u1.

See Also

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=738134

https://packages.debian.org/source/wheezy/parcimonie

https://www.debian.org/security/2014/dsa-2860

Plugin Details

Severity: High

ID: 72440

File Name: debian_DSA-2860.nasl

Version: 1.9

Type: local

Agent: unix

Published: 2/12/2014

Updated: 1/11/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:parcimonie, cpe:/o:debian:debian_linux:7.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 2/11/2014

Reference Information

CVE: CVE-2014-1921

BID: 65505

DSA: 2860