Candidate: CVE-2019-13050
PublicDate: 2019-06-29 17:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13050
 https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
 https://lists.gnupg.org/pipermail/gnupg-announce/2019q3/000439.html
 https://tech.michaelaltfield.net/2019/07/14/mitigating-poisoned-pgp-certificates/
Description:
 Interaction between the sks-keyserver code through 1.2.0 of the SKS
 keyserver network, and GnuPG through 2.2.16, makes it risky to have a
 GnuPG keyserver configuration line referring to a host on the SKS
 keyserver network. Retrieving data from this network may cause a
 persistent denial of service, because of a Certificate Spamming Attack.
Ubuntu-Description:
Notes:
 mdeslaur> this is a weakness in the PGP keyserver design.
 amurray> gnupg upstream has 2 mitigations for this: firstly, don't import key signatures by default anymore, and secondly, fall back to importing only self-signatures on very large keyblocks
 mdeslaur> as of 2020-01-06, there is no ideal fix for this issue
 mdeslaur> marking this CVE as deferred until a complete fix is available
 sbeattie> gnupg mitigations landed in upstream in 2.2.17 with important fixes in 2.2.18
 sbeattie> 2.2.19-3ubuntu1 introduced a Debian/Ubuntu-specific change to use keys.openpgp.org as the default keyserver
 sbeattie> any backports to address this issue will be complex and introduce changes in behavior
 sbeattie> sks in debian introduced very basic filtering in 1.1.6+git20210302.c3ba6d5a-1
 rodrigo-zaiden> as of 2022-03-22, there is no upstream backport for the gnupg 1.4 series. Backporting from 2.2 is too risky.
Bugs:
 https://bugs.launchpad.net/bugs/1844059
 https://dev.gnupg.org/T4591
 https://dev.gnupg.org/T4607
 https://dev.gnupg.org/T4628
 https://bugzilla.suse.com/show_bug.cgi?id=CVE-2019-13050
Priority: low
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH]
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH]

Patches_sks:
upstream_sks: released (1.1.6+git20210302.c3ba6d5a-1)
precise/esm_sks: DNE
trusty_sks: ignored (out of standard support)
trusty/esm_sks: DNE
xenial_sks: ignored (end of standard support, was deferred [2020-01-06])
bionic_sks: deferred (2020-01-06)
cosmic_sks: ignored (reached end-of-life)
disco_sks: ignored (reached end-of-life)
eoan_sks: ignored (reached end-of-life)
focal_sks: deferred (2020-01-06)
groovy_sks: DNE
hirsute_sks: not-affected (1.1.6+git20210302.c3ba6d5a-1)
impish_sks: not-affected (1.1.6+git20210302.c3ba6d5a-1)
jammy_sks: not-affected (1.1.6+git20210302.c3ba6d5a-1)
devel_sks: not-affected (1.1.6+git20210302.c3ba6d5a-1)

Patches_gnupg:
upstream_gnupg: needs-triage
precise/esm_gnupg: ignored (end of ESM support, was deferred [2020-01-06])
trusty/esm_gnupg: deferred (2022-03-22)
xenial_gnupg: ignored (end of standard support, was deferred [2020-01-06])
esm-infra/xenial_gnupg: deferred (2022-03-22)
bionic_gnupg: DNE
disco_gnupg: DNE
eoan_gnupg: DNE
focal_gnupg: DNE
groovy_gnupg: DNE
hirsute_gnupg: DNE
impish_gnupg: DNE
jammy_gnupg: DNE
devel_gnupg: DNE

Patches_gnupg2:
upstream: https://dev.gnupg.org/rG15a425a1dfe60bd976b17671aa8e3d9aed12e1c0
upstream: https://dev.gnupg.org/rGadb120e663fc5e78f714976c6e42ae233c1990b0
upstream: https://dev.gnupg.org/rGa1f2f38dfb2ba5ed66d3aef66fc3be9b67f9b800
upstream: https://dev.gnupg.org/rG2b7151b0a57f5fe7d67fd76dfa1ba7a8731642c6 (possibly problematic)
upstream: https://dev.gnupg.org/rGb6effaf4669b2c3707932e3c5f2f57df886d759e
upstream: https://dev.gnupg.org/rG3c2cf5ea952015a441ee5701c41dadc63be60d87
upstream_gnupg2: released (2.2.17-3)
precise/esm_gnupg2: DNE
trusty/esm_gnupg2: DNE
xenial_gnupg2: ignored (end of standard support, was deferred [2020-01-06])
esm-infra/xenial_gnupg2: needed
bionic_gnupg2: needed
disco_gnupg2: ignored (reached end-of-life)
eoan_gnupg2: ignored (reached end-of-life)
focal_gnupg2: not-affected (2.2.19-3ubuntu1)
groovy_gnupg2: not-affected (2.2.19-3ubuntu1)
hirsute_gnupg2: not-affected (2.2.19-3ubuntu1)
impish_gnupg2: not-affected (2.2.19-3ubuntu1)
jammy_gnupg2: not-affected (2.2.19-3ubuntu1)
devel_gnupg2: not-affected (2.2.19-3ubuntu1)
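Added illustration for the mitigation described in the notes (this is example code, not code from GnuPG, SKS or the Ubuntu security team): a minimal RFC 4880 packet parser that counts the signature packets hanging off each key, subkey and user ID in a binary keyblock, which is exactly the quantity a certificate spamming attack inflates, and a triage function that chooses between a full import and a self-signatures-only import, modelling the "fall back to self-sigs-only on very large keyblocks" behaviour the notes attribute to GnuPG 2.2.17. The thresholds MAX_SIGS_PER_COMPONENT and MAX_KEYBLOCK_BYTES are assumptions chosen for the example, not GnuPG's actual limits, and the keyblock produced by sample_keyblock() is constructed dummy data (valid packet framing, not real key material).

```python
import struct

# RFC 4880 packet tags that make up a transferable public key (section 11.1)
SIGNATURE, PUBLIC_KEY, USER_ID, PUBLIC_SUBKEY = 2, 6, 13, 14
COMPONENT_NAMES = {PUBLIC_KEY: "keys", PUBLIC_SUBKEY: "subkeys", USER_ID: "uids"}

# Illustrative thresholds for this example only (assumptions, not GnuPG's limits).
MAX_SIGS_PER_COMPONENT = 100
MAX_KEYBLOCK_BYTES = 1_000_000


def iter_packets(data):
    """Yield (tag, body) for each packet; old-format (4.2.1) and new-format (4.2.2) headers."""
    i, n = 0, len(data)
    while i < n:
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("byte 0x%02x at offset %d is not a packet tag" % (ctb, i))
        i += 1
        if ctb & 0x40:                      # new-format header
            tag, body = ctb & 0x3F, bytearray()
            while True:
                first = data[i]
                i += 1
                partial = False
                if first < 192:             # one-octet length
                    length = first
                elif first < 224:           # two-octet length
                    length = ((first - 192) << 8) + data[i] + 192
                    i += 1
                elif first == 255:          # five-octet length
                    length = struct.unpack(">I", data[i:i + 4])[0]
                    i += 4
                else:                       # partial body length, more chunks follow
                    length, partial = 1 << (first & 0x1F), True
                body += data[i:i + length]
                i += length
                if not partial:
                    break
            yield tag, bytes(body)
        else:                               # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:                  # indeterminate length: runs to end of input
                length = n - i
            else:
                width = (1, 2, 4)[ltype]
                length = int.from_bytes(data[i:i + width], "big")
                i += width
            yield tag, data[i:i + length]
            i += length


def keyblock_summary(data):
    """Return (packet counts, most signatures attached to any one key/subkey/user ID).

    A signature is attributed to the key, subkey or user ID packet preceding it,
    which is how a transferable public key is laid out.
    """
    counts = {"keys": 0, "subkeys": 0, "uids": 0, "sigs": 0}
    per_component = []
    for tag, _body in iter_packets(data):
        if tag in COMPONENT_NAMES:
            counts[COMPONENT_NAMES[tag]] += 1
            per_component.append(0)
        elif tag == SIGNATURE:
            counts["sigs"] += 1
            if per_component:
                per_component[-1] += 1
    return counts, max(per_component, default=0)


def import_policy(data, max_sigs=MAX_SIGS_PER_COMPONENT, max_bytes=MAX_KEYBLOCK_BYTES):
    """Return "full" for an ordinary keyblock, "self-sigs-only" for a suspect one."""
    _counts, worst = keyblock_summary(data)
    if len(data) > max_bytes or worst > max_sigs:
        return "self-sigs-only"
    return "full"


def encode_packet(tag, body):
    """Serialise a new-format packet; used here only to construct sample input."""
    n = len(body)
    if n < 192:
        hdr = bytes([n])
    elif n < 8384:
        hdr = bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        hdr = b"\xff" + struct.pack(">I", n)
    return bytes([0xC0 | tag]) + hdr + body


def sample_keyblock(n_sigs, sig_len=200):
    """Constructed keyblock: one key (old-format header), one user ID, n_sigs dummy signatures."""
    key = bytes([0x80 | (PUBLIC_KEY << 2), 8]) + b"\x04" + b"\x00" * 7
    uid = encode_packet(USER_ID, b"Alice <alice@example.org>")
    return key + uid + encode_packet(SIGNATURE, b"\x04" + b"\x00" * (sig_len - 1)) * n_sigs
```

The parser expects a binary keyblock, so run an armored key through `gpg --dearmor` first. When the verdict is self-sigs-only, the GnuPG 2.2.17+ equivalent is `gpg --import-options self-sigs-only --import key.gpg`; pointing `keyserver` in dirmngr.conf at hkps://keys.openpgp.org, as the 2.2.19-3ubuntu1 package does by default, avoids fetching from the SKS pool at all.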