CVE-2018-9234

Priority
Description
GnuPG 2.2.4 and 2.2.5 do not enforce a configuration in which key
certification requires an offline master Certify key, which results in
apparently valid certifications that occurred only with access to a signing
subkey.
Notes
mdeslaur: only affects 2.1.21 and later
Package
Source: gnupg (LP Ubuntu Debian)
Upstream: released (2.2.6)
Ubuntu 12.04 ESM (Precise Pangolin): not-affected
Ubuntu 14.04 ESM (Trusty Tahr): not-affected
Ubuntu 16.04 LTS (Xenial Xerus): not-affected
Ubuntu 18.04 LTS (Bionic Beaver): DNE
Package
Upstream: released (2.2.6)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE (trusty was not-affected [2.0.22-3ubuntu1.3])
Ubuntu 16.04 LTS (Xenial Xerus): not-affected (2.1.11-6ubuntu2)
Ubuntu 18.04 LTS (Bionic Beaver): released (2.2.4-1ubuntu1.1)
Patches:
Upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=a17d2d1f690ebe5d005b4589a5fe378b6487c657

Updated: 2020-07-28 20:05:48 UTC (commit d26b6ca9f5b3adb89bb036ce73ae7dab894935ec)