[arch-security] GnuPG < 2.0.24 DoS (CVE-2014-4617)

Guillaume ALAUX guillaume at archlinux.org
Thu Jun 26 04:52:10 EDT 2014


On 26 June 2014 10:48, Guillaume ALAUX <guillaume at archlinux.org> wrote:
> On 26 June 2014 10:44, Neal Oakey <neal at oakey-dev.eu> wrote:
>> Hi,
>>
>> when will this be fixed?
>>
>> Greetings,
>> Neal
>>
>> On 24.06.2014 17:33, Remi Gacogne wrote:
>>> Hi all,
>>>
>>> A security issue has been reported to oss-security [1] regarding a
>>> denial of service in GnuPG < 2.0.24. Please see the original message
>>> posted to oss-security or the GnuPG announcement [2] for additional
>>> information.
>>>
>>> The GnuPG package in Arch Linux is currently in version 2.0.23 and
>>> therefore seems to be vulnerable. It has already been flagged as
>>> out-of-date but has not been updated yet.
>>>
>>> [1] http://www.openwall.com/lists/oss-security/2014/06/24/1
>>> [2] http://lists.gnupg.org/pipermail/gnupg-announce/2014q2/000345.html
>>>
>>> Best regards,
>>>
>>> Remi
>>>
>>>
>>
>
> GnuPG 2.0.24 is currently in [testing].
>
> https://www.archlinux.org/packages/testing/i686/gnupg/
>
> It should hit "stable" repo as soon as it gets its signoffs.

Hum. I have just read this comment about gnupg signoffs:

  Signoffs are not currently enabled
  Don't bother signing off; another upstream release is pending.

