{"id":"USN-2554-1","summary":"gnupg, gnupg2 vulnerabilities","details":"Daniel Genkin, Lev Pachmanov, Itamar Pipman, and Eran Tromer discovered\nthat GnuPG was susceptible to an attack via physical side channels. A local\nattacker could use this attack to possibly recover private keys.\n(CVE-2014-3591)\n\nDaniel Genkin, Adi Shamir, and Eran Tromer discovered that GnuPG was\nsusceptible to an attack via physical side channels. A local attacker could\nuse this attack to possibly recover private keys. (CVE-2015-0837)\n\nHanno Böck discovered that GnuPG incorrectly handled certain malformed\nkeyrings. If a user or automated system were tricked into opening a\nmalformed keyring, a remote attacker could use this issue to cause GnuPG to\ncrash, resulting in a denial of service, or possibly execute arbitrary\ncode. (CVE-2015-1606, CVE-2015-1607)\n\nIn addition, this update improves GnuPG security by validating that the\nkeys returned by keyservers match those requested.\n","modified":"2026-02-10T04:40:53Z","published":"2015-04-01T13:23:13Z","related":["UBUNTU-CVE-2014-3591","UBUNTU-CVE-2014-5270","UBUNTU-CVE-2015-0837","UBUNTU-CVE-2015-1606","UBUNTU-CVE-2015-1607"],"upstream":["CVE-2014-3591","CVE-2014-5270","CVE-2015-0837","CVE-2015-1606","CVE-2015-1607","UBUNTU-CVE-2014-3591","UBUNTU-CVE-2014-5270","UBUNTU-CVE-2015-0837","UBUNTU-CVE-2015-1606","UBUNTU-CVE-2015-1607"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-2554-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2014-3591"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2014-5270"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2015-0837"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2015-1606"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2015-1607"}],"affected":[{"package":{"name":"gnupg","ecosystem":"Ubuntu:14.04:LTS","purl":"pkg:deb/ubuntu/gnupg@1.4.16-1ubuntu2.3?arch=source&distro=trusty"},"ranges":[{"type":"ECOSYSTEM","events":[{
"introduced":"0"},{"fixed":"1.4.16-1ubuntu2.3"}]}],"versions":["1.4.14-1ubuntu2","1.4.15-1.1ubuntu1","1.4.15-1.1ubuntu2","1.4.15-2ubuntu1","1.4.16-1ubuntu1","1.4.16-1ubuntu2","1.4.16-1ubuntu2.1"],"ecosystem_specific":{"binaries":[{"binary_version":"1.4.16-1ubuntu2.3","binary_name":"gnupg"},{"binary_version":"1.4.16-1ubuntu2.3","binary_name":"gnupg-curl"},{"binary_version":"1.4.16-1ubuntu2.3","binary_name":"gpgv"}],"availability":"No subscription required"},"database_specific":{"cves_map":{"cves":[{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"type":"Ubuntu","score":"low"}],"id":"CVE-2014-3591"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"type":"Ubuntu","score":"low"}],"id":"CVE-2015-0837"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"low"}],"id":"CVE-2015-1606"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"low"}],"id":"CVE-2015-1607"}],"ecosystem":"Ubuntu:14.04:LTS"},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-2554-1.json"}},{"package":{"name":"gnupg2","ecosystem":"Ubuntu:14.04:LTS","purl":"pkg:deb/ubuntu/gnupg2@2.0.22-3ubuntu1.3?arch=source&distro=trusty"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.0.22-3ubuntu1.3"}]}],"versions":["2.0.20-1ubuntu3","2.0.22-1ubuntu1","2.0.22-3ubuntu1","2.0.22-3ubuntu1.1"],"ecosystem_specific":{"binaries":[{"binary_version":"2.0.22-3ubuntu1.3","binary_name":"gnupg-agent"},{"binary_version":"2.0.22-3ubuntu1.3","binary_name":"gnupg2"},{"binary_version":"2.0.22-3ubuntu1.3","binary_name":"gpgsm"},{"binary_version":"2.0.22-3ubuntu1.3","binary_name":"gpgv2"},{"binary_version":"2.0.22-3ubuntu1.3","binary_name":"scdaemon"}],"availability":"No subscription required"},
"database_specific":{"cves_map":{"cves":[{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"type":"Ubuntu","score":"low"}],"id":"CVE-2014-3591"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"type":"Ubuntu","score":"low"}],"id":"CVE-2015-0837"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"low"}],"id":"CVE-2015-1606"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"low"}],"id":"CVE-2015-1607"}],"ecosystem":"Ubuntu:14.04:LTS"},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-2554-1.json"}}],"schema_version":"1.7.3"}