http://bugzilla.opensuse.org/show_bug.cgi?id=1088255

Bug ID: 1088255
Summary: VUL-1: CVE-2018-9234: gpg2: Unenforced configuration allows for apparently valid certifications actually signed by signing subkeys
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.0
Hardware: Other
URL: https://smash.suse.de/issue/203140/
OS: Other
Status: NEW
Severity: Minor
Priority: P5 - None
Component: Security
Assignee: pmonrealgonzalez@suse.com
Reporter: kbabioch@suse.com
QA Contact: security-team@suse.de
Found By: Security Response Team
Blocker: ---

GnuPG through version 2.2.5 does not enforce a configuration in which key certification requires an offline master Certify key, which results in apparently valid certifications that occurred only with access to a signing subkey.

Upstream Issue: https://dev.gnupg.org/T3844
Upstream Patch: https://dev.gnupg.org/rGa17d2d1f690ebe5d005b4589a5fe378b6487c657

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1563930
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-9234
http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-9234.html
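
An audit for the condition described above, added here as an example and not taken from the bug report or from GnuPG: it reads `gpg --with-colons` listings and flags user-ID certifications whose issuer is a subkey without the Certify capability. It assumes the colon-format field positions documented in GnuPG's doc/DETAILS (key ID in field 5, signature class in field 11, capabilities in field 12); the function names are hypothetical and the sample listings are constructed.

```python
# Added example: audit `gpg --with-colons` listings for certifications issued by
# a key that lacks the Certify capability (the condition in CVE-2018-9234).
CERT_CLASSES = {"10", "11", "12", "13"}  # RFC 4880 user-ID certification types

def key_capabilities(listing):
    """Map key ID -> that key's own capability letters (field 12, lowercase only)."""
    caps = {}
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub") and len(f) >= 12:
            # Uppercase letters on a pub record summarise the whole key; drop them.
            caps[f[4]] = {c for c in f[11] if c.islower()}
    return caps

def suspicious_certifications(signer_listing, sig_listing):
    """Return (target_uid, issuer_keyid, sig_class) for certifications whose
    issuer is a known key or subkey of the signer without the 'c' capability."""
    caps = key_capabilities(signer_listing)
    findings, uid = [], None
    for line in sig_listing.splitlines():
        f = line.split(":")
        if f[0] == "uid" and len(f) >= 10:
            uid = f[9]
        elif f[0] == "sig" and len(f) >= 11:
            issuer, sig_class = f[4], f[10][:2]
            if sig_class in CERT_CLASSES and issuer in caps and "c" not in caps[issuer]:
                findings.append((uid, issuer, sig_class))
    return findings

# Constructed sample data (key IDs, dates and names are made up).
SIGNER_KEYS = """\
pub:u:4096:1:AAAAAAAAAAAAAAAA:1500000000:::u:::cSC::::::23::0:
uid:u::::1500000000::0000::Signer <signer@example.org>::::::::::0:
sub:u:4096:1:BBBBBBBBBBBBBBBB:1500000000::::::s::::::23:
sub:u:4096:1:CCCCCCCCCCCCCCCC:1500000000::::::e::::::23:
"""
TARGET_SIGS = """\
pub:f:4096:1:DDDDDDDDDDDDDDDD:1510000000:::-:::scESC::::::23::0:
uid:f::::1510000000::1111::Target <target@example.org>::::::::::0:
sig:::1:DDDDDDDDDDDDDDDD:1510000000::::Target <target@example.org>:13x:::::8:
sig:::1:AAAAAAAAAAAAAAAA:1520000000::::Signer <signer@example.org>:10x:::::8:
sig:::1:BBBBBBBBBBBBBBBB:1520000100::::Signer <signer@example.org>:10x:::::8:
"""

if __name__ == "__main__":
    for uid, issuer, cls in suspicious_certifications(SIGNER_KEYS, TARGET_SIGS):
        print(f"certification 0x{cls} on '{uid}' issued by non-certify key {issuer}")
```

In the sample, the certification issued by the primary key AAAAAAAAAAAAAAAA passes, while the one issued by the sign-only subkey BBBBBBBBBBBBBBBB is reported.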