[Secure-testing-team] Bug#738509: python-gnupg: CVE-2013-7323 CVE-2014-1927 CVE-2014-1928
Salvatore Bonaccorso
carnil at debian.org
Mon Feb 10 05:30:06 UTC 2014
Source: python-gnupg
Severity: grave
Tags: security upstream
Justification: user security hole
Hi,
the following vulnerabilities were published for python-gnupg.
CVE-2013-7323[0]:
Unrestricted use of unquoted strings in a shell
CVE-2014-1927[1]:
Erroneous assumptions about the usability of " characters
CVE-2014-1928[2]:
Erroneous insertion of a \ character
allowing shell injection in python-gnupg.
Plase see the treat on oss-security about more details for each of
these isues[3]. Note I have not (yet) checked which of the three CVEs
still apply to the 0.3.5 version.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7323
http://security-tracker.debian.org/tracker/CVE-2013-7323
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1927
http://security-tracker.debian.org/tracker/CVE-2014-1927
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1928
http://security-tracker.debian.org/tracker/CVE-2014-1928
[3] http://www.openwall.com/lists/oss-security/2014/02/09/1
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
More information about the Secure-testing-team
mailing list