- Vulnerability/
- USN-4516-1
USN-4516-1: GnuPG vulnerability
First published: Thu Sep 17 2020(Updated: )
It was discovered that GnuPG signatures could be forged when the SHA-1 algorithm is being used. This update removes validating signatures based on SHA-1 that were generated after 2019-01-19. In environments where this is still required, a new option --allow-weak-key-signatures can be used to revert this behaviour.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| All of | ||
| ubuntu/gnupg | <2.2.4-1ubuntu1.3 | 2.2.4-1ubuntu1.3 |
| Ubuntu Ubuntu | =18.04 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for this GnuPG vulnerability?
The vulnerability ID for this GnuPG vulnerability is USN-4516-1.
What is the title of the GnuPG vulnerability?
The title of the GnuPG vulnerability is USN-4516-1: GnuPG vulnerability.
How can GnuPG signatures be forged with this vulnerability?
GnuPG signatures can be forged when the SHA-1 algorithm is being used.
What is the recommended solution to fix this vulnerability?
The recommended solution is to update GnuPG to version 2.2.4-1ubuntu1.3 or higher.
Where can I find more information about this GnuPG vulnerability?
You can find more information about this GnuPG vulnerability at the following links: [CVE-2019-14855](https://ubuntu.com/security/CVE-2019-14855), [Launchpad](https://launchpad.net/ubuntu/+source/gnupg2/2.2.4-1ubuntu1.3), [USN-4516-1](https://ubuntu.com/security/notices/USN-4516-1).
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/title
- agent/type
- collector/usn
- source/Ubuntu
- agent/software-canonical-lookup
- package-manager/ubuntu
- vendor/ubuntu
- canonical/ubuntu ubuntu
- version/ubuntu ubuntu/18.04