CVE-2019-13050
Publication date 29 June 2019
Last updated 24 July 2024
Interaction between the sks-keyserver code through 1.2.0 of the SKS keyserver network, and GnuPG through 2.2.16, makes it risky to have a GnuPG keyserver configuration line referring to a host on the SKS keyserver network. Retrieving data from this network may cause a persistent denial of service, because of a Certificate Spamming Attack.
Status
Package | Ubuntu Release | Status |
---|---|---|
gnupg | 24.10 oracular | Not in release |
gnupg | 24.04 LTS noble | Not in release |
gnupg | 22.04 LTS jammy | Not in release |
gnupg | 20.04 LTS focal | Not in release |
gnupg | 18.04 LTS bionic | Not in release |
gnupg | 16.04 LTS xenial | Vulnerable, fix deferred |
gnupg | 14.04 LTS trusty | Ignored (end of ESM support, was deferred [2022-03-22]) |
gnupg2 | 24.10 oracular | Not affected |
gnupg2 | 24.04 LTS noble | Not affected |
gnupg2 | 22.04 LTS jammy | Not affected |
gnupg2 | 20.04 LTS focal | Not affected |
gnupg2 | 18.04 LTS bionic | Fixed 2.2.4-1ubuntu1.5 |
gnupg2 | 16.04 LTS xenial | Ignored (change too intrusive) |
gnupg2 | 14.04 LTS trusty | Not in release |
sks | 24.10 oracular | Not affected |
sks | 24.04 LTS noble | Not affected |
sks | 22.04 LTS jammy | Not affected |
sks | 20.04 LTS focal | Vulnerable, fix deferred |
sks | 18.04 LTS bionic | Vulnerable, fix deferred |
sks | 16.04 LTS xenial | Vulnerable, fix deferred |
sks | 14.04 LTS trusty | Not in release |
Notes
mdeslaur: This is a weakness in the PGP keyserver design.
alexmurray: gnupg upstream has 2 mitigations for this. Firstly, don't import key signatures by default anymore, and secondly, fall back to importing only self-signatures on very large keyblocks.
mdeslaur: As of 2020-01-06, there is no ideal fix for this issue; marking this CVE as deferred until a complete fix is available.
sbeattie: gnupg mitigations landed in upstream in 2.2.17, with important fixes in 2.2.18. 2.2.19-3ubuntu1 introduced a Debian/Ubuntu-specific change to use keys.openpgp.org as the default keyserver. Any backports to address this issue will be complex and introduce changes in behavior. sks in Debian introduced very basic filtering in 1.1.6+git20210302.c3ba6d5a-1.
rodrigo-zaiden: As of 2022-03-22, there is no upstream backport for the gnupg 1.4 series. Backporting from 2.2 is too risky.
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.5 · High |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | None |
Integrity impact | None |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-5431-1: GnuPG vulnerability (30 May 2022)