CVE-2019-14855 is about Web of Trust forgeries using collisions in SHA-1 signatures. Given the required effort and the diminishing use of SHA-1, the impact is not very high. Nevertheless, we will default in master to not accept SHA-1 key signatures and in 2.2 we will not accept any new key signatures. Note that this renders dsa1024 keys useless for the Web-of-Trust.
- External Link
- https://sha-mbles.github.io/
Hello,
I am currently investigating the issue known as CVE-2019-14855 for Debian's LTS version Debian 8 "Jessie" and even Debian 7 "Wheezy".
Could you tell us more about the impact and if earlier versions of gnupg are affected? It appears no backports were made for < 2.2.x as the 1.4 series.
The change appears to change previous default behavior of gnupg. Does it even make sense to attempt a backport of the fixes?
Which commits exactly fix CVE-2019-14855? We currently believe that
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=c4f2d9e3e1d77d2f1f168764fcdfed32f7d1dfc4
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=7d9aad63c4f1aefe97da61baf5acd96c12c0278e
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=7d9aad63c4f1aefe97da61baf5acd96c12c0278e
are related but we are not sure if there are more commits which are required to fix CVE-2019-14855.
Thanks for all your work on GnuPG.
Markus Koschany
FWIW, the second listed commit is the right one. You should only look at the STABLE-BRANCH-2-2 branch. master and that branch differ; in particular we do not have a cut-off date in master (to be 2.3).
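To see which key signatures in a keyring the policy in the task description would touch, the following added example (not GnuPG code and not from this thread) scans `gpg --list-sigs --with-colons` output for SHA-1 certifications. It assumes the colon-listing layout in GnuPG's doc/DETAILS (field 11 = signature class, field 16 = hash algorithm); the sample lines and the `cutoff` value are constructed, since the thread does not state the 2.2 cut-off date.

```python
"""Flag SHA-1 key signatures in `gpg --list-sigs --with-colons` output."""
from typing import Iterable, List, NamedTuple, Optional

SHA1 = "2"                               # OpenPGP hash algorithm id for SHA-1
CERT_CLASSES = {0x10, 0x11, 0x12, 0x13}  # certifications of a user ID

class Sha1Cert(NamedTuple):
    key_id: str                   # key that carries the signature
    signer_id: str                # key that issued it
    created: Optional[int]        # epoch seconds, None if not parsable
    self_sig: bool                # issued by the key itself
    after_cutoff: Optional[bool]  # None when no cutoff was supplied

def find_sha1_certs(lines: Iterable[str],
                    cutoff: Optional[int] = None) -> List[Sha1Cert]:
    found, key_id = [], ""
    for line in lines:
        f = line.rstrip("\r\n").split(":")  # ':' in user IDs is escaped as \x3a
        if f[0] == "pub" and len(f) > 4:
            key_id = f[4]                   # remember the key being listed
        if f[0] != "sig" or len(f) < 16 or f[15] != SHA1:
            continue                        # field 16 is the hash algorithm
        try:
            sig_class = int(f[10][:2], 16)  # field 11, e.g. "10x" or "13l"
        except ValueError:
            continue
        if sig_class not in CERT_CLASSES:
            continue                        # e.g. subkey binding signatures
        created = int(f[5]) if f[5].isdigit() else None
        after = None if cutoff is None or created is None else created > cutoff
        found.append(Sha1Cert(key_id, f[4], created, f[4] == key_id, after))
    return found

# Constructed sample listing; key IDs, names and timestamps are made up.
SAMPLE = """\
pub:u:4096:1:1111111111111111:1400000000:::u:::scESC:
uid:u::::1400000000::::Alice (constructed) <alice@example.org>:
sig:::1:1111111111111111:1400000000::::Alice (constructed) <alice@example.org>:13x:::::8:
sig:::17:2222222222222222:1420000000::::Bob (constructed) <bob@example.org>:10x:::::2:
sig:::1:3333333333333333:1580000000::::Carol (constructed) <carol@example.org>:10x:::::2:
sig:::1:4444444444444444:1580000000::::Dave (constructed) <dave@example.org>:10x:::::8:
sub:u:4096:1:5555555555555555:1400000000::::::e:
sig:::1:1111111111111111:1400000000:::::18x:::::2:
""".splitlines()

if __name__ == "__main__":
    for cert in find_sha1_certs(SAMPLE, cutoff=1550000000):  # constructed cutoff
        print(cert)
```
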