Thanks for reporting this - FYI you can see the status of each CVE via the CVE tracker http://people.canonical.com/~ubuntu-security/cve/ i.e. https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7526.html

This CVE was triaged against libgcrypt only - not against gnupg1 - and all the upstream CVE trackers only seem to reference this CVE against libgcrypt. I can see the mention of CVE-2017-7526 on their homepage for GnuPG 1.4.23; however, looking at the changes for 1.4.23 I can see no commits that appear relevant to this CVE: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=shortlog;h=refs/heads/STABLE-BRANCH-1-4

However, if we look at the changes that went into 1.4.22 then there are a bunch of changes which look analogous to the ones for libgcrypt for CVE-2017-7526:

https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=b38f4489f75e6e435886aa885807738a22c7ff60
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=12029f83fd0ab3e8ad524f6c9135854662fddfd1
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=554ded4854758bf6ca268432fa087f946932a409
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=8fd9f72e1b2e578e45c98c978cab4f6d47683d2c

Also I can't see any release announcements for 1.4.22 or 1.4.23 in gnupg-announce either, which is unfortunate.

I will retriage this against gnupg1 as well and this will be fixed soon.

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1785176

Title: GnuPG 1.4.23 released on 2018-06-11, addresses CVE-2017-7526
