CVE-2014-4617
gnupg2 - security update
EPSS 8.0%
Description
The do_uncompress function in g10/compress.c in GnuPG 1.x before 1.4.17 and 2.x before 2.0.24 allows context-dependent attackers to cause a denial of service (infinite loop) via malformed compressed packets, as demonstrated by an a3 01 5b ff byte sequence.
How to fix CVE-2014-4617
To remediate CVE-2014-4617, upgrade the affected package to a fixed version below.
- Debian/gnupg—upgrade to 1.4.10-4+squeeze5 or later
- Debian/gnupg—upgrade to 1.4.12-7+deb7u4 or later
- Debian/gnupg2—upgrade to 2.0.24-1 or later
- —upgrade to 2.0.14-2+squeeze2 or later
- —upgrade to 2.0.19-2+deb7u2 or later
Is CVE-2014-4617 being exploited?
Moderate — EPSS is 8.0%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (5)
- from 0, < 1.4.10-4+squeeze5
- from 0, < 1.4.12-7+deb7u4
- from 0, < 2.0.24-1
- from 0, < 2.0.14-2+squeeze2
- from 0, < 2.0.19-2+deb7u2