Advisory ID: KYLIN-2019-13050
Severity: Medium
Product: Kylin V3
Release date: June 29, 2019
CVE: CVE-2019-13050
CVSS3 score: 6.5
Overview:
This is a certificate spamming attack against key servers that use the sks-keyserver software. Attackers were able to poison some certificates in the SKS keyserver network. When GnuPG users import these certificates, their installations will break. Currently there is no patch available for GnuPG. Users are encouraged to apply the mitigation mentioned on this page. There is currently no way to detect which certificates have been poisoned. Users of GnuPG who import only locally created certificates, or those created within their infrastructure, and later use them for verification etc. are not affected by this flaw.
Description:
Interaction between the sks-keyserver code through 1.2.0 of the SKS keyserver network, and GnuPG through 2.2.16, makes it risky to have a GnuPG keyserver configuration line referring to a host on the SKS keyserver network. Retrieving data from this network may cause a persistent denial of service, because of a Certificate Spamming Attack.
System versions:
KYLIN 3.0.x
KYLIN 3.0.x
KYLIN 3.2.x
KYLIN 3.3.x
KYLIN 3.4.x
Affected packages:
gnupg2
gnupg
gnupg2
gnupg2
gnupg2
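
The Description ties the risk to a GnuPG keyserver configuration line that refers to a host on the SKS keyserver network. The following is an added example, not part of this advisory or of GnuPG, that lists such lines in a GnuPG configuration file. The `sks-keyservers.net` domain suffix, the function names and the sample configuration are assumptions made for the illustration.

```python
import sys
from urllib.parse import urlsplit

# Assumption (not stated in the advisory): SKS pool hosts live under this domain.
SKS_SUFFIXES = ("sks-keyservers.net",)

# Constructed sample configuration, for illustration only.
SAMPLE = """\
# constructed sample gpg.conf
keyserver hkps://hkps.pool.sks-keyservers.net
#keyserver hkp://pool.sks-keyservers.net
keyserver hkps://keys.example.org
keyserver pool.sks-keyservers.net:11371
keyserver-options no-honor-keyserver-url
"""

def keyserver_host(line):
    """Return the lowercased host of an active `keyserver` line, else None."""
    parts = line.strip().split()
    if len(parts) < 2 or parts[0] != "keyserver":
        return None  # comments, blank lines and other options (keyserver-options)
    uri = parts[1] if "://" in parts[1] else "hkp://" + parts[1]  # bare host form
    try:
        return urlsplit(uri).hostname
    except ValueError:
        return None  # malformed URI; nothing to classify

def audit(conf_text):
    """Return [(line_number, host)] for keyserver lines that name an SKS host."""
    hits = []
    for number, line in enumerate(conf_text.splitlines(), 1):
        host = keyserver_host(line)
        if host and any(host == s or host.endswith("." + s) for s in SKS_SUFFIXES):
            hits.append((number, host))
    return hits

if __name__ == "__main__":
    # Pass paths such as ~/.gnupg/gpg.conf and ~/.gnupg/dirmngr.conf,
    # or run without arguments to audit the constructed sample.
    sources = sys.argv[1:]
    texts = [(p, open(p, encoding="utf-8").read()) for p in sources] or [("SAMPLE", SAMPLE)]
    for name, text in texts:
        for number, host in audit(text):
            print(f"{name}:{number}: keyserver on SKS network: {host}")
```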