VulnerableCode Package Details - pkg:deb/debian/gnupg2@2.0.26-6%2Bdeb8u2

Search for packages

Package details: pkg:deb/debian/gnupg2@2.0.26-6%2Bdeb8u2

Essentials
History (8)

purl	pkg:deb/debian/gnupg2@2.0.26-6%2Bdeb8u2

Next non-vulnerable version	2.2.40-1.1+deb12u1
Latest non-vulnerable version	2.2.40-1.1+deb12u1
Risk	4.0

Vulnerabilities affecting this package (5)

Vulnerability	Summary	Fixed by
VCID-3svh-batx-vkf1 Aliases: CVE-2018-1000858	GnuPG version 2.1.12 - 2.2.11 contains a Cross ite Request Forgery (CSRF) vulnerability in dirmngr that can result in Attacker controlled CSRF, Information Disclosure, DoS. This attack appear to be exploitable via Victim must perform a WKD request, e.g. enter an email address in the composer window of Thunderbird/Enigmail. This vulnerability appears to have been fixed in after commit 4a4bb874f63741026bd26264c43bb32b1099f060.	2.2.12-1 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-hxba-y3gf-sqf7 Aliases: CVE-2018-9234	GnuPG 2.2.4 and 2.2.5 does not enforce a configuration in which key certification requires an offline master Certify key, which results in apparently valid certifications that occurred only with access to a signing subkey.	2.2.12-1 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-m9c4-h91g-sfgu Aliases: CVE-2019-14855	A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 algorithm. An attacker could use this weakness to create forged certificate signatures. This issue affects GnuPG versions before 2.2.18.	2.2.27-2+deb11u2 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-p6xn-vjxt-3qcu Aliases: CVE-2018-12020	mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option. For example, the OpenPGP data might represent an original filename that contains line feed characters in conjunction with GOODSIG or VALIDSIG status codes.	2.1.18-8~deb9u4 Affected by 5 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 2.2.12-1 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-r49h-z2st-4kew Aliases: CVE-2022-34903	GnuPG through 2.3.6, in unusual situations where an attacker possesses any secret-key information from a victim's keyring and other constraints (e.g., use of GPGME) are met, allows signature forgery via injection into the status line.	2.2.12-1+deb10u2 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 2.2.27-2+deb11u2 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerabilities fixed by this package (1)

Vulnerability	Summary	Aliases
VCID-p6xn-vjxt-3qcu	mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option. For example, the OpenPGP data might represent an original filename that contains line feed characters in conjunction with GOODSIG or VALIDSIG status codes.	CVE-2018-12020

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-08-01T20:16:58.099457+00:00	Debian Oval Importer	Affected by	VCID-hxba-y3gf-sqf7	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	37.0.0
2025-08-01T20:14:03.086458+00:00	Debian Oval Importer	Affected by	VCID-p6xn-vjxt-3qcu	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	37.0.0
2025-08-01T18:55:10.626190+00:00	Debian Oval Importer	Affected by	VCID-m9c4-h91g-sfgu	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	37.0.0
2025-08-01T15:24:42.834921+00:00	Debian Oval Importer	Affected by	VCID-3svh-batx-vkf1	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	37.0.0
2025-08-01T13:52:14.179818+00:00	Debian Oval Importer	Affected by	VCID-r49h-z2st-4kew	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	37.0.0
2025-08-01T11:39:51.951937+00:00	Debian Oval Importer	Affected by	VCID-r49h-z2st-4kew	https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2	37.0.0
2025-08-01T11:08:42.094962+00:00	Debian Oval Importer	Affected by	VCID-p6xn-vjxt-3qcu	https://www.debian.org/security/oval/oval-definitions-stretch.xml.bz2	37.0.0
2025-08-01T10:24:41.154172+00:00	Debian Oval Importer	Fixing	VCID-p6xn-vjxt-3qcu	https://www.debian.org/security/oval/oval-definitions-jessie.xml.bz2	37.0.0