Genkin, Pipman and Tromer discovered a side-channel attack on Elgamal encryption subkeys (CVE-2014-5270 ). In addition, this update hardens GnuPG's behaviour when treating keyserver responses GnuPG now filters keyserver responses to only accepts those keyid's actually requested by the user.

For the stable distribution (wheezy), this problem has been fixed in version 1.4.12-7+deb7u6. For the testing (jessie) and unstable distribution (sid), this problem has been fixed in version 1.4.18-4. We recommend that you upgrade your gnupg packages.

GnuPG is GNU's tool for secure communication and data storage. It can be used to encrypt data and to create digital signatures. It includes an advanced key management facility and is compliant with the proposed OpenPGP Internet standard as described in RFC 4880.

gnupg on Debian Linux

This check tests the installed software version using the apt package manager.

• http://www.debian.org/security/2014/dsa-3024.html

---

Updated on 2015-03-25