Bug 1770900 (CVE-2019-14855) - CVE-2019-14855 gnupg2: OpenPGP Key Certification Forgeries with SHA-1
Summary: CVE-2019-14855 gnupg2: OpenPGP Key Certification Forgeries with SHA-1
Alias: CVE-2019-14855
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1815380 1815379
Blocks: 1759069
Reported: 2019-11-11 13:18 UTC by Marian Rehak
Modified: 2020-03-23 11:45 UTC (History)

Fixed In Version: gnupg2 2.2.18
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the way OpenPGP key certification signatures are created when SHA-1 is used as the digest algorithm: collisions found in SHA-1 make it possible to forge certification signatures. An attacker could use this weakness to create forged certificate signatures.
Clone Of:
Last Closed: 2020-03-20 10:31:46 UTC


Description Marian Rehak 2019-11-11 13:18:28 UTC
OpenPGP Key Certification Forgeries with SHA-1. Older versions of OpenPGP implementations will default to using SHA-1, which is not secure.

Comment 1 Huzaifa S. Sidhpurwala 2020-03-20 05:12:43 UTC

Name: Werner Koch (GnuPG project)

Comment 2 Huzaifa S. Sidhpurwala 2020-03-20 05:12:47 UTC

This flaw only affects the versions of the GnuPG package which default to signing with SHA-1. GnuPG 2.0 and above does not use SHA-1 by default and is therefore not directly affected by this flaw.
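
Whether a deployment is exposed comes down to which digest algorithm its existing key certifications were actually made with, not just what the current default is. The following Python is an added example written for this page (it is not part of this bug report and not GnuPG code): it walks an exported binary OpenPGP keyring, parses the packet headers, and flags certification and subkey-binding signatures whose digest is SHA-1 or MD5. The sample keyring is constructed inline and is only structurally valid (dummy key material, no real signatures); names such as `scan_keyring` and `SAMPLE_KEYRING` are this example's own.

```python
# Added example: flag OpenPGP certification/binding signatures made with SHA-1 or MD5.
# Illustrative code written for this page, not GnuPG's own implementation.
import struct

HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}   # RFC 4880 section 9.4
WEAK_HASHES = {1, 2}                                     # MD5, SHA-1
# Signature types that certify a user ID, bind a subkey or sign a key directly
# (RFC 4880 section 5.2.1); these are the ones a forged certification would use.
CERT_SIG_TYPES = {0x10, 0x11, 0x12, 0x13, 0x18, 0x19, 0x1F}


def iter_packets(data):
    """Yield (tag, body) for each packet; handles old- and new-format headers."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet at offset %d" % i)
        if ctb & 0x40:                                   # new-format header
            tag = ctb & 0x3F
            first = data[i + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[i + 2] + 192, 3
            elif first == 255:
                length, hdr = struct.unpack(">I", data[i + 2:i + 6])[0], 6
            else:
                raise ValueError("partial body lengths not expected in key material")
        else:                                            # old-format header
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 0:
                length, hdr = data[i + 1], 2
            elif ltype == 1:
                length, hdr = struct.unpack(">H", data[i + 1:i + 3])[0], 3
            elif ltype == 2:
                length, hdr = struct.unpack(">I", data[i + 1:i + 5])[0], 5
            else:
                raise ValueError("indeterminate-length packet not supported")
        body = data[i + hdr:i + hdr + length]
        if len(body) != length:
            raise ValueError("truncated packet at offset %d" % i)
        yield tag, body
        i += hdr + length


def signature_info(body):
    """Return (version, sigtype, hash_algo) for a v3 or v4 signature packet body."""
    version = body[0]
    if version == 4:          # v4: version, sigtype, pk algo, hash algo, ...
        return 4, body[1], body[3]
    if version == 3:          # v3: version, hashed-len(5), sigtype, time(4), keyid(8), pk algo, hash algo
        return 3, body[2], body[16]
    raise ValueError("unsupported signature version %d" % version)


def scan_keyring(data):
    """One dict per certification/binding signature in the keyring, weak digests flagged."""
    findings = []
    for tag, body in iter_packets(data):
        if tag != 2:                                     # tag 2 = signature packet
            continue
        version, sigtype, hash_algo = signature_info(body)
        if sigtype not in CERT_SIG_TYPES:                # skip data signatures etc.
            continue
        findings.append({"version": version, "sigtype": sigtype,
                         "hash": HASH_ALGOS.get(hash_algo, "unknown(%d)" % hash_algo),
                         "weak": hash_algo in WEAK_HASHES})
    return findings


# --- constructed sample keyring (structure only; no real keys or valid signatures) ---
def _pkt(tag, body):
    """Old-format packet header with a one-octet length (enough for the sample)."""
    return bytes([0x80 | (tag << 2), len(body)]) + body

def _v4_sig(sigtype, hash_algo):
    hashed = b"\x05\x02" + b"\x5d\xc9\x3b\x40"            # subpacket 2: creation time
    unhashed = b"\x09\x10" + b"\x00" * 8                   # subpacket 16: issuer key ID (dummy)
    body = bytes([4, sigtype, 1, hash_algo])               # version, type, RSA, hash algo
    body += struct.pack(">H", len(hashed)) + hashed
    body += struct.pack(">H", len(unhashed)) + unhashed
    body += b"\x00\x00"                                    # left 16 bits of hash (dummy)
    body += struct.pack(">H", 8) + b"\xAB"                 # one dummy 8-bit MPI
    return body

def _v3_sig(sigtype, hash_algo):
    return (bytes([3, 5, sigtype]) + b"\x5d\xc9\x3b\x40" + b"\x00" * 8
            + bytes([1, hash_algo]) + b"\x00\x00" + struct.pack(">H", 8) + b"\xAB")

SAMPLE_KEYRING = (
    _pkt(6, bytes([4]) + b"\x5d\xc9\x3b\x40" + bytes([1])      # dummy v4 RSA public key
         + struct.pack(">H", 8) + b"\xAB" + struct.pack(">H", 2) + b"\x03")
    + _pkt(13, b"Example <example@example.org>")               # user ID
    + _pkt(2, _v4_sig(0x13, 2))     # positive certification, SHA-1  -> weak
    + _pkt(2, _v4_sig(0x13, 8))     # positive certification, SHA-256
    + _pkt(2, _v4_sig(0x00, 2))     # binary document signature: not a certification, ignored
    + _pkt(2, _v3_sig(0x10, 1))     # old v3 generic certification, MD5 -> weak
)

if __name__ == "__main__":
    for f in scan_keyring(SAMPLE_KEYRING):
        print("v%d sigclass 0x%02x digest %-7s %s"
              % (f["version"], f["sigtype"], f["hash"], "WEAK" if f["weak"] else "ok"))
```

On a real keyring, feed the scanner the binary output of `gpg --export` (not ASCII-armored). The same field is what `gpg --list-packets` prints as `digest algo 2` for a SHA-1 signature, so that command is the quick manual cross-check; a SHA-1 self-certification on an otherwise current key is the condition Comment 2 describes, regardless of the GnuPG version now installed.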

Comment 3 Huzaifa S. Sidhpurwala 2020-03-20 05:12:52 UTC
External References:


Comment 4 Huzaifa S. Sidhpurwala 2020-03-20 05:24:01 UTC
Created gnupg1 tracking bugs for this issue:

Affects: fedora-30 [bug 1815379]
Affects: fedora-31 [bug 1815380]

Comment 5 Product Security DevOps Team 2020-03-20 10:31:46 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

