OpenPGP Key Certification Forgeries with SHA-1. Older versions of OpenPGP implementations default to using SHA-1, which is not secure.
Acknowledgments: Name: Werner Koch (GnuPG project)
Statement: This flaw only affects versions of the GnuPG package that default to signing with SHA-1. GnuPG 2.0 and above do not use SHA-1 by default and are therefore not directly affected by this flaw.
External References: https://rwc.iacr.org/2020/slides/Leurent.pdf
Created gnupg1 tracking bugs for this issue: Affects: fedora-30 [bug 1815379] Affects: fedora-31 [bug 1815380]
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-14855
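To check whether a keyring still carries the SHA-1 key certifications this flaw concerns, the following added example (not part of the original report or of GnuPG) scans `gpg --list-packets` text for User ID certifications whose digest algorithm is SHA-1. The sample listing and its key IDs are constructed, and the parser assumes the line layout that GnuPG prints for signature packets.

```python
import re

SHA1 = 2  # OpenPGP hash algorithm ID for SHA-1 (RFC 4880, section 9.4)
CERT_CLASSES = {0x10, 0x11, 0x12, 0x13}  # User ID certification signature types

# Constructed sample in the layout of `gpg --list-packets`; key IDs are made up.
SAMPLE = (
    ':public key packet:\n'
    '\tversion 4, algo 1, created 1400000000, expires 0\n'
    ':user ID packet: "Alice Example <alice@example.org>"\n'
    ':signature packet: algo 1, keyid AAAAAAAAAAAAAAAA\n'
    '\tversion 4, created 1400000000, md5len 0, sigclass 0x13\n'
    '\tdigest algo 8, begin of digest 3f 9a\n'
    ':signature packet: algo 1, keyid BBBBBBBBBBBBBBBB\n'
    '\tversion 4, created 1400000500, md5len 0, sigclass 0x10\n'
    '\tdigest algo 2, begin of digest c1 07\n'
    ':public sub key packet:\n'
    '\tversion 4, algo 1, created 1400000000, expires 0\n'
    ':signature packet: algo 1, keyid AAAAAAAAAAAAAAAA\n'
    '\tversion 4, created 1400000000, md5len 0, sigclass 0x18\n'
    '\tdigest algo 2, begin of digest 7e 55\n'
)

SIG_RE = re.compile(r"^:signature packet: algo \d+, keyid ([0-9A-Fa-f]+)")
CLASS_RE = re.compile(r"sigclass 0x([0-9A-Fa-f]{2})")
DIGEST_RE = re.compile(r"digest algo (\d+)")

def sha1_certifications(listing):
    """Return (issuer_keyid, sigclass) for each certification hashed with SHA-1."""
    findings, current = [], None
    for line in listing.splitlines():
        m = SIG_RE.match(line)
        if m:
            current = {"keyid": m.group(1).upper(), "sigclass": None}
        elif line.startswith(":"):
            current = None  # a different packet type begins here
        elif current is not None:
            m = CLASS_RE.search(line)
            if m:
                current["sigclass"] = int(m.group(1), 16)
            m = DIGEST_RE.search(line)
            # Only certifications are reported; the 0x18 subkey binding is skipped.
            if m and int(m.group(1)) == SHA1 and current["sigclass"] in CERT_CLASSES:
                findings.append((current["keyid"], current["sigclass"]))
    return findings

if __name__ == "__main__":
    for keyid, sigclass in sha1_certifications(SAMPLE):
        print(f"SHA-1 certification by {keyid} (sigclass 0x{sigclass:02x})")
```

For a real key, pass the output of `gpg --export KEYID | gpg --list-packets` to `sha1_certifications` in place of the constructed sample.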