Ubuntu
gnupg2 package

CVE tracker information in case of CVE-2018-12020

Asked by Laszlo Micsinyei

I would like to ask what is the state of this CVE: CVE-2018-12020.
The ubuntu CVE tracker for jammy shows(gnupg2):
Released (2.2.8-1ubuntu1), but the available version is 2.2.27-3ubuntu2.1.
If I read the version correctly then the available information is incorrect.
I am interested in the available information's accuracy and not whether the version will be released or not.

Question information

Language:
English Edit question
Status:
Solved
For:
Ubuntu gnupg2 Edit question
Assignee:
No assignee Edit question
Solved by:
Manfred Hampl
Solved:
Last query:
Last reply:
Revision history for this message
Manfred Hampl (m-hampl) said : 		#1

https://ubuntu.com/security/CVE-2018-12020

The patch for coping with CVE-2018-12020 has been incorporated in Ubuntu in version 2.2.8-1ubuntu1 and is contained in any version of gnupgp2 in Ubuntu with a version higher than that, so also in version 2.2.27-3ubuntu2.1

In Ubuntu's CVE pages usually only the lowest version number required for fixing the vulnerability is shown, and that information in not modified if later updates are published for other reasons.

Revision history for this message
Laszlo Micsinyei (coba285) said : 		#2

Thank you for your answer, I am still little confused.

My problem is the fix is released for this version : 2.2.8-1ubuntu1
But in jammy the available version is only : 2.2.27-3ubuntu2.1 which is the lower version right?

So the ubuntu cve tracker should say "needed" instead of "released". Am I not seeing something correctly?

Revision history for this message
Best Manfred Hampl (m-hampl) said : 		#3

27 is greater than 8, so version 2.2.27.* is a higher version than 2.2.8.*
(the relevant sorting is number based, not alphabetical)

Revision history for this message
Laszlo Micsinyei (coba285) said : 		#4

I see, this is what I have missed, thank you for the clarification.

Revision history for this message
Laszlo Micsinyei (coba285) said : 		#5

Thanks Manfred Hampl, that solved my question.