DescriptionGNOME Evolution through 3.38.3 produces a "Valid signature" message for an unknown identifier on a previously trusted key because Evolution does not retrieve enough information from the GnuPG API. NOTE: third parties dispute the significance of this issue, and dispute whether Evolution is the best place to change this behavior
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
evolution (PTS)buster3.30.5-1.1vulnerable
bullseye (security), bullseye3.38.3-1+deb11u2vulnerable
sid, trixie3.50.3-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs


GNOME Evlolution upstreams claims that the issue should be fixed completely
on the GnuPG side, whilst the reporter claims theat GnuPG provides what is
needed to adress it on evolution's side.

Search for package or bug name: Reporting problems