CVE-2019-14855: 
NixOS vulnerability analysis and mitigation

A flaw was discovered in GnuPG (CVE-2019-14855) that allowed certificate signatures to be forged using collisions found in the SHA-1 algorithm. The vulnerability affects GnuPG versions before 2.2.18 and was disclosed in late 2019. An attacker could exploit this weakness to create forged certificate signatures (NVD, MITRE).

The vulnerability stems from weaknesses in the SHA-1 algorithm when used for certificate signatures. GnuPG 2.2.18 addressed this by removing validation of SHA-1 based key signatures created after January 19, 2019. The issue has a CVSS v3.1 base score of 7.5 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The vulnerability particularly impacts dsa1024 keys used in the Web-of-Trust system (GnuPG Dev, NVD).

The vulnerability could allow attackers to forge certificate signatures, potentially compromising the Web-of-Trust system in GnuPG. This particularly affects systems using SHA-1 based signatures and dsa1024 keys. The impact is considered high for confidentiality but does not affect integrity or availability (NVD, Ubuntu).

The vulnerability was fixed in GnuPG version 2.2.18 by disabling SHA-1 signatures created after January 19, 2019. For environments still requiring SHA-1 signatures, a new option --allow-weak-key-signatures was introduced to override this behavior. Users are recommended to upgrade to GnuPG 2.2.18 or later (GnuPG Announce, Ubuntu).