Gnu · Gnupg · CVE-2018-9234
**Name of the Vulnerable Software and Affected Versions**
GnuPG versions 2.2.4 through 2.2.5
**Description**
The issue concerns a configuration where key certification does not require an offline master Certify key. This results in apparently valid certifications that can occur with access to only a signing subkey.
**Recommendations**
For GnuPG versions 2.2.4 and 2.2.5, consider configuring the system to enforce the use of an offline master Certify key for key certification to prevent apparently valid certifications from occurring with access to only a signing subkey.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.