CVE-2025-43023
Publication date 28 July 2025
Last updated 23 February 2026
Ubuntu priority
Description
A potential security vulnerability has been identified in the HP Linux Imaging and Printing Software documentation. This potential vulnerability is due to the use of a weak code signing key, Digital Signature Algorithm (DSA).
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| hplip | 25.10 questing | Ignored (see notes) |
| hplip | 24.04 LTS noble | Ignored (see notes) |
| hplip | 22.04 LTS jammy | Ignored (see notes) |
| hplip | 20.04 LTS focal | Ignored (see notes) |
| hplip | 18.04 LTS bionic | Ignored (see notes) |
| hplip | 16.04 LTS xenial | Ignored (see notes) |
Notes
mdeslaur
This CVE is for the use of a DSA key to sign the upstream installer. Starting with 3.25.2, HP switched to a newer GPG key, available here: https://developers.hp.com/hp-linux-imaging-and-printing/hplipDigitalCertificate.html

In the hplip-data binary package, the DSA key is located in /usr/share/hplip/signing-key.asc and is loaded by /usr/share/hplip/base/validation.py. This is used by, amongst others, the hp-plugin tool to download the binary plugin installer package. The hp-plugin tool will download both a *run file and a *run.asc file that matches the exact version of the hplip package.

While the 3.25.2 and later binary plugins are signed with the new hplip GPG key, the older versions of the packages are not. Hence, we are not able to modify stable releases to use the new GPG key as the plugins being downloaded were not signed with it. Marking this CVE as ignored since it cannot be fixed.
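The note above describes the trust chain: hp-plugin fetches the plugin installer and its detached signature and checks them against the key shipped in /usr/share/hplip/signing-key.asc. The following is an added example, not code from this tracker page, from Ubuntu or from hplip's validation.py, that a practitioner can run against that file to see which public-key algorithm and key size it actually carries, and that flags a DSA primary key. The 3072-bit RSA floor is an assumed policy threshold, and the two sample keys are constructed from dummy numbers purely so the parser can be exercised offline; they are not real key material.

```python
"""Report the algorithm and size of the keys in an ASCII-armored OpenPGP key block.
Added example, not hplip's validation.py: dearmor the file, walk the OpenPGP
packets (RFC 4880) and flag a DSA/Elgamal or short RSA primary key."""
import base64
ALGO_NAMES = {1: "RSA", 2: "RSA-E", 3: "RSA-S", 16: "Elgamal", 17: "DSA",
              18: "ECDH", 19: "ECDSA", 22: "EdDSA"}   # RFC 4880 section 9.1
WEAK_ALGOS = {16, 17}   # DSA/Elgamal: the weakness this CVE is about
MIN_RSA_BITS = 3072     # assumed policy threshold for this example

def crc24(data: bytes) -> int:
    """Armor checksum (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(packets: bytes) -> str:
    """Wrap raw packets in public-key-block armor with a CRC24 trailer."""
    body = base64.b64encode(packets).decode()
    check = base64.b64encode(crc24(packets).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n"
            + "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
            + "\n=" + check + "\n-----END PGP PUBLIC KEY BLOCK-----\n")

def dearmor(text: str) -> bytes:
    """Strip the armor and verify its CRC24; raises ValueError on corruption."""
    lines = text.strip().splitlines()
    if not (lines[0].startswith("-----BEGIN PGP") and lines[-1].startswith("-----END PGP")):
        raise ValueError("not an armored OpenPGP block")
    body = lines[1:-1]
    if "" in body:                      # drop armor headers (Version:, Comment:, ...)
        body = body[body.index("") + 1:]
    check = base64.b64decode(body.pop()[1:]) if body[-1].startswith("=") else None
    data = base64.b64decode("".join(body))
    if check is not None and int.from_bytes(check, "big") != crc24(data):
        raise ValueError("armor CRC24 mismatch")
    return data

def iter_packets(data: bytes):
    """Yield (tag, body) per packet, old- and new-format headers (RFC 4880 section 4.2)."""
    pos = 0
    while pos < len(data):
        ctb, pos = data[pos], pos + 1
        if not ctb & 0x80:
            raise ValueError("bad packet header")
        if ctb & 0x40:                                  # new-format header
            tag, first, pos = ctb & 0x3F, data[pos], pos + 1
            if first < 192:
                length = first
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos] + 192, pos + 1
            elif first == 255:
                length, pos = int.from_bytes(data[pos:pos + 4], "big"), pos + 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                                           # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            size = (1, 2, 4)[ltype]
            length, pos = int.from_bytes(data[pos:pos + size], "big"), pos + size
        yield tag, data[pos:pos + length]
        pos += length

def parse_public_key(body: bytes) -> dict:
    """Decode a v4 public-key/subkey packet body (RFC 4880 section 5.5.2)."""
    if body[0] != 4:
        raise ValueError(f"unsupported key packet version {body[0]}")
    algo = body[5]                      # after version (1) and creation time (4)
    # RSA/DSA/Elgamal start with n or p, whose MPI bit count is the key size; EC keys
    # start with a curve OID instead, so no size is reported for them.
    bits = int.from_bytes(body[6:8], "big") if algo in (1, 2, 3, 16, 17) else None
    return {"algo_id": algo, "algorithm": ALGO_NAMES.get(algo, str(algo)), "bits": bits}

def inspect_key(armored: str) -> list:
    """Primary key first, then subkeys (packet tags 6 and 14)."""
    return [parse_public_key(b) for tag, b in iter_packets(dearmor(armored)) if tag in (6, 14)]

def is_weak_signing_key(armored: str) -> bool:
    """True when the primary key is DSA/Elgamal, or RSA below MIN_RSA_BITS."""
    k = inspect_key(armored)[0]
    return k["algo_id"] in WEAK_ALGOS or (k["algo_id"] in (1, 3) and k["bits"] < MIN_RSA_BITS)

def mpi(value: int) -> bytes:
    """2-byte bit count followed by the big-endian value (RFC 4880 section 3.2)."""
    bits = value.bit_length()
    return bits.to_bytes(2, "big") + value.to_bytes((bits + 7) // 8, "big")

def sample_key(algo: int, *values: int) -> str:
    """Constructed v4 public-key packet with dummy MPIs: parses correctly, not a usable key."""
    body = b"\x04" + bytes(4) + bytes([algo]) + b"".join(mpi(v) for v in values)
    return armor(bytes([0x80 | (6 << 2) | 1]) + len(body).to_bytes(2, "big") + body)

# Constructed samples (dummy numbers, not real key material): a 1024-bit DSA key of the
# kind the CVE describes, and a 4096-bit RSA key for contrast.
DSA_1024 = sample_key(17, (1 << 1023) | 1, (1 << 159) | 1, 2, (1 << 1023) | 3)
RSA_4096 = sample_key(1, (1 << 4095) | 1, 65537)
```

On a system with hplip-data installed, `inspect_key(open("/usr/share/hplip/signing-key.asc").read())` lists the primary key and its subkeys with their algorithm and size, and `is_weak_signing_key` on the same text gives the yes/no answer. The parser deliberately rejects partial-body and indeterminate packet lengths and a bad CRC24 rather than guessing, since a trust anchor that does not parse cleanly should not be accepted silently. It only inspects the key: signature verification of the downloaded *run.asc is still gpg's job, and, as the note explains, the actual fix is upstream plugins signed with the newer key.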