Attached is my patch for Stretch, based on the upstream patch.

I am a bit uneasy about applying this and marking CVE-2019-11841 as
fixed, because contrary to what upstream say I don't think
CVE-2019-11841 is actually fixed. From the CVE description:

    [...] However, the Go clearsign package ignores the value of this
    header, which allows an attacker to spoof it. Consequently, an
    attacker can lead a victim to believe the signature was generated
    using a different message digest algorithm than what was actually
    used. [...]

The upstream patch has done nothing to address this.
--
Brian May <bam@debian.org>
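
The check the quoted CVE description says is missing, as an added example that is not part of the original message, the attached patch or the upstream code: it compares the cleartext "Hash:" armor header with the digest algorithm recorded in the signature packet. It uses only the Go standard library rather than the clearsign package; `CheckHashHeader` and `sample` are hypothetical names, and treating an absent header as a mismatch is an assumed policy.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
)

// OpenPGP hash algorithm IDs (RFC 4880, section 9.4) and their armor header names.
var hashNames = map[byte]string{1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}

// CheckHashHeader returns the cleartext "Hash:" header value, the digest named in the
// v4 signature packet, and whether the header lists that digest (false when absent).
func CheckHashHeader(msg string) (declared, actual string, ok bool, err error) {
	msg = strings.ReplaceAll(msg, "\r\n", "\n")
	head, _, _ := strings.Cut(msg, "\n\n") // message armor headers end at the first blank line
	if i := strings.Index(head, "\nHash:"); i >= 0 {
		declared = strings.ToUpper(strings.ReplaceAll(strings.Split(head[i+6:], "\n")[0], " ", ""))
	}
	_, sig, _ := strings.Cut(msg, "\n-----BEGIN PGP SIGNATURE-----")
	_, sig, _ = strings.Cut(sig, "\n\n")       // skip the signature block's own armor headers
	sig, _, _ = strings.Cut(sig, "\n-----END") // drop the armor tail
	sig, _, _ = strings.Cut(sig, "\n=")        // drop the CRC-24 line if present
	pkt, err := base64.StdEncoding.DecodeString(strings.ReplaceAll(sig, "\n", ""))
	if err != nil || len(pkt) < 2 || pkt[0]&0x80 == 0 {
		return declared, "", false, fmt.Errorf("no OpenPGP packet found in signature armor")
	}
	tag, hdr := (pkt[0]>>2)&0x0F, 1+(1<<(pkt[0]&3)) // old format: 1, 2 or 4 length octets
	if pkt[0]&0x40 != 0 {                           // new format: 1 or 2 length octets handled
		tag, hdr = pkt[0]&0x3F, 2+int(pkt[1]/192)
	}
	if tag != 2 || len(pkt) < hdr+4 || pkt[hdr] != 4 {
		return declared, "", false, fmt.Errorf("expected a v4 signature packet")
	}
	actual = hashNames[pkt[hdr+3]] // empty for an id that is not in the table
	ok = actual != "" && strings.Contains(","+declared+",", ","+actual+",")
	return declared, actual, ok, nil
}

// sample builds a constructed, header-only message; its packet is not a verifiable signature.
func sample(hashHeader string, hashID byte) string {
	pkt := base64.StdEncoding.EncodeToString([]byte{0xC2, 6, 4, 1, 1, hashID, 0, 0})
	return "-----BEGIN PGP SIGNED MESSAGE-----\nHash: " + hashHeader + "\n\nhello\n" +
		"-----BEGIN PGP SIGNATURE-----\n\n" + pkt + "\n-----END PGP SIGNATURE-----\n"
}

func main() {
	fmt.Println(CheckHashHeader(sample("SHA512", 2))) // constructed: header SHA512, packet SHA1
}
```

A caller would run this alongside signature verification and reject or flag the message when `ok` is false; it does not verify the signature itself.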