
gnupg RC bugs

James, there are two grave bugs in gnupg; this mail is intended as a
friendly reminder and to offer a few suggestions.

The version in sarge[0] is vulnerable to a data-loss bug caused by data
being encrypted to the wrong key (299814) and to a security bug about
using gnupg as an oracle in automated environments (300859).  The latter
bug affects sid too.

So there are several ways you can fix this problem:
* Update to 1.4.1.
* Apply the patch in 300859 to 1.4.0.
* Update to 1.2.8.  This would either require an epoch, or it would
require going directly to t-p-u or t-s.
* Apply the patch in 299814 to 1.2.5, and remold the patch in 300859 to
fit with 1.2.5.  The latter will probably take some work, considering
that 1.2 and 1.4 are rather different internally.
* Apply the patch in 299814 to 1.2.5, and pull a patch between 1.2.5 and
1.2.8 (only relevant bits included) from CVS.

Some of these may or may not be acceptable to -release.

I really don't care what suggestion you take, or even if you ignore me
completely, but I think it would be good if the bugs got fixed,
especially since gnupg is a rather important package and this will get
us two bugs closer to release.

Thank you for considering this.

[0] Which is why I am Cc:ing debian-release.


