
Bug#834326: jessie-pu: package gnupg/1.4.18-7+deb8u2



Control: tags -1 + moreinfo confirmed

On Thu, 2016-08-18 at 07:25 +0200, Salvatore Bonaccorso wrote:
> Control: retitle -1 jessie-pu: package gnupg/1.4.18-7+deb8u3
> 
> On Sun, Aug 14, 2016 at 03:58:28PM +0200, Salvatore Bonaccorso wrote:
> > I would like to propose the following hardening to src:gnupg which was
> > found during the analysis of a vulnerability report to the security team
> > and related to
> > https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_razavi.pdf
> > and developed by NIIBE Yutaka. The underlying problem in hardware cannot
> > be solved in software (and thus we don't want to issue a DSA for it, and
> > give possibly this false impression), and as pointed out by Florian
> > there are some other open questions regarding the paper and the attacks
> > described there.
[...]
> This all still holds, but I have rebased the patch on top of the update
> via jessie-security.

Overall I think I'm happy to trust the maintainers on this, but would
like a KiBi-ack due to d-i making use of at least gpgv.

Regards,

Adam

