
Re: pgp in Debian: obsolete?



* Ian Beckwith:

> On Sat, Aug 07, 2004 at 09:17:38PM +0200, Florian Weimer wrote:
>> Both PGP 5 and 6.5 have security issues which haven't been fixed
>> upstream (because there isn't any upstream anymore).  There are some
>> pirated versions of 6.5.8 that incorporate fixes, but Debian certainly
>> shouldn't encourage distribution of them.
>
> Hmm.
>
> Do you have links to documentation of these issues

IIRC, there's a buffer overflow in the UID handling that has never
been published.  Then there's the Klima-Rosa attack, the lack of an
MDC (Modification Detection Code), and one or more user ID handling
bugs (see <http://www.bluering.nl/pgp/useridbug.txt>).

I once worked on an OpenPGP implementation vulnerability matrix, but
this topic isn't very interesting anymore.  For me at least, there's
just GnuPG.
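The message above lists the missing MDC as one of the unfixed weaknesses in PGP 5 and 6.5. The following is an added example, not code from the original message or from any PGP or GnuPG release, that shows what the Modification Detection Code of RFC 4880 section 5.13 buys: SHA-1 over the plaintext plus the two-octet header 0xD3 0x14 is appended to the plaintext and encrypted with it, so a bit-flip in the CFB ciphertext is caught on decryption instead of being silently accepted. It assumes a simplified CFB setup (Go's 128-bit-segment AES-CFB with a fixed zero IV rather than OpenPGP's random prefix block and resync, and no packet framing); the key, message, and the `sealLegacy`/`openLegacy`/`sealMDC`/`openMDC`/`tamper` names are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha1"
	"crypto/subtle"
	"errors"
	"fmt"
)

// mdcHeader is the MDC packet header (tag 19, length 20) that RFC 4880
// section 5.13 places in front of the SHA-1 digest.
var mdcHeader = []byte{0xD3, 0x14}

// cfb runs AES-CFB over data. CFB is a stream construction, so the same
// function with encrypt=false decrypts. Assumption: a fixed zero IV, which is
// a demo simplification; real OpenPGP uses a random prefix block instead.
func cfb(key, data []byte, encrypt bool) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	out := make([]byte, len(data))
	var s cipher.Stream
	if encrypt {
		s = cipher.NewCFBEncrypter(block, iv)
	} else {
		s = cipher.NewCFBDecrypter(block, iv)
	}
	s.XORKeyStream(out, data)
	return out, nil
}

// sealLegacy models the PGP 5/6.5 situation: the ciphertext carries no
// integrity check at all.
func sealLegacy(key, plaintext []byte) ([]byte, error) {
	return cfb(key, plaintext, true)
}

// openLegacy decrypts and returns whatever comes out, however it was altered.
func openLegacy(key, ct []byte) ([]byte, error) {
	return cfb(key, ct, false)
}

// sealMDC appends 0xD3 0x14 and SHA-1 over everything before the digest,
// then encrypts plaintext, header and digest together.
func sealMDC(key, plaintext []byte) ([]byte, error) {
	body := append(append([]byte{}, plaintext...), mdcHeader...)
	sum := sha1.Sum(body)
	body = append(body, sum[:]...)
	return cfb(key, body, true)
}

// openMDC decrypts, recomputes the digest and rejects any mismatch.
func openMDC(key, ct []byte) ([]byte, error) {
	pt, err := cfb(key, ct, false)
	if err != nil {
		return nil, err
	}
	if len(pt) < len(mdcHeader)+sha1.Size {
		return nil, errors.New("ciphertext too short to carry an MDC")
	}
	split := len(pt) - sha1.Size
	sum := sha1.Sum(pt[:split])
	if subtle.ConstantTimeCompare(sum[:], pt[split:]) != 1 ||
		!bytes.Equal(pt[split-len(mdcHeader):split], mdcHeader) {
		return nil, errors.New("MDC check failed: ciphertext was modified")
	}
	return pt[:split-len(mdcHeader)], nil
}

// tamper flips bits in one ciphertext byte. In CFB the same bits flip in the
// decrypted byte at that offset and only the following block is garbled, so
// the first block of a message can be edited without knowing the key.
func tamper(ct []byte, off int, mask byte) []byte {
	out := append([]byte{}, ct...)
	out[off] ^= mask
	return out
}

func main() {
	key := []byte("0123456789abcdef")            // constructed 128-bit key
	msg := []byte("transfer 100 to account 42") // constructed plaintext
	legacy, _ := sealLegacy(key, msg)
	withMDC, _ := sealMDC(key, msg)
	// '1' ^ '9' == 0x08: turn "100" into "900" at offset 9 of the ciphertext.
	got, _ := openLegacy(key, tamper(legacy, 9, 0x08))
	fmt.Printf("no MDC, decrypts to: %q (rest garbled)\n", got[:16])
	_, err := openMDC(key, tamper(withMDC, 9, 0x08))
	fmt.Println("with MDC:", err)
}
```

The MDC is not a MAC: it is an unkeyed hash protected only by the encryption, and it is checked after decryption, which is why an implementation must not act on the plaintext, or report the reason for failure in detail, before the check passes.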


