Re: pgp in Debian: obsolete?
* Ian Beckwith:
> On Sat, Aug 07, 2004 at 09:17:38PM +0200, Florian Weimer wrote:
>> Both PGP 5 and 6.5 have security issues which haven't been fixed
>> upstream (because there isn't any upstream anymore). There are some
>> pirated versions of 6.5.8 that incorporate fixes, but Debian certainly
>> shouldn't encourage distribution of them.
> Do you have links to documentation of these issues?
IIRC, there's a buffer overflow in the UID handling that has never
been published. Then there's the Klima-Rosa attack, the lack of an
MDC (Modification Detection Code), and one or more user ID handling
bugs (see <http://www.bluering.nl/pgp/useridbug.txt>).
I once worked on an OpenPGP implementation vulnerability matrix, but
this topic isn't very interesting anymore. For me at least, there's
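The "lack of an MDC" point above is visible in the packet framing itself: an OpenPGP message whose encrypted data is the old Symmetrically Encrypted Data packet (tag 9) carries no Modification Detection Code, while the Integrity Protected packet (tag 18) does. As an added example that is not from this thread, a small RFC 4880 packet walker that reports which kind a message uses; the sample packets are constructed with dummy bodies, not real ciphertext.

```python
# Added example, not code from the thread: walk the packet headers of a binary
# OpenPGP message (RFC 4880 old and new header formats) and report whether its
# encrypted data packet is tag 9 (no MDC) or tag 18 (integrity protected).
SED, SEIPD = 9, 18


def iter_packets(data: bytes):
    """Yield (tag, body) for each top-level packet in an OpenPGP message."""
    i = 0
    while i < len(data):
        ctb = data[i]; i += 1
        if not ctb & 0x80:
            raise ValueError(f"bad packet header at offset {i - 1}")
        if ctb & 0x40:  # new-format header: tag in low 6 bits, variable length
            tag, body = ctb & 0x3F, b""
            while True:
                l = data[i]; i += 1
                if l < 192:
                    n, partial = l, False
                elif l < 224:
                    n, partial = ((l - 192) << 8) + data[i] + 192, False; i += 1
                elif l == 255:
                    n, partial = int.from_bytes(data[i:i + 4], "big"), False; i += 4
                else:  # partial body length: another length octet follows the chunk
                    n, partial = 1 << (l & 0x1F), True
                body += data[i:i + n]; i += n
                if not partial:
                    break
        else:  # old-format header: tag in bits 2-5, length type in bits 0-1
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 3
            if ltype == 3:  # indeterminate length: packet runs to end of input
                n = len(data) - i
            else:
                size = (1, 2, 4)[ltype]
                n = int.from_bytes(data[i:i + size], "big"); i += size
            body = data[i:i + n]; i += n
        yield tag, body


def has_mdc(data: bytes):
    """True for tag 18 (tampering detectable), False for a bare tag 9 packet
    (no integrity check at all), None if there is no encrypted data packet."""
    for tag, _ in iter_packets(data):
        if tag in (SED, SEIPD):
            return tag == SEIPD
    return None


# Constructed sample packets: dummy bodies, not real ciphertext.
SKESK = bytes([0x8C, 4, 0x04, 0x09, 0x00, 0x00])     # old format, tag 3
NO_MDC = bytes([0xA4, 4, 0xDE, 0xAD, 0xBE, 0xEF])    # old format, tag 9
WITH_MDC = bytes([0xD2, 4, 0xDE, 0xAD, 0xBE, 0xEF])  # new format, tag 18
```

A message that parses as tag 9 should be treated as unverified content, since nothing in it lets the recipient detect modification of the ciphertext.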