[vox] [Fwd: Key validity bug in GnuPG 1.2.1 and earlier]
Peter Jay Salzman
vox@lists.lugod.org
Mon, 5 May 2003 10:24:33 -0700
begin ME <dugan@passwall.com>
> I know many of you use GPG, so I'm passing this on. This is likely not a
> serious issue for most of you. FYI:
>
> ---------------------------- Original Message ----------------------------
> Subject: Key validity bug in GnuPG 1.2.1 and earlier
> From: "David Shaw" <dshaw@jabberwocky.com>
> Date: Sat, May 3, 2003 18:35
> To: bugtraq@securityfocus.com
> --------------------------------------------------------------------------
>
> As part of the development of GnuPG 1.2.2, a bug was discovered in the key
> validation code. This bug causes keys with more than one user ID to give
> all user IDs on the key the amount of validity given to the most-valid
> key.
(snip)
> This bug has been fixed in the newly released GnuPG 1.2.2, and
> upgrading is the recommended fix for this problem.
nota bene: both debian/testing and debian/unstable are currently at gnupg/1.2.1.
debian/stable is at gnupg/1.0.6.
so all three branches are vulnerable.
pete
--
GPG Instructions: http://www.dirac.org/linux/gpg
GPG Fingerprint: B9F1 6CF3 47C4 7CD8 D33E 70A9 A3B9 1945 67EA 951D
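
A check for the advisory quoted above, added here as an example (not part of the original thread and not GnuPG code): it tests a `gpg --version` banner against the fixed release 1.2.2 and, from `gpg --with-colons --list-keys` output, lists the keys carrying more than one user ID, which are the ones whose per-user-ID validity is worth re-checking after the upgrade. The sample listing, key IDs and names are constructed, and the field positions (2 = validity, 5 = key ID, 10 = user ID) are assumed from GnuPG's colon listing format.

```python
import re

FIXED = (1, 2, 2)  # first release with the fix, per the advisory

def is_affected(banner):
    """True if the first line of `gpg --version` names a release before 1.2.2."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no version number in %r" % banner)
    return tuple(map(int, m.groups())) < FIXED

def multi_uid_keys(listing):
    """Map key ID -> [(validity, user ID), ...] for keys with more than one user ID.

    Input is `gpg --with-colons --list-keys` text: field 2 is validity,
    field 5 the key ID, field 10 the user ID (assumed layout).
    """
    keys, current = {}, None
    for line in listing.splitlines():
        f = line.split(":")
        if len(f) < 10:
            continue
        if f[0] == "pub":
            current = f[4]
            keys[current] = []
            if f[9]:  # 1.x without --fixed-list-mode: primary user ID is on the pub line
                keys[current].append((f[1], f[9]))
        elif f[0] == "uid" and current is not None:
            keys[current].append((f[1], f[9]))
    return {k: v for k, v in keys.items() if len(v) > 1}

def _rec(rtype, validity, keyid, user_id):
    # Build one constructed colon-format record with only the fields used above.
    return ":".join([rtype, validity, "", "", keyid, "", "", "", "", user_id, ""])

# Constructed sample listing (not real keys): one two-UID key, one single-UID key.
SAMPLE = "\n".join([
    _rec("pub", "f", "AAAAAAAAAAAAAAAA", "Alice Example <alice@example.org>"),
    _rec("uid", "f", "", "Alice Example <alice@work.example>"),
    _rec("sub", "f", "BBBBBBBBBBBBBBBB", ""),
    _rec("pub", "m", "CCCCCCCCCCCCCCCC", "Bob Example <bob@example.org>"),
])

if __name__ == "__main__":
    print("1.2.1 affected:", is_affected("gpg (GnuPG) 1.2.1"))
    for keyid, uids in multi_uid_keys(SAMPLE).items():
        for validity, user_id in uids:
            print(keyid, validity, user_id)
```

On an affected version the validity column for such keys is exactly what the bug makes unreliable, so treat the output as a list of keys to review once 1.2.2 is installed.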