[vox] [Fwd: Key validity bug in GnuPG 1.2.1 and earlier]

Peter Jay Salzman vox@lists.lugod.org
Mon, 5 May 2003 10:24:33 -0700


begin ME <dugan@passwall.com> 
> I know many of you use GPG, so I'm passing this on. This is likely not a
> serious issue for most of you. FYI:
> 
> ---------------------------- Original Message ----------------------------
> Subject: Key validity bug in GnuPG 1.2.1 and earlier
> From:    "David Shaw" <dshaw@jabberwocky.com>
> Date:    Sat, May 3, 2003 18:35
> To:      bugtraq@securityfocus.com
> --------------------------------------------------------------------------
> 
> As part of the development of GnuPG 1.2.2, a bug was discovered in the key
> validation code.  This bug causes keys with more than one user ID to give
> all user IDs on the key the amount of validity given to the most-valid
> key.
 
(snip)

> This bug has been fixed in the newly released GnuPG 1.2.2, and
> upgrading is the recommended fix for this problem.

nota bene: both debian/testing and debian/unstable are currently at gnupg/1.2.1.
debian/stable is at gnupg/1.0.6.

so all three branches are vulnerable.

pete

-- 
GPG Instructions: http://www.dirac.org/linux/gpg
GPG Fingerprint: B9F1 6CF3 47C4 7CD8 D33E 70A9 A3B9 1945 67EA 951D
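
An added example, not part of the original message or of GnuPG: one way to audit a keyring for the case the advisory describes, by reading `gpg --list-keys --with-colons` output and reporting user IDs whose own validity is lower than the most-valid user ID on the same key. The sample listing is constructed, and the code assumes the colon format's field 2 is validity, field 5 the key ID and field 10 the user ID, with a validity letter present on each uid record.

```python
# Added example: find user IDs that would be over-trusted if every user ID
# on a key inherited the validity of the most-valid one.

# Validity letters from the colon listing, ranked least to most valid.
RANK = {"-": 0, "q": 0, "o": 0, "n": 1, "m": 2, "f": 3, "u": 4}
UNUSABLE = set("idre")  # invalid, disabled, revoked, expired

# Constructed sample of `gpg --list-keys --with-colons` output.
SAMPLE = """\
pub:f:1024:17:1111111111111111:2003-01-01:::-:Alice Example <alice@example.org>:
uid:-::::::::Alice Example <ceo@example.net>:
sub:f:1024:16:2222222222222222:2003-01-01::::::
pub:m:1024:17:3333333333333333:2003-02-01:::-:Bob Example <bob@example.org>:
"""

def parse_keys(listing):
    """Return {key_id: [(validity, user_id), ...]} from colon-format output."""
    keys, current = {}, None
    for line in listing.splitlines():
        f = line.split(":")
        if len(f) < 10:
            continue
        if f[0] == "pub":
            current = keys.setdefault(f[4], [])
            if f[9]:  # older listings carry the primary user ID on the pub record
                current.append((f[1] or "-", f[9]))
        elif f[0] == "uid" and current is not None:
            current.append((f[1] or "-", f[9]))
    return keys

def overtrusted_uids(listing):
    """List (key_id, user_id, own_validity, best_validity) for each user ID
    ranked below the most-valid usable user ID on a multi-UID key."""
    findings = []
    for key_id, uids in parse_keys(listing).items():
        usable = [(v, u) for v, u in uids if v not in UNUSABLE]
        if len(usable) < 2:
            continue  # single-UID keys are not affected
        best = max(usable, key=lambda vu: RANK.get(vu[0], 0))[0]
        for v, u in usable:
            if RANK.get(v, 0) < RANK.get(best, 0):
                findings.append((key_id, u, v, best))
    return findings

if __name__ == "__main__":
    for key_id, uid, own, best in overtrusted_uids(SAMPLE):
        print(f"{key_id}: {uid!r} is '{own}' but key's best user ID is '{best}'")
```

The listing reflects whatever validity the running gpg computed, so feed this output produced by a fixed release (1.2.2, per the advisory).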