Date: Fri, 08 Jun 2018 21:36:09 +0200
From: Yves-Alexis Perez <corsac@...ian.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2018-12020 in GnuPG

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi everybody,

just a heads up, since we weren't notified in advance and it's Friday evening (in Europe at least).

There's a nasty vulnerability in GnuPG which can be apparently used to bypass signature verification when a program calls gpg to verify a signature and parses the output:

https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html
https://dev.gnupg.org/T4012

It might be worth checking whether package managers' signature verification is affected. Apt doesn't seem affected at first sight (it uses gpgv) but we'll double check.

Regards,
- --
Yves-Alexis

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEE8vi34Qgfo83x35gF3rYcyPpXRFsFAlsa2qkACgkQ3rYcyPpX
RFv/vAf+MVxGn1N+UT1W6HLMnR2BJLcRI0emIAdYOW+HNoXGgAnRckQa2vbLv645
bKdrpjGR8vsMMiCNmk2vUUOuV5lhfX4XN7ik9wyLpJhJWrxTZ+OdfIPwWE7dOj3x
bsw+8gYi2gK6v274nUtFXbU2XcTCkgAlqcIfeJlhh8MLDqJ7Fka8YJO02EsW+pRa
Bu2fblFm5P4TcTMOBjoX4zRHob4S2po57vCIgbA0GKLAzzjB8vWzPbo73waozvQR
OAL69guzAFKIdVNZ4x4WOcgNoZt6/sx1DWs1+oYfhWC5TNlrK5HcfUmmZ5bq1ov3
S8SJhFB1Q7c5xyCcmza8mQSwkBrpfA==
=AI6O
-----END PGP SIGNATURE-----
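The message above only says that a program which "calls gpg to verify a signature and parses the output" can be fooled. The following is an added example, written for this page and not taken from the post, from GnuPG or from Debian, of how such a caller should consume gpg's machine-readable output. It assumes (the page itself does not spell this out) that the danger lies in reading gpg's `[GNUPG:]` status lines from the same stream as its human-readable log messages, where log text can contain attacker-chosen characters; so it gives `--status-fd` a pipe of its own, passes `--no-verbose`, refuses any non-status line on that pipe, and decides on the full fingerprint from `VALIDSIG` rather than on `GOODSIG`'s short key ID or user ID. The fingerprint, the key ID and both sample streams are constructed for the demo; `gpg_verify` needs a real gpg binary and real files, while `parse_status` and `naive_is_good` run on the constructed text.

```python
"""Safe consumption of GnuPG status output (added example, not from the post).

Assumption, not stated on the page: a caller that scans one merged stream of
gpg log messages and status lines can be fooled by log text that imitates a
status line; a caller that reads status lines from a dedicated descriptor,
and nothing else, cannot.  All fingerprints, key IDs and sample streams here
are constructed for the demo.
"""
import os
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional, Set

STATUS_PREFIX = "[GNUPG:] "

# Constructed fingerprint of the only key whose signatures we accept.
TRUSTED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"

# Constructed: a dedicated --status-fd stream for a genuine good signature.
GOOD_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>\n"
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2018-06-08 "
    "1528486569 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567\n"
    "[GNUPG:] TRUST_FULLY 0 pgp\n"
)

# Constructed: log output and status lines merged into one stream, in which a
# log message echoes attacker-chosen text that imitates GOODSIG/VALIDSIG lines,
# while the real verdict further down is BADSIG.
MERGED_SPOOFED = (
    "gpg: Signature made Fri Jun  8 21:36:09 2018 CEST\n"
    "gpg: attacker-chosen text follows\n"
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>\n"
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2018-06-08 "
    "1528486569 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567\n"
    "gpg: BAD signature from \"Example Signer <signer@example.org>\"\n"
    "[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer <signer@example.org>\n"
)


def naive_is_good(merged_output: str) -> bool:
    """The fragile pattern: grep a merged stdout/stderr/status stream for GOODSIG."""
    return "[GNUPG:] GOODSIG" in merged_output


@dataclass
class VerifyResult:
    good: bool = False
    fingerprint: Optional[str] = None
    errors: List[str] = field(default_factory=list)


def parse_status(status_text: str, trusted_fprs: Set[str]) -> VerifyResult:
    """Interpret lines read from a DEDICATED status fd.

    Such a descriptor carries nothing but [GNUPG:] lines, so any other line
    means the descriptors were wired up wrongly and the result is refused.
    Acceptance rests on VALIDSIG's full fingerprint and on the absence of any
    failure keyword; GOODSIG's short key ID and user ID are never trusted.
    """
    res = VerifyResult()
    for raw in status_text.splitlines():
        if not raw.startswith(STATUS_PREFIX):
            res.errors.append("non-status line on status fd: %r" % raw)
            continue
        fields = raw[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword == "VALIDSIG" and args:
            fpr = args[0].upper()
            if fpr in trusted_fprs:
                res.fingerprint = fpr
            else:
                res.errors.append("signature by untrusted key %s" % fpr)
        elif keyword in ("BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG",
                         "REVKEYSIG", "NODATA", "UNEXPECTED"):
            res.errors.append(raw)
    res.good = res.fingerprint is not None and not res.errors
    return res


def gpg_verify(signature: str, data: str, trusted_fprs: Set[str],
               gpg: str = "gpg") -> VerifyResult:
    """Run gpg with a status fd that is NOT stderr, and parse only that fd."""
    read_end, write_end = os.pipe()
    try:
        proc = subprocess.Popen(
            [gpg, "--batch", "--no-tty", "--no-verbose",
             "--status-fd", str(write_end), "--verify", signature, data],
            pass_fds=(write_end,),
            stdin=subprocess.DEVNULL, stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,  # diagnostics are deliberately not parsed
        )
    except OSError:
        os.close(read_end)
        raise
    finally:
        os.close(write_end)  # our copy; gpg keeps its own until it exits
    with os.fdopen(read_end, "r", encoding="utf-8", errors="replace") as status:
        text = status.read()  # EOF once gpg has exited
    proc.wait()
    return parse_status(text, trusted_fprs)


if __name__ == "__main__":
    print("naive grep on merged stream accepts spoof:", naive_is_good(MERGED_SPOOFED))
    print("status-fd parser on the same text:", parse_status(MERGED_SPOOFED, {TRUSTED_FPR}))
    print("status-fd parser on genuine status:", parse_status(GOOD_STATUS, {TRUSTED_FPR}))
```

The pinned fingerprint set is what makes the check meaningful: a good signature by some key is not the same as a good signature by the key the deployment expects, which is also why the parser ignores the human-readable user ID entirely.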