Date: Fri, 08 Jun 2018 21:36:09 +0200
From: Yves-Alexis Perez <corsac@...ian.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2018-12020 in GnuPG

Hi everybody,

just a heads up, since we weren't notified in advance and it's Friday evening (in Europe at least).

There's a nasty vulnerability in GnuPG which can apparently be used to bypass signature verification when a program calls gpg to verify a signature and parses the output:

https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html
https://dev.gnupg.org/T4012

It might be worth checking whether package managers' signature verification is affected. Apt doesn't seem affected at first sight (it uses gpgv) but we'll double check.

Regards,
-- 
Yves-Alexis
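As an added example (not from the post or from GnuPG itself), the defensive pattern for a program that shells out to gpg for verification: take the machine-readable status lines from a dedicated --status-fd pipe rather than parsing gpg's human-readable output, and accept only a VALIDSIG whose fingerprint matches a pinned key. The fingerprint and the sample status text below are constructed placeholders.

```python
import os
import subprocess

# Any of these status keywords means the signature must be treated as bad, whatever else gpg printed.
FAILURE_KEYWORDS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}
STATUS_PREFIX = "[GNUPG:] "

def parse_status(status_text, expected_fpr):
    """Return (ok, reason) from text read off the dedicated --status-fd pipe.
    Only lines carrying the status prefix are interpreted; log output is
    never fed to this function."""
    expected_fpr = expected_fpr.upper()
    saw_valid = False
    for line in status_text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        fields = line[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        if fields[0] in FAILURE_KEYWORDS:
            return False, fields[0]
        # VALIDSIG <fingerprint> <date> <timestamp> ...: pin the full
        # fingerprint, not the short key id that GOODSIG prints.
        if fields[0] == "VALIDSIG" and len(fields) > 1 and fields[1].upper() == expected_fpr:
            saw_valid = True
    return (True, "VALIDSIG") if saw_valid else (False, "no VALIDSIG for expected key")

def verify_detached(sig_path, data_path, expected_fpr, gpg="gpg"):
    """Run gpg with status lines on their own pipe, separate from stdout/stderr."""
    read_end, write_end = os.pipe()
    cmd = [gpg, "--batch", "--no-tty", "--status-fd", str(write_end),
           "--verify", sig_path, data_path]
    proc = subprocess.Popen(cmd, pass_fds=(write_end,), stdin=subprocess.DEVNULL,
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    os.close(write_end)  # drop the parent's copy so EOF arrives when gpg exits
    with os.fdopen(read_end, "r", errors="replace") as status:
        status_text = status.read()
    proc.wait()
    return parse_status(status_text, expected_fpr)

# Constructed sample of what the status pipe carries for a good signature;
# the fingerprint is a placeholder, not a real key.
PLACEHOLDER_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Placeholder <placeholder@example.invalid>\n"
    "[GNUPG:] VALIDSIG " + PLACEHOLDER_FPR + " 2018-06-08 1528486569 0 4 0 1 8 00 "
    + PLACEHOLDER_FPR + "\n"
)
```

verify_detached returns the same (ok, reason) pair for a real detached signature; the human-readable stderr is deliberately discarded, never parsed.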