Date: Wed, 31 Oct 2018 15:29:15 +0100 From: Jakub Wilk <jwilk@...lk.net> To: oss-security@...ts.openwall.com Subject: Re: Re: Travis CI MITM RCE * Daniel Kahn Gillmor <dkg@...thhorseman.net>, 2018-10-29, 08:52: >>My proposed fix was to use "gpg --recv-key" with full fingerprint. But >>I now discovered that even this is not resistant against MitM attacks: >> >>https://dev.gnupg.org/T3398 >> >>"[...] modern gpg automatically applies an import screener that only >>accepts OpenPGP certificates that have the given fingerprint [...] > >It may be even worse than this, because the version of gpg used by >default in travis is not "modern gpg", it's either gnupg2 >2.0.22-3ubuntu1.4 or gnupg 1.4.16-1ubuntu2.6. I don't think either of >these has the baseline "import screener" functionality Ubuntu Precise and later releases have the import screener backported to gnupg(2) packages: https://bugs.launchpad.net/ubuntu/+source/gnupg2/+bug/1409117 -- Jakub Wilk
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.