touch-packages team mailing list archive
-
touch-packages team
-
Mailing list archive
-
Message #46380
[Bug 1409117] Re: GPG does not verify keys received when using --recv-keys leaving communicaiton with key servers vulnerable to MITM
Fixed in 2.0.24 and 1.4.17.
** Information type changed from Private Security to Public Security
** Also affects: gnupg (Ubuntu)
Importance: Undecided
Status: New
** Bug watch added: Debian Bug tracker #725411
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725411
** Also affects: gnupg (Debian) via
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725411
Importance: Unknown
Status: Unknown
** Bug watch added: bugs.gnupg.org/gnupg/ #1579
http://bugs.gnupg.org/gnupg/issue1579
** Also affects: gnupg via
http://bugs.gnupg.org/gnupg/issue1579
Importance: Unknown
Status: Unknown
** Also affects: gnupg (Ubuntu Precise)
Importance: Undecided
Status: New
** Also affects: gnupg2 (Ubuntu Precise)
Importance: Undecided
Status: New
** Also affects: gnupg (Ubuntu Utopic)
Importance: Undecided
Status: New
** Also affects: gnupg2 (Ubuntu Utopic)
Importance: Undecided
Status: New
** Also affects: gnupg (Ubuntu Lucid)
Importance: Undecided
Status: New
** Also affects: gnupg2 (Ubuntu Lucid)
Importance: Undecided
Status: New
** Also affects: gnupg (Ubuntu Vivid)
Importance: Undecided
Status: New
** Also affects: gnupg2 (Ubuntu Vivid)
Importance: Undecided
Status: New
** Also affects: gnupg (Ubuntu Trusty)
Importance: Undecided
Status: New
** Also affects: gnupg2 (Ubuntu Trusty)
Importance: Undecided
Status: New
** Changed in: gnupg2 (Ubuntu Utopic)
Status: New => Fix Released
** Changed in: gnupg2 (Ubuntu Vivid)
Status: New => Fix Released
** Changed in: gnupg (Ubuntu Vivid)
Status: New => Fix Released
** Changed in: gnupg (Ubuntu Lucid)
Importance: Undecided => Wishlist
** Changed in: gnupg (Ubuntu Lucid)
Status: New => Confirmed
** Changed in: gnupg (Ubuntu Lucid)
Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
** Changed in: gnupg (Ubuntu Precise)
Importance: Undecided => Wishlist
** Changed in: gnupg (Ubuntu Precise)
Status: New => Confirmed
** Changed in: gnupg (Ubuntu Precise)
Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
** Changed in: gnupg (Ubuntu Trusty)
Importance: Undecided => Wishlist
** Changed in: gnupg (Ubuntu Trusty)
Status: New => Confirmed
** Changed in: gnupg (Ubuntu Trusty)
Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
** Changed in: gnupg (Ubuntu Utopic)
Importance: Undecided => Wishlist
** Changed in: gnupg (Ubuntu Utopic)
Status: New => Confirmed
** Changed in: gnupg (Ubuntu Utopic)
Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
** Changed in: gnupg2 (Ubuntu Lucid)
Importance: Undecided => Wishlist
** Changed in: gnupg2 (Ubuntu Lucid)
Status: New => Confirmed
** Changed in: gnupg2 (Ubuntu Lucid)
Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
** Changed in: gnupg2 (Ubuntu Precise)
Importance: Undecided => Wishlist
** Changed in: gnupg2 (Ubuntu Precise)
Status: New => Confirmed
** Changed in: gnupg2 (Ubuntu Precise)
Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
** Changed in: gnupg2 (Ubuntu Trusty)
Importance: Undecided => Wishlist
** Changed in: gnupg2 (Ubuntu Trusty)
Status: New => Confirmed
** Changed in: gnupg2 (Ubuntu Trusty)
Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to gnupg in Ubuntu.
https://bugs.launchpad.net/bugs/1409117
Title:
GPG does not verify keys received when using --recv-keys leaving
communicaiton with key servers vulnerable to MITM
Status in GNU Privacy Guard:
Unknown
Status in gnupg package in Ubuntu:
Fix Released
Status in gnupg2 package in Ubuntu:
Fix Released
Status in gnupg source package in Lucid:
Confirmed
Status in gnupg2 source package in Lucid:
Confirmed
Status in gnupg source package in Precise:
Confirmed
Status in gnupg2 source package in Precise:
Confirmed
Status in gnupg source package in Trusty:
Confirmed
Status in gnupg2 source package in Trusty:
Confirmed
Status in gnupg source package in Utopic:
Confirmed
Status in gnupg2 source package in Utopic:
Fix Released
Status in gnupg source package in Vivid:
Fix Released
Status in gnupg2 source package in Vivid:
Fix Released
Status in gnupg package in Debian:
Unknown
Bug description:
The patch from http://bugs.gnupg.org/gnupg/issue1579 is critical and
should be backported to 12.04; right now, it is not.
This leaves 12.04 users of GPG2 vulnerable to MITM attacks on gpg2
--recv-keys. See https://evil32.com/ for an example (the text that is
striked out; the gpg2 package on 12.04 is still vulnerable).
To manage notifications about this bug go to:
https://bugs.launchpad.net/gnupg/+bug/1409117/+subscriptions