touch-packages team mailing list archive
Message #46383
[Bug 1409117] Re: GPG does not verify keys received when using --recv-keys leaving communication with key servers vulnerable to MITM
gpg is commonly used for verifying signatures before installing packages
and is how you would get packages from Launchpad too, right? Forgive me,
but maybe wishlist is too low an importance? Obviously, your call and I
am not experienced with the project here, but I really think this should
be backported soon.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to gnupg in Ubuntu.
https://bugs.launchpad.net/bugs/1409117
Title:
GPG does not verify keys received when using --recv-keys leaving
communication with key servers vulnerable to MITM
Status in GNU Privacy Guard: Unknown
Status in gnupg package in Ubuntu: Fix Released
Status in gnupg2 package in Ubuntu: Fix Released
Status in gnupg source package in Lucid: Confirmed
Status in gnupg2 source package in Lucid: Confirmed
Status in gnupg source package in Precise: Confirmed
Status in gnupg2 source package in Precise: Confirmed
Status in gnupg source package in Trusty: Confirmed
Status in gnupg2 source package in Trusty: Confirmed
Status in gnupg source package in Utopic: Confirmed
Status in gnupg2 source package in Utopic: Fix Released
Status in gnupg source package in Vivid: Fix Released
Status in gnupg2 source package in Vivid: Fix Released
Status in gnupg package in Debian: Unknown
Bug description:
The patch from http://bugs.gnupg.org/gnupg/issue1579 is critical and
should be backported to 12.04; right now, it is not.
This leaves 12.04 users of GPG2 vulnerable to MITM attacks on gpg2
--recv-keys. See https://evil32.com/ for an example (the text that is
struck out; the gpg2 package on 12.04 is still vulnerable).
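A caller-side check for the problem this bug describes, as an added example that is not part of the original message or of GnuPG: after fetching a key, compare the full fingerprint that was requested with the primary-key fingerprint in the `gpg --with-colons --fingerprint` listing. The function names, listings and fingerprints below are constructed for illustration.

```python
import re

# Constructed listings in the shape of `gpg --with-colons --fingerprint` output.
GENUINE = """\
pub:-:4096:1:89ABCDEF01234567:1400000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1400000000::::Example User <user@example.invalid>:
sub:-:4096:1:1111222233334444:1400000000::::::e:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF1111222233334444:
"""
# Different key whose fingerprint ends in the same 8 hex digits (same short key ID).
LOOKALIKE = """\
pub:-:4096:1:FEDCBA9801234567:1400000001:::-:::scESC:
fpr:::::::::FEDCBA9876543210FEDCBA98FEDCBA9801234567:
uid:-::::1400000001::::Example User <user@example.invalid>:
"""

def normalize_fingerprint(value):
    """Accept only a full 40-hex-digit fingerprint; reject short or long key IDs."""
    fpr = re.sub(r"\s+", "", value).upper()
    if fpr.startswith("0X"):
        fpr = fpr[2:]
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError("need a full 40-hex-digit fingerprint, not a key ID")
    return fpr

def primary_fingerprints(colon_listing):
    """Return the fingerprint of each primary key (the fpr record after a pub record)."""
    found, after_pub = [], False
    for line in colon_listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            after_pub = True
        elif fields[0] == "fpr" and after_pub and len(fields) > 9:
            found.append(fields[9].upper())  # field 10 carries the fingerprint
            after_pub = False
        elif fields[0] in ("sub", "sec", "ssb"):
            after_pub = False  # fpr records that follow belong to a subkey
    return found

def received_key_matches(requested, colon_listing):
    """True only if exactly one primary key was received and it is the requested one."""
    return primary_fingerprints(colon_listing) == [normalize_fingerprint(requested)]
```
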