touch-packages team mailing list archive

Thread
Date

[Bug 1409117] Re: GPG does not verify keys received when using --recv-keys leaving communicaiton with key servers vulnerable to MITM

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: devd <ubuntu@xxxxxxx>
Date: Fri, 09 Jan 2015 22:18:50 -0000
Reply-to: Bug 1409117 <1409117@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

aah makes sense. thanks.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to gnupg in Ubuntu.
https://bugs.launchpad.net/bugs/1409117

Title:
  GPG does not verify keys received when using --recv-keys leaving
  communicaiton with key servers vulnerable to MITM

Status in GNU Privacy Guard:
  Unknown
Status in gnupg package in Ubuntu:
  Fix Released
Status in gnupg2 package in Ubuntu:
  Fix Released
Status in gnupg source package in Lucid:
  Confirmed
Status in gnupg2 source package in Lucid:
  Confirmed
Status in gnupg source package in Precise:
  Confirmed
Status in gnupg2 source package in Precise:
  Confirmed
Status in gnupg source package in Trusty:
  Confirmed
Status in gnupg2 source package in Trusty:
  Confirmed
Status in gnupg source package in Utopic:
  Confirmed
Status in gnupg2 source package in Utopic:
  Fix Released
Status in gnupg source package in Vivid:
  Fix Released
Status in gnupg2 source package in Vivid:
  Fix Released
Status in gnupg package in Debian:
  Unknown

Bug description:
  The patch from http://bugs.gnupg.org/gnupg/issue1579 is critical and
  should be backported to 12.04; right now, it is not.

  This leaves 12.04 users of GPG2 vulnerable to MITM attacks on gpg2
  --recv-keys. See https://evil32.com/ for an example (the text that is
  striked out; the gpg2 package on 12.04 is still vulnerable).

To manage notifications about this bug go to:
https://bugs.launchpad.net/gnupg/+bug/1409117/+subscriptions