Accepted gnupg 1.4.2.1-0ubuntu1 (source)
Martin Pitt
martin.pitt at ubuntu.com
Fri Feb 17 10:35:07 GMT 2006
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Fri, 17 Feb 2006 11:18:27 +0100
Source: gnupg
Binary: gnupg gpgv-udeb
Architecture: source
Version: 1.4.2.1-0ubuntu1
Distribution: dapper
Urgency: low
Maintainer: James Troup <james at nocrew.org>
Changed-By: Martin Pitt <martin.pitt at ubuntu.com>
Description:
gnupg - GNU privacy guard - a free PGP replacement
gpgv-udeb - minimal signature verification tool
Changes:
gnupg (1.4.2.1-0ubuntu1) dapper; urgency=low
.
* New upstream security bugfix release, only contains the following changes:
- Security fix for a verification weakness in gpgv. Some input
could lead to gpgv exiting with 0 even if the detached signature
file did not carry any signature. This is not as fatal as it
might seem because the suggestion has always been not to rely on
the exit code but to parse the --status-fd messages. However it
is likely that gpgv is used in that simplified way and thus we
do this release. Same problem with "gpg --verify" but nobody
should have used this for signature verification without
checking the status codes anyway. [CVE-2006-0455]
- Added a test case for above vulnerability.
* debian/rules: Call the test suite during build. (Will fail the build
if the test suite fails.)
Files:
920f5d7352b83ed2ca3d92a637cd58d0 688 utils standard gnupg_1.4.2.1-0ubuntu1.dsc
59860f8bb0e4ddb3fdac55b4e2cbfa3f 4219980 utils standard gnupg_1.4.2.1.orig.tar.gz
10e044d35facad8f57db242257cce3bd 33178 utils standard gnupg_1.4.2.1-0ubuntu1.diff.gz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.1 (GNU/Linux)
iD8DBQFD9aViDecnbV4Fd/IRAsDtAJ4wlvz0N6uPWzjk5gtqaESin9jcIQCfVvxf
JoFkWTFL1GVgRblAb9IVTFQ=
=HSxC
-----END PGP SIGNATURE-----
Accepted:
OK: gnupg_1.4.2.1-0ubuntu1.dsc
-> Component: main Section: utils
OK: gnupg_1.4.2.1.orig.tar.gz
OK: gnupg_1.4.2.1-0ubuntu1.diff.gz
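
The changelog's advice to parse the --status-fd messages instead of trusting the exit code can be followed as below; this is an added example, not code from the upload or from GnuPG. It accepts a detached signature only when the status stream carries a GOODSIG and a VALIDSIG record for a pinned fingerprint, so an exit code of 0 with no signature record is rejected. Assumptions: the function names, the one-signature policy, and the sample fingerprint, key ID and status lines are constructed for illustration.

```python
import subprocess

PREFIX = "[GNUPG:] "
# Status keywords reporting a signature that must not be accepted.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def signature_ok(status_text, trusted):
    """True only on positive proof: exactly one GOODSIG and one VALIDSIG
    whose fingerprint is in `trusted`, and no failure keyword."""
    good, fprs = 0, []
    for line in status_text.splitlines():
        if not line.startswith(PREFIX):
            continue  # ignore anything that is not a status record
        fields = line[len(PREFIX):].split()
        if not fields:
            continue
        if fields[0] in REJECT:
            return False
        if fields[0] == "GOODSIG":
            good += 1
        elif fields[0] == "VALIDSIG" and len(fields) > 1:
            fprs.append(fields[1].upper())
    return good == 1 and len(fprs) == 1 and fprs[0] in trusted

def verify_detached(keyring, sig_path, data_path, trusted):
    """Run gpgv and require both exit code 0 and an accepted status stream."""
    proc = subprocess.run(
        ["gpgv", "--status-fd", "1", "--keyring", keyring, sig_path, data_path],
        stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, text=True)
    return proc.returncode == 0 and signature_ok(proc.stdout, trusted)

# Constructed sample data: fingerprint, key ID and status lines are made up.
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
TRUSTED = {FPR}
GOOD = ("[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer\n"
        f"[GNUPG:] VALIDSIG {FPR} 2006-02-17 1140171507 0 3 0 17 2 00 {FPR}\n")
NO_SIG = "[GNUPG:] NODATA 4\n"  # status stream with no signature record
BAD = "[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer\n"

if __name__ == "__main__":
    for name, text in [("good", GOOD), ("no signature", NO_SIG), ("bad", BAD)]:
        print(name, "->", signature_ok(text, TRUSTED))
```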