Date: Sun, 31 Jul 2005 10:34:00 -0500 From: Jacques Vidrine <jacques@vidrine.us> To: Simon L.Nielsen <simon@FreeBSD.org> Cc: cvs-ports@FreeBSD.org, cvs-all@FreeBSD.org, ports-committers@FreeBSD.org Subject: Re: cvs commit: ports/security/vuxml vuln.xml Message-ID: <0FD8500C-E0DE-4CB2-B7EF-DDCF5A7B754F@vidrine.us> In-Reply-To: <200507311323.j6VDNoTB070910@repoman.freebsd.org> References: <200507311323.j6VDNoTB070910@repoman.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Jul 31, 2005, at 8:23 AM, Simon L. Nielsen wrote: > simon 2005-07-31 13:23:50 UTC > > FreeBSD ports repository > > Modified files: > security/vuxml vuln.xml > Log: > Document gnupg -- OpenPGP symmetric encryption vulnerability. > > Note: this is mainly a theoretical vulnerability. > > Revision Changes Path > 1.763 +38 -1 ports/security/vuxml/vuln.xml Thanks, Simon. Here are a couple of other points that this entry should maybe reflect: = Other software implementing OpenPGP is likely affected, e.g. the Perl Crypt::OpenPGP module (ports/security/p5-Crypt-OpenPGP) = GnuPG and others "resolved" this issue by disabling the "quick check" when using a session key derived from public key encryption. But the issue still exists when using symmetric encryption directly, e.g. with the `-c' or `--symmetric' flags to gpg. Of course in that case it is even less likely to affect a real world user. Cheers, -- Jacques A. Vidrine / NTT/Verio jacques@vidrine.us / jvidrine@verio.net / nectar@freebsd.org
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?0FD8500C-E0DE-4CB2-B7EF-DDCF5A7B754F>