[pkg-gnupg-maint] Bug#834326: jessie-pu: package gnupg/1.4.18-7+deb8u2

Cyril Brulebois kibi at debian.org
Fri Sep 2 18:58:23 UTC 2016


Hi,

Adam D. Barratt <adam at adam-barratt.org.uk> (2016-09-02):
> On Thu, 2016-08-18 at 07:25 +0200, Salvatore Bonaccorso wrote:
> > Control: retitle -1 jessie-pu: package gnupg/1.4.18-7+deb8u3
> > 
> > On Sun, Aug 14, 2016 at 03:58:28PM +0200, Salvatore Bonaccorso wrote:
> > > I would like to propose the following hardening to src:gnupg which was
> > > found during the analysis of a vulnerability report to the security team
> > > and related to
> > > https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_razavi.pdf
> > > and developed by NIIBE Yutaka. The underlying problem in hardware cannot
> > > be solved in software (and thus we don't want to issue a DSA for it, and
> > > give possibly this false impression), and as pointed out by Florian
> > > there are some other open questions regarding the paper and the attacks
> > > described there.
> [...]
> > This all still holds, but I have rebased the patch on top of the update
> > via jessie-security.
> 
> Overall I think I'm happy to trust the maintainers on this, but would
> like a KiBi-ack due to d-i making use of at least gpgv.

Yeah, looks sane enough; I'd be slightly happier if it could reach p-u
sooner rather than later (ideally before the 8th), just to make sure
nothing explodes within d-i.


KiBi.