[DRE-maint] Bug#940526: schleuder: vulnerable to signature-flooded keys

Georg Faerber georg at debian.org
Mon Sep 16 21:51:32 BST 2019

Package: schleuder
Version: 3.4.0-1
Forwarded: https://0xacab.org/schleuder/schleuder/merge_requests/291
Tags: fixed-upstream buster

Schleuder is vulnerable to signature-flooded keys.

GPG does not cope well with these keys. It will either refuse to import
them, or during and after the import become so slow as to be effectively
unusable (while hogging CPUs). This is a potential problem for Schleuder
lists, because Schleuder by default regularly updates keys from the
keyservers (in order to receive extended expiry dates, or key
revocations). Any list with an attacked key in its keyring will become
practically unusable and strain the server.

It was decided upstream to drop third-party signatures on keys, before
importing the key into the keyring of the list. These signatures are not
really important, interesting or relevant in the context of Schleuder.
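
The mitigation described above, dropping third-party certifications from a key before it reaches the list's keyring, is illustrated below in Ruby (Schleuder's own language). This is an added example, not Schleuder's code and not the change in the linked merge request: it parses an OpenPGP packet stream as laid out in RFC 4880, computes the primary key's v4 key ID, and keeps only signature packets whose Issuer subpacket names that key. The key, user ID and signatures it operates on are constructed stand-ins with no valid cryptography, built only so the filter can be run offline against a key carrying a flood of third-party signatures. Function names and the sample data are the example's own.

```ruby
require 'digest'

# Parse an OpenPGP packet stream (RFC 4880 sec. 4.2) into [tag, body] pairs; old and new headers, no partial lengths.
def parse_packets(data)
  packets = []
  i = 0
  while i < data.bytesize
    ctb = data.getbyte(i)
    raise 'not an OpenPGP packet header' if (ctb & 0x80).zero?
    i += 1
    if (ctb & 0x40) != 0                      # new-format header
      tag = ctb & 0x3f
      len, i = read_new_length(data, i)
    else                                      # old-format header, length type in low 2 bits
      tag = (ctb >> 2) & 0x0f
      fmt = %w[C n N][ctb & 0x03] or raise 'indeterminate length unsupported'
      len = data.byteslice(i, 4).unpack1(fmt)
      i += { 'C' => 1, 'n' => 2, 'N' => 4 }[fmt]
    end
    packets << [tag, data.byteslice(i, len)]
    i += len
  end
  packets
end

# New-format length field (packet headers and signature subpackets); returns [length, position after it].
def read_new_length(data, pos)
  first = data.getbyte(pos)
  if first < 192 then [first, pos + 1]
  elsif first < 224 then [((first - 192) << 8) + data.getbyte(pos + 1) + 192, pos + 2]
  elsif first == 255 then [data.byteslice(pos + 1, 4).unpack1('N'), pos + 5]
  else raise 'partial body lengths unsupported'
  end
end

# Key ID of a v4 key: low 64 bits of SHA-1(0x99 || 2-octet length || public key body).
def v4_key_id(key_body)
  Digest::SHA1.digest([0x99, key_body.bytesize].pack('Cn') + key_body)[-8, 8]
end

# Issuer key ID (8 octets) of a v4 signature, from an Issuer subpacket (type 16)
# in the hashed or unhashed area; nil if absent or if the signature is not v4.
def signature_issuer(body)
  return nil unless body.getbyte(0) == 4
  issuer, pos = nil, 4                        # skip version, sig type, pk algo, hash algo
  2.times do                                  # hashed area, then unhashed area
    count = body.byteslice(pos, 2).unpack1('n')
    pos += 2
    stop = pos + count
    while pos < stop
      len, pos = read_new_length(body, pos)   # length covers the type octet and the data
      type = body.getbyte(pos) & 0x7f         # high bit is the "critical" flag
      issuer = body.byteslice(pos + 1, 8) if type == 16 && len == 9
      pos += len
    end
  end
  issuer
end

# Re-serialise a packet behind a new-format header.
def encode_packet(tag, body)
  len = body.bytesize
  header = if len < 192 then [0xc0 | tag, len].pack('CC')
           elsif len < 8384 then [0xc0 | tag, 192 + ((len - 192) >> 8), (len - 192) & 0xff].pack('CCC')
           else [0xc0 | tag, 255, len].pack('CCN')
           end
  header + body
end

# The mitigation: keep key packets, user IDs and every signature issued by the primary key itself
# (self-certifications, subkey bindings, self-revocations); drop signatures issued by anyone else,
# and v3 or issuer-less signatures along with them.
def strip_third_party_signatures(key_data)
  packets = parse_packets(key_data)
  primary = packets.find { |tag, _| tag == 6 } or raise 'no public-key packet'
  own_id = v4_key_id(primary[1])
  packets.reject { |tag, body| tag == 2 && signature_issuer(body) != own_id }
         .map { |tag, body| encode_packet(tag, body) }.join
end

# --- Constructed stand-ins for a signature-flooded key (not a real key, no valid crypto) ---
def fake_signature(sig_type, issuer_id)
  hashed   = [5, 2, 1_568_000_000].pack('CCN')     # signature-creation-time subpacket
  unhashed = [9, 16].pack('CC') + issuer_id        # issuer subpacket
  [4, sig_type, 1, 8].pack('CCCC') +
    [hashed.bytesize].pack('n') + hashed +
    [unhashed.bytesize].pack('n') + unhashed +
    "\x12\x34".b + [8].pack('n') + "\x42".b        # left 16 bits of hash + one fake MPI
end

# One v4 RSA-shaped key, one user ID, one self-certification (0x13), `count` third-party certifications (0x10).
def build_flooded_key(count)
  mpi = ->(bytes) { [bytes.bytesize * 8].pack('n') + bytes }
  key = [4, 1_568_000_000, 1].pack('CNC') + mpi.call("\xC3\x5A\x11\x7E".b) + mpi.call("\x01\x00\x01".b)
  packets = [[6, key], [13, 'Alice <alice@example.org>'.b], [2, fake_signature(0x13, v4_key_id(key))]]
  count.times { |n| packets << [2, fake_signature(0x10, Digest::SHA1.digest("signer-#{n}")[-8, 8])] }
  packets.map { |tag, body| encode_packet(tag, body) }.join
end
```

Running strip_third_party_signatures over build_flooded_key(1000) reduces 1003 packets to three (key, user ID, self-certification). Two caveats a list operator would want: the filter also discards revocation signatures made by a designated revoker, since those are issued by another key, and it only understands v4 keys and signatures. GnuPG offers an equivalent built-in filter at import time, `--import-options import-minimal`, which removes all signatures except the most recent self-signatures; whether that or a packet-level filter like this one is what the linked merge request uses is not stated in this report.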
