[suse-security] Re: SUSE Security Announcement: gpg,liby2util signature checking problems (SUSE-SA:2006:013)
On Monday 06 March 2006 18:19, Markus Gaugusch wrote:
> On Mar 6, Malte Gell <malte.gell@xxxxxx> wrote:
> > Has there ever been evidence that
> > someone made use of this terribly severe bug?
> I don't think so. Luckily, fou4s has not used the return value at
> all during the past 3 years. It used the text output of the gpg
> --verify command and was therefore immune to that problem.
Are you sure the --verify command was not vulnerable? I thought only
--status-fd gave the correct result...?
> This also
> proves that at least on the common mirrors (ftp.gwdg.de, sometimes
> ftp.leo.org I think, and lately also suse.inode.at) no manipulated
> packages were placed.
Why is this a matter of what mirror one chooses? I thought it's only a
matter of how YOU or your fou4s checks the signatures?
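
The thread contrasts three things a checker can look at: gpg's return value, its text output, and the `--status-fd` lines. The following is an added example, not part of the original message and not fou4s or YaST code, of a checker that decides only on `--status-fd` lines and fails closed when no signature is reported; the function name, fingerprint and status lines are constructed for illustration.

```python
"""Decide signature validity from `gpg --status-fd` lines, not the exit code."""

# Status keywords after which the file must not be accepted.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NODATA"}


def signature_ok(status_text, trusted_fingerprints):
    """Return True only for exactly one good signature from a trusted key.

    status_text: what gpg wrote to the descriptor named by --status-fd,
                 e.g. from `gpg --status-fd 1 --verify pkg.sig pkg`.
    trusted_fingerprints: set of full key fingerprints the caller accepts.
    """
    good = 0
    valid_fprs = []
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue  # human-readable text is never used for the decision
        keyword, args = fields[1], fields[2:]
        if keyword in REJECT:
            return False
        if keyword == "GOODSIG":
            good += 1
        elif keyword == "VALIDSIG" and args:
            valid_fprs.append(args[0].upper())
    # Nothing reported about a signature means "not verified": fail closed.
    if good != 1 or len(valid_fprs) != 1:
        return False
    return valid_fprs[0] in trusted_fingerprints


# Constructed sample data (placeholder fingerprint, not a real key).
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
GOOD = (
    "gpg: Signature made Mon Mar  6 18:00:00 2006\n"
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Build Key\n"
    "[GNUPG:] VALIDSIG " + FPR + " 2006-03-06 1141668000\n"
)
BAD = "[GNUPG:] BADSIG 89ABCDEF01234567 Example Build Key\n"
NO_SIGNATURE = "gpg: some text output only\n"

if __name__ == "__main__":
    for name, text in (("good", GOOD), ("bad", BAD), ("none", NO_SIGNATURE)):
        print(name, signature_ok(text, {FPR}))
```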