author | simon <simon@FreeBSD.org> | 2006-02-17 17:53:58 +0800 |
---|---|---|
committer | simon <simon@FreeBSD.org> | 2006-02-17 17:53:58 +0800 |
commit | d90e8297624e645b5d6f580ba98ffe7369807ef4 (patch) | |
tree | 62de3ca156f5181a0d235757383eaaa2c593ed79 /security/vuxml | |
parent | e49fae8fa8310d3e66d04de2507e17c20bc0d519 (diff) | |
Document gnupg -- false positive signature verification.
Diffstat (limited to 'security/vuxml')
-rw-r--r-- | security/vuxml/vuln.xml | 39 |
1 files changed, 39 insertions, 0 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index 917864722628..8bd88286cf0f 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -34,6 +34,45 @@ Note: Please add new entries to the beginning of this file. --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="63fe4189-9f97-11da-ac32-0001020eed82"> + <topic>gnupg -- false positive signature verification</topic> + <affects> + <package> + <name>gnupg</name> + <range><lt>1.4.2.1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Werner Koch reports:</p> + <blockquote cite="http://marc.theaimsgroup.com/?l=gnupg-devel&m=113999098729114"> + <p>The Gentoo project identified a security related bug in + GnuPG. When using any current version of GnuPG for + unattended signature verification (e.g. by scripts and + mail programs), false positive signature verification of + detached signatures may occur.</p> + <p>This problem affects the tool *gpgv*, as well as using + "gpg --verify" to imitate gpgv, if only the exit code of + the process is used to decide whether a detached signature + is valid. This is a plausible mode of operation for + gpgv.</p> + <p>If, as suggested, the --status-fd generated output is + used to decide whether a signature is valid, no problem + exists. In particular applications making use of the + GPGME library[2] are not affected.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2006-0455</cvename> + <mlist msgid="87u0b1xdru.fsf@wheatstone.g10code.de">http://marc.theaimsgroup.com/?l=gnupg-devel&m=113999098729114</mlist> + </references> + <dates> + <discovery>2006-02-15</discovery> + <entry>2006-02-17</entry> + </dates> + </vuln> + <vuln vid="e34d0c2e-9efb-11da-b410-000e0c2e438a"> <topic>rssh -- privilege escalation vulnerability</topic> <affects> |
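Review bot: The third quoted paragraph in the new <description> keeps the footnote marker in "GPGME library[2]", but the entry has no footnote and no matching item under <references>, so the "[2]" points nowhere. Drop the marker from the quote or add the GPGME reference it pointed to. While touching the entry, confirm that the "&" in the marc.theaimsgroup.com URL, which appears in both the blockquote cite attribute and the <mlist> element, is written as "&amp;" in vuln.xml, since a bare "&" there would leave the file ill-formed.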