Package: gnupg
Version: 1.4.2-2
Severity: important
Tags: security

An excerpt from http://lists.gnupg.org/pipermail/gnupg-announce/2006q1/000211.html:
When using any current version of GnuPG for unattended signature verification (e.g. by scripts and mail programs), false positive signature verification of detached signatures may occur. This problem affects the tool *gpgv*, as well as using "gpg --verify" to imitate gpgv, if only the exit code of the process is used to decide whether a detached signature is valid. This is a plausible mode of operation for gpgv. If, as suggested, the --status-fd generated output is used to decide whether a signature is valid, no problem exists. In particular applications making use of the GPGME library[2] are not affected.

All versions of gnupg prior to 1.4.2.1 are affected if they are used in certain unattended operation modes.

This issue has been assigned CVE ID: CVE-2006-0455, please use this in any changelogs which address this issue.

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.15-1-686-smp
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages gnupg depends on:
ii  libbz2-1.0     1.0.3-2       high-quality block-sorting file co
ii  libc6          2.3.5-13      GNU C Library: Shared libraries an
ii  libldap2       2.1.30-12     OpenLDAP libraries
ii  libreadline5   5.1-6         GNU readline and history libraries
ii  libusb-0.1-4   2:0.1.11-4    userspace USB programming library
ii  makedev        2.3.1-80      creates device files in /dev
ii  zlib1g         1:1.2.3-9     compression library - runtime

gnupg recommends no packages.

-- no debconf information
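The advisory quoted above says the safe mode of operation is to decide on the --status-fd output rather than on the exit code. The following is an added example (not part of the bug report, and not GnuPG project code) of what that looks like for a script: it runs gpgv with status output on fd 1, and a fail-closed parser requires a GOODSIG and a matching VALIDSIG line, rejects any BADSIG/ERRSIG/NODATA style line, and optionally checks the signing fingerprint against an allow-list. The keyring path, the key IDs/fingerprints and the sample status streams are constructed for illustration and are not from the original page.

```python
"""Verify a detached OpenPGP signature from gpgv's --status-fd output.

Added example, not from the bug report or GnuPG. Assumptions: gpgv is on
PATH when verify_detached() is actually invoked; key IDs, fingerprints and
the sample status text below are constructed placeholders.
"""
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Status keywords that mean verification failed or nothing usable was found.
BAD_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG",
                "NO_PUBKEY", "NODATA", "UNEXPECTED"}


@dataclass
class Verdict:
    ok: bool
    reason: str
    fingerprints: List[str] = field(default_factory=list)


def parse_status(status_text: str,
                 trusted_fprs: Optional[Set[str]] = None) -> Verdict:
    """Fail-closed judgement of gpg/gpgv '[GNUPG:] ...' status lines."""
    goodsig = 0
    validsig = 0
    fprs: List[str] = []
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue                      # diagnostics, not status records
        fields = line.split()
        if len(fields) < 2:
            continue
        keyword = fields[1]
        if keyword in BAD_KEYWORDS:
            return Verdict(False, f"status reported {keyword}")
        if keyword == "GOODSIG":          # GOODSIG <long keyid> <userid>
            goodsig += 1
        elif keyword == "VALIDSIG":       # VALIDSIG <fingerprint> <date> ...
            validsig += 1
            fprs.append(fields[2])
    # The case the advisory warns about: the process may exit 0 although no
    # signature was verified at all. Absence of GOODSIG/VALIDSIG is a failure.
    if goodsig == 0 or validsig == 0:
        return Verdict(False, "no GOODSIG/VALIDSIG line: nothing was verified", fprs)
    if goodsig != validsig:
        return Verdict(False, "GOODSIG and VALIDSIG counts disagree", fprs)
    if trusted_fprs is not None and not set(fprs) <= trusted_fprs:
        return Verdict(False, "signer not in the trusted fingerprint set", fprs)
    return Verdict(True, "good signature", fprs)


def verify_detached(sig_path: str, data_path: str, keyring: str,
                    trusted_fprs: Optional[Set[str]] = None) -> Verdict:
    """Run gpgv with status on stdout and judge by the status lines."""
    proc = subprocess.run(
        ["gpgv", "--status-fd", "1", "--keyring", keyring, sig_path, data_path],
        capture_output=True, text=True)
    verdict = parse_status(proc.stdout, trusted_fprs)
    # A non-zero exit still wins, even if the status text looked fine.
    if proc.returncode != 0 and verdict.ok:
        return Verdict(False, f"gpgv exited {proc.returncode}", verdict.fingerprints)
    return verdict


# Constructed sample status streams (shape of gpgv output, values invented).
SAMPLE_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_GOOD = (
    "[GNUPG:] SIG_ID abcdefghijklmnopqrstuvwxyz1 2006-02-15 1140000000\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>\n"
    f"[GNUPG:] VALIDSIG {SAMPLE_FPR} 2006-02-15 1140000000 0 3 0 17 2 00 {SAMPLE_FPR}\n"
    "[GNUPG:] TRUST_UNDEFINED\n"
)
# Constructed: a run that produced no verification record at all.
SAMPLE_NOTHING_VERIFIED = "gpgv: some diagnostic text, no [GNUPG:] records\n"
SAMPLE_BAD = "[GNUPG:] BADSIG 0123456789ABCDEF Example Signer <signer@example.org>\n"

if __name__ == "__main__":
    for name, text in [("good", SAMPLE_GOOD),
                       ("nothing verified", SAMPLE_NOTHING_VERIFIED),
                       ("bad", SAMPLE_BAD)]:
        v = parse_status(text, trusted_fprs={SAMPLE_FPR})
        print(f"{name:17s} ok={v.ok} reason={v.reason}")
```

In a deployment, call verify_detached() with the real signature, data file and keyring, and pass the fingerprints you actually trust; treat anything but `ok=True` as a rejected file, regardless of what gpgv's exit code was.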

