* Martin Schulze: > Florian Weimer wrote: >> * Andreas Barth: >> >> > So, the only thing left now is pgp5i in non-US/non-free (and AFAICS this >> > can't go to non-free). >> >> What's the security patching status of pgp5i? > > What are you referring to?
I've checked in the meantime. The RNG issue has been been fixed, but the UID issues (see <http://www.bluering.nl/pgp/useridbug.txt>, for example) are not addressed. I haven't tested PGP 5, but the vulnerability is definitely present in other versions, even back to 2.6.3in, so it's unlikely that pgp5i is magically unaffected.
