Wouter Cloetens <[EMAIL PROTECTED]> writes:

> Extra details on the bug report for gnupg-1.04-2 can be found
> on http://www.securityfocus.com/bid/2797. Most distributions
> appear to have reported a security alert, but all recommend
> upgrading to 1.0.6. A backport for stable is in order, I
> guess...

> Since 1.0.4-2 is in stable, with this bug, it should be fixed IMHO.

With GnuPG 1.0.4, the web of trust can be compromised by an attacker, and there's a pretty severe problem with detached signature verification. You should not distribute this version. (I'm going to file a bug report soon.)

--
Florian Weimer [EMAIL PROTECTED]
University of Stuttgart http://cert.uni-stuttgart.de/
RUS-CERT +49-711-685-5973/fax +49-711-685-5898