Your message dated Sat, 15 Mar 2025 16:54:16 +0100
with message-id <[email protected]>
and subject line Re: Bug#822826: gpg: Insecure default cipher for --symmetric
has caused the Debian Bug report #822826,
regarding gpg: Insecure default cipher for --symmetric
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
822826: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=822826
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: gpg
Version: gnupg
Severity: normal
Tags: security

Hello,

The default cipher in gpg and gpg2 for symmetric encryption is CAST-5. CAST-5
block size is 64 bits and the cipher is used in CFB mode. CFB mode is
vulnerable to a practical attack when the size of the ciphertext is close to
sqrt(block_size). In the case of CAST-5 as well as for Blowfish and 3DES it
happens when the message is more than ~ 1 Go long.

The problem has been solved upstream and in sid but not in jessie.

The following commits are available in the Git repository of GnuPG:

* fc30a414d8d6586207444356ec270bd3fe0f6e68 for gpg;
* 57df1121c18b004dd763b35eabf7b51fc9e8ec38 for gpg2.

Have a nice day.

Piotr Chmielnicki



-- System Information:
Debian Release: 8.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

--- End Message ---
--- Begin Message ---
On 2016-04-27 Piotr Chmielnicki <[email protected]> wrote:
> Package: gpg
> Version: gnupg
> Severity: normal
> Tags: security

> Hello,

> The default cipher in gpg and gpg2 for symmetric encryption is CAST-5. CAST-5
> block size is 64 bits and the cipher is used in CFB mode. CFB mode is
> vulnerable to a practical attack when the size of the ciphertext is close to
> sqrt(block_size). In the case of CAST-5 as well as for Blowfish and 3DES it
> happens when the message is more than ~ 1 Go long.

> The problem has been solved upstream and in sid but not in jessie.

> The following commits are available in the Git repository of GnuPG:

> * fc30a414d8d6586207444356ec270bd3fe0f6e68 for gpg;
> * 57df1121c18b004dd763b35eabf7b51fc9e8ec38 for gpg2.
[...]


Closing unversioned since both gnupg1 and gpg (i.e. v2) use AES by default
in Debian/stable.

cu Andreas

--- End Message ---
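
To audit existing files for the issue discussed in this thread, the following added example (not part of the bug report or of GnuPG) reads the leading Symmetric-Key Encrypted Session Key packet that passphrase-only gpg output starts with and reports whether the cipher recorded there has a 64-bit block. The function names and the two sample packets are constructed for illustration; input is assumed to be binary, not ASCII-armored.

```python
# Symmetric algorithm IDs from RFC 4880 section 9.2.
SYM_ALGOS = {1: "IDEA", 2: "3DES", 3: "CAST5", 4: "Blowfish",
             7: "AES128", 8: "AES192", 9: "AES256", 10: "Twofish"}
BLOCK64 = {1, 2, 3, 4}  # ciphers with a 64-bit block

def read_header(data):
    """Return (tag, body_offset, body_length) of the first OpenPGP packet."""
    if len(data) < 2 or not data[0] & 0x80:
        raise ValueError("not a binary OpenPGP packet")
    first = data[0]
    if first & 0x40:                      # new-format header
        tag, o = first & 0x3F, data[1]
        if o < 192:
            return tag, 2, o
        if o < 224:
            return tag, 3, ((o - 192) << 8) + data[2] + 192
        if o == 255:
            return tag, 6, int.from_bytes(data[2:6], "big")
        raise ValueError("partial body length not handled")
    tag, ltype = (first >> 2) & 0x0F, first & 0x03   # old-format header
    if ltype == 3:
        raise ValueError("indeterminate length not handled")
    n = 1 << ltype                        # 1, 2 or 4 length octets
    return tag, 1 + n, int.from_bytes(data[1:1 + n], "big")

def skesk_cipher(data):
    """Return (algo_id, name, has_64bit_block) from a leading v4 SKESK packet."""
    tag, off, length = read_header(data)
    if tag != 3:
        raise ValueError("first packet is tag %d, not SKESK (3)" % tag)
    body = data[off:off + length]
    if len(body) < 2 or body[0] != 4:
        raise ValueError("only version 4 SKESK packets are handled")
    algo = body[1]
    return algo, SYM_ALGOS.get(algo, "unknown"), algo in BLOCK64

# Constructed samples: version 4, cipher ID, iterated+salted S2K with a zero salt.
SAMPLE_CAST5 = bytes([0x8C, 0x0D, 4, 3, 3, 2]) + bytes(8) + bytes([0x60])
SAMPLE_AES256 = bytes([0xC3, 0x0D, 4, 9, 3, 8]) + bytes(8) + bytes([0x60])

if __name__ == "__main__":
    for name, blob in (("cast5", SAMPLE_CAST5), ("aes256", SAMPLE_AES256)):
        algo, label, weak = skesk_cipher(blob)
        print(name, algo, label, "64-bit block" if weak else "ok")
```

Files flagged as using a 64-bit block cipher can be decrypted and re-encrypted with an AES default to remove the exposure described in the report.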
