Hi Daniel,

On Tue, Feb 17, 2015 at 12:26:51PM -0500, Daniel Kahn Gillmor wrote:
> On Tue 2015-02-17 00:27:20 -0500, Salvatore Bonaccorso wrote:
> > Control: fixed -1 2.1.2-1
> >
> > Hi Daniel,
> >
> > On Mon, Feb 16, 2015 at 06:09:18PM -0500, Daniel Kahn Gillmor wrote:
> >> Several coding errors were discovered in GnuPG 2.0 lately by Hanno Böck
> >> as part of the Fuzzing Project:
> >
> > Have you checked if gnupg 1.4.x is also affected by both of these
> > CVEs? We have marked gnupg as "undetermined" so far in the
> > security-tracker.
>
> Yes, gpg 1.4.x is also affected. In particular, CVE-2015-1606 is known
> to affect it. The demonstration vector we have for CVE-2015-1607 is a
> keybox file, which is not supported by gpg 1.4.x, but the underlying fix
> (normalizing bitshift operations) seems like it should apply to 1.4.x as
> well.

Thanks, I'm updating the security tracker information right now.

> I'm not sure how to represent this in the BTS; should I clone this and
> reassign it to the gnupg package, or is there a way to make this bug
> report apply to both gnupg and gnupg2?

Yes, just clone this bug, reassign to src:gnupg and mark found versions.

Thank you for your quick reply and confirmation!

Regards,
Salvatore

