Package: sbsigntool
Version: 0.9.4-3.2
Severity: important

Dear Maintainer,

there is a nasty and longstanding bug in sbverify: Verification of
intermediate certificates returns true, even if there's no match, even
if no signer's certificate was passed at all.

In unstable, this was fixed in 0.9.4-6:

|   * Add patch from upstream to fix certificate validation with
|     intermediates.

In my opinion, this should be addressed in stable as well (actually also
oldstable but bookworm already moved to the downstream distribution).

Kind regards,

    Christoph

-- System Information:
Debian Release: 13.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 
'stable'), (1, 'proposed-updates')
Architecture: amd64 (x86_64)

Kernel: Linux 6.12.94 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages sbsigntool depends on:
ii  libc6       2.41-12+deb13u3
ii  libssl3t64  3.5.6-1~deb13u2
ii  libuuid1    2.41-5

sbsigntool recommends no packages.

sbsigntool suggests no packages.

-- no debconf information

Attachment: signature.asc
Description: PGP signature

Reply via email to