* Ian Beckwith:

> On Sat, Aug 07, 2004 at 09:17:38PM +0200, Florian Weimer wrote:
>> Both PGP 5 and 6.5 have security issues which haven't been fixed
>> upstream (because there isn't any upstream anymore). There are some
>> pirated versions of 6.5.8 that incorporate fixes, but Debian certainly
>> shouldn't encourage distribution of them.
>
> Hmm.
>
> Do you have links to documentation of these issues

IIRC, there's a buffer overflow in the UID handling that has never been published. Then there's the Klima-Rosa attack, the lack of an MDC (Modification Detection Code), and one or more user ID handling bugs (see <http://www.bluering.nl/pgp/useridbug.txt>).

I once worked on an OpenPGP implementation vulnerability matrix, but this topic isn't very interesting anymore. For me at least, there's just GnuPG.