Hi Adam,

On Fri, Sep 02, 2016 at 09:10:48PM +0100, Adam D. Barratt wrote:
> Control: tags -1 - moreinfo
>
> On Fri, 2016-09-02 at 20:58 +0200, Cyril Brulebois wrote:
> > Hi,
> >
> > Adam D. Barratt <a...@adam-barratt.org.uk> (2016-09-02):
> > > On Thu, 2016-08-18 at 07:25 +0200, Salvatore Bonaccorso wrote:
> > > > Control: retitle -1 jessie-pu: package gnupg/1.4.18-7+deb8u3
> > > >
> > > > On Sun, Aug 14, 2016 at 03:58:28PM +0200, Salvatore Bonaccorso wrote:
> > > > > I would like to propose the following hardening to src:gnupg which was
> > > > > found during the analysis of a vulnerability report to the security
> > > > > team and related to
> > > > > https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_razavi.pdf
> > > > > and developed by NIIBE Yutaka. The underlying problem in hardware
> > > > > cannot be solved in software (and thus we don't want to issue a DSA
> > > > > for it, and give possibly this false impression), and as pointed out
> > > > > by Florian there are some other open questions regarding the paper
> > > > > and the attacks described there.
> > > [...]
> > > > This all still holds, but I have rebased the patch on top of the update
> > > > via jessie-security.
> > >
> > > Overall I think I'm happy to trust the maintainers on this, but would
> > > like a KiBi-ack due to d-i making use of at least gpgv.
> >
> > Yeah, looks sane enough; I'd be slightly happier if it could reach p-u
> > sooner rather than later (ideally before the 8th), just to make sure
> > nothing explodes within d-i.
>
> Thanks.
>
> Salvatore, please feel free to upload.

Thanks, uploaded!

Regards,
Salvatore