From owner-cvs-all@FreeBSD.ORG  Sun Jul 31 15:34:08 2005
Return-Path: <owner-cvs-all@FreeBSD.ORG>
X-Original-To: cvs-all@FreeBSD.org
Delivered-To: cvs-all@FreeBSD.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id C1B0B16A41F;
	Sun, 31 Jul 2005 15:34:08 +0000 (GMT)
	(envelope-from jacques@vidrine.us)
Received: from gw.celabo.org (gw.celabo.org [208.42.49.153])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 4A05D43D46;
	Sun, 31 Jul 2005 15:34:08 +0000 (GMT)
	(envelope-from jacques@vidrine.us)
Received: from gw.celabo.org (localhost [127.0.0.1])
	by internal.gw.celabo.org (Postfix) with ESMTP id 32C20DF2E2B;
	Sun, 31 Jul 2005 10:34:07 -0500 (CDT)
Received: from lum.celabo.org (lum.celabo.org [10.0.1.107])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(Client CN "lum.celabo.org", Issuer "celabo.org CA" (verified OK))
	by gw.celabo.org (Postfix) with ESMTP id 2CC38DF2E11;
	Sun, 31 Jul 2005 10:34:07 -0500 (CDT)
Received: from [127.0.0.1] (localhost [127.0.0.1])
	by lum.celabo.org (Postfix) with ESMTP id E007A20882D;
	Sun, 31 Jul 2005 10:34:01 -0500 (CDT)
In-Reply-To: <200507311323.j6VDNoTB070910@repoman.freebsd.org>
References: <200507311323.j6VDNoTB070910@repoman.freebsd.org>
Mime-Version: 1.0 (Apple Message framework v733)
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
Message-Id: <0FD8500C-E0DE-4CB2-B7EF-DDCF5A7B754F@vidrine.us>
Content-Transfer-Encoding: 7bit
From: Jacques Vidrine <jacques@vidrine.us>
Date: Sun, 31 Jul 2005 10:34:00 -0500
To: Simon L.Nielsen <simon@FreeBSD.org>
X-Mailer: Apple Mail (2.733)
X-Spam-Checker-Version: SpamAssassin 3.0.3 (2005-04-27) on 
	hellblazer.celabo.org
X-Spam-Level: 
X-Spam-Status: No, score=-5.8 required=5.0 tests=ALL_TRUSTED,AWL,BAYES_00 
	autolearn=ham version=3.0.3
Cc: cvs-ports@FreeBSD.org, cvs-all@FreeBSD.org, ports-committers@FreeBSD.org
Subject: Re: cvs commit: ports/security/vuxml vuln.xml
X-BeenThere: cvs-all@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: CVS commit messages for the entire tree <cvs-all.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/cvs-all>,
	<mailto:cvs-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/cvs-all>
List-Post: <mailto:cvs-all@freebsd.org>
List-Help: <mailto:cvs-all-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/cvs-all>,
	<mailto:cvs-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 31 Jul 2005 15:34:09 -0000


On Jul 31, 2005, at 8:23 AM, Simon L. Nielsen wrote:

> simon       2005-07-31 13:23:50 UTC
>
>   FreeBSD ports repository
>
>   Modified files:
>     security/vuxml       vuln.xml
>   Log:
>   Document gnupg -- OpenPGP symmetric encryption vulnerability.
>
>   Note: this is mainly a theoretical vulnerability.
>
>   Revision  Changes    Path
>   1.763     +38 -1     ports/security/vuxml/vuln.xml

Thanks, Simon.  Here are a couple of other points that this entry  
should maybe reflect:

   = Other software implementing OpenPGP is likely affected, e.g. the  
Perl Crypt::OpenPGP module  (ports/security/p5-Crypt-OpenPGP)

   = GnuPG and others "resolved" this issue by disabling the "quick  
check" when using a session key derived from public key encryption.   
But the issue still exists when using symmetric encryption directly,  
e.g. with the `-c' or `--symmetric' flags to gpg.  Of course in that  
case it is even less likely to affect a real world user.

Cheers,
-- 
Jacques A. Vidrine / NTT/Verio
jacques@vidrine.us / jvidrine@verio.net / nectar@freebsd.org