Security flaw in PGPverify of INN

Lutz Donnerhacke lutz at IKS-JENA.DE
Wed Oct 15 01:23:53 PDT 1997


Hi,

I was urged to send you the following information. I noticed CERT and tale
itself. But tale claims that the problem is not a problem of pgpverify, it's
a problem of some krauts trying to send checkgroups monthly using a bot.

The checkgroups mentioned have been sent for a year. They do not include Date:
and Message-ID: because these values were not predictable by the human
signer, and the bot does not know the passphrase to work with.

In consequence there are checkgroups out there which can be resent at any
time, causing a lot of trouble, because the signature is still valid even if
new Message-ID: and Date: lines are used.

The obvious fix is to modify pgpverify to block such control messages.
ftp://ftp.iks-jena.de/pub/mitarb/lutz/ contains the necessary fixes.

HTH
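The fix the post calls obvious, as an added example that is not code from the post or from INN's pgpverify: a policy check that rejects a control message unless its X-PGP-Sig header records Date: and Message-ID: among the signed headers, and additionally refuses stale dates and already-processed Message-IDs. It assumes pgpverify's X-PGP-Sig layout ('<pgp-version> <comma-separated signed header names> <signature>'), a constructed sample message with placeholder signature data, and that the cryptographic verification itself has already succeeded.

```python
import email
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Header names the signature must cover: without Date: and Message-ID: bound, a
# captured checkgroups can be reinjected under fresh headers and still verify.
REQUIRED_SIGNED = {"control", "date", "message-id"}
MAX_AGE = timedelta(days=7)  # assumed replay window, not taken from the post

# Constructed samples. X-PGP-Sig layout assumed: '<pgp-version> <signed headers> <sig>';
# the signature data is a hypothetical placeholder, not a real signature.
BAD = ("From: newgroups@example.invalid\nSubject: cmsg checkgroups\nControl: checkgroups\n"
       "Message-ID: <bot-1@example.invalid>\nDate: Wed, 15 Oct 1997 08:23:53 +0000\n"
       "X-PGP-Sig: 2.6.2 Subject,Control,From\n\tHYPOTHETICALSIGDATA==\n\n"
       "de.comp.os.linux\tLinux discussion\n")
GOOD = BAD.replace("Subject,Control,From", "Subject,Control,Message-ID,Date,From")

def signed_headers(msg):
    """Header names (lower-cased) that the X-PGP-Sig header claims were signed."""
    fields = msg.get("X-PGP-Sig", "").split(None, 2)
    if len(fields) < 2:
        return set()
    return {h.strip().lower() for h in fields[1].split(",") if h.strip()}

def check_control(raw, seen_ids, now):
    """Policy check run after the PGP signature itself has verified; returns
    (accepted, reason) and records accepted Message-IDs in seen_ids."""
    msg = email.message_from_string(raw)
    missing = REQUIRED_SIGNED - signed_headers(msg)
    if missing:
        return False, "signature does not cover " + ", ".join(sorted(missing))
    mid = msg.get("Message-ID")
    if not mid or mid in seen_ids:
        return False, "missing or already processed Message-ID"
    try:
        date = parsedate_to_datetime(msg.get("Date", ""))
    except (TypeError, ValueError):
        return False, "unparseable Date"
    if date.tzinfo is None:  # treat naive dates as UTC
        date = date.replace(tzinfo=timezone.utc)
    if not (now - MAX_AGE <= date <= now + timedelta(hours=1)):
        return False, "Date outside replay window"
    seen_ids.add(mid)
    return True, "ok"

def demo():
    """Bot-signed message, properly signed message, then the same one replayed."""
    seen, now = set(), datetime(1997, 10, 15, 9, 0, tzinfo=timezone.utc)
    return [check_control(raw, seen, now) for raw in (BAD, GOOD, GOOD)]
```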
