popularity-contest

[ben darby]

* Derek Broughton wrote:
> Jeffrey F. Bloss wrote:
> 
> > There's no reason to go as far as China for real life examples of how
> > this sort of thing might be a problem. The version of GnuPG Ubuntu
> > distributes in their own repositories, for example, is horribly out of
> > date and known to have serious bugs. The CVE calls it a "remotely
> > controllable function pointer" issue...
> > 
> > http://lists.gnupg.org/pipermail/gnupg-announce/2006q4/000246.html
> > 
> > Painfully ironic as it is, by blabbing about your vulnerable copy of
> > GnuPG you're actually opening a piece of software you depend on for
> > *security* up to a wider audience of potential attackers, and giving
> 
> And you're absolutely sure that, just because Ubuntu's Gnupg is still
> v1.4.3, that it has that vulnerability?  The latest security update to
> gnupg in edgy-security is March 7, and while I don't have time to check,
> almost certainly backports fixes for all known vulnerabilities to that
> point.

https://lists.ubuntu.com/archives/ubuntu-security-announce/2006-December/000448.html

looks like it was patched the following day!

-- 
ben darby
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-users/attachments/20070331/a989b726/attachment.sig>