Full Disclosure: Re: Using second gpg keyring may be misleading?

Re: Using second gpg keyring may be misleading?

From: Georgi Guninski <guninski () guninski com>
Date: Fri, 15 Jun 2012 16:42:55 +0300

On Thu, Jun 14, 2012 at 05:52:26PM +0000, Thor (Hammer of God) wrote:

What are you considering exploitable?  The untrusted/unverified "Master" key?


ubuntu fixed this out of paranoia:
https://lists.ubuntu.com/archives/ubuntu-security-announce/2012-June/001721.html

While it appears that a man-in-the-middle attacker cannot
exploit this, as a hardening measure this update adjusts apt-key to
validate all subkeys when checking for key collisions.


i would suppose this was exploitable while it was alive.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

By Date By Thread

Current thread:

Using second gpg keyring may be misleading? Georgi Guninski (Jun 14)
- Re: Using second gpg keyring may be misleading? Thor (Hammer of God) (Jun 14)
  - Re: Using second gpg keyring may be misleading? Georgi Guninski (Jun 15)
    - Re: Using second gpg keyring may be misleading? Thor (Hammer of God) (Jun 15)