oss-sec mailing list archives
Re: Many vulnerabilities in GnuPG
From: Jeffrey Walton <noloader () gmail com>
Date: Sun, 28 Dec 2025 19:23:04 -0500
On Sun, Dec 28, 2025 at 6:14 PM Sam James <sam () gentoo org> wrote:
[...] Finally, to end the dump of what I know so far: Werner Koch has published a response to the cleartext signature vulnerabilities: https://gnupg.org/blog/20251226-cleartext-signatures.html.

Also see dkg's post from 2014 at <https://dkg.fifthhorseman.net/notes/inline-pgp-harmful/>. From the article:

  People often suggest that inline PGP signatures in e-mail are somehow more compatible or more acceptable than using PGP/MIME. This is a mistake. Inline PGP signatures are prone to several failure modes, up to and including undetectable message tampering.

Jeff
