from gnupg.org:
Signature verification of non-detached signatures may give a positive
result but when extracting the signed data, this data may be prepended
or appended with extra data not covered by the signature. Thus it is
possible for an attacker to take any signed message and inject extra
arbitrary data.
The security issue is caused due to "gpgv" exiting with a return code
of 0 even if the detached signature file did not carry any signature.
This may result in certain scripts that use "gpgv" to conclude that
the signature is correctly verified.
More info: http://secunia.com/advisories/18845/
ok bernd@ pvalchev@
A bug was discovered in the key validation code. This bug causes keys
with more than one user ID to give all user IDs on the key the amount
of validity given to the most-valid key.
http://marc.theaimsgroup.com/?l=bugtraq&m=105215110111174&w=2
--
MAINTAINER ok
