>Number:         12208
>Category:       pkg
>Synopsis:       gnupg-1.0.4 doesn't have security patches applied to it
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Feb 14 17:43:00 PST 2001
>Closed-Date:
>Last-Modified:
>Originator:     Berndt Josef Wulf
>Release:        NetBSD-1.5-alpha
>Organization:
NTC-Electroncis
>Environment:
NetBSD dingo 1.5 NetBSD 1.5 (GENERIC) #10: Wed Nov 22 03:00:56 PST 2000     root@frau-farbissina.shagadelic.org:/amd/swinger/u1/netbsd-1-5/src/sys/arch/alpha/compile/GENERIC alpha
>Description:
<quote>It has been pointed out that there is another bug in the signature verification code of GnuPG. This can easily lead to false positives. All versions of GnuPG released before today are vulnerable.
</quote>

The current package doesn't seem to apply these patche

>How-To-Repeat:
Read:

ftp://ftp.gnupg.org/pub/gcrypt/gnupg/gnupg-1.0.4.security-patch1.diff


>Fix:
Apply

ftp://ftp.gnupg.org/pub/gcrypt/gnupg/gnupg-1.0.4.security-patch1.diff


>Release-Note:
>Audit-Trail:
>Unformatted: