GnuPG 1.4.6 and earlier and GPGME before 1.1.4, when run from the command line, do not visually distinguish signed and unsigned portions of OpenPGP messages with multiple components, which might allow remote attackers to forge the contents of a message without detection.
I don't consider this bug a security issue, whereas Debian has marked it "high" in sarge: "gnupg (1.4.1-1.sarge7) stable-security; urgency=high"
I myself arbitrarily take the selfish decision to reassign this to the maintainer/herd.
OK. We have gnupg-1.4.7 and gpgme-1.1.4 in tree. We will wait for a few weeks and request stable. Security: please drop a note if you think it should be done quicker.
(In reply to comment #3)
> security: Please drop a note if you think it should be done quicker.

Thanks Alon, I don't think that merits a security timeframe escalation. With a backport/patch I would have said "stabilize it", but here I agree with waiting a few moments. I'm closing the bug then. Feel free to reopen if you disagree.
I strongly disagree with Raphael that this sort of message manipulation is a minor issue. Please prepare for stabilizing asap.
I tend to agree with Carlo on this one. Security: any other opinions?
Hm, seeing that you stabilize 1.4.7-r1, I have to tell you that this does not suffice. According to this source [1], gnupg 2.0.3 has to go stable, too.

[1] http://www.heise-security.co.uk/news/86299
We cannot have gnupg-2.X stable until we resolve some issues: bug #159851, of which bug #159870 is the most critical.
All dependencies are waiting for stable, nothing I can do here...
gnupg-2.0.7 is stable everywhere but on mips (surprise :P) - Bug 202158; ditto for gpgme-1.1.5 - Bug 198656. Security doesn't want this bug, closing. Reopen if you disagree.