* Fix OpenPGP Armor Header Line parsing in Dpkg::Control::Hash. We should only accept [\r\t ] as trailing whitespace, although RFC4880 does not clarify what whitespace really maps to, we should really match the GnuPG implementation anyway, as that's what we use to verify the signatures. Reported by Jann Horn <jann@thejh.net>. Fixes CVE-2015-0840.
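The trailing-whitespace rule from the changelog entry above, as an added example that is not dpkg's code and not part of this bug report: a Python check that flags armor header lines whose trailing bytes fall outside `[\r\t ]`, the places where a looser parser and the signature verifier could disagree. The `\s` contrast pattern, the function name and the sample text are assumptions constructed for illustration.

```python
import re

# An armor header line, with whatever follows the closing dashes captured.
ARMOR_LINE = re.compile(r"(-----(?:BEGIN|END) PGP [A-Z ]+-----)(.*)", re.DOTALL)
# Trailing set named in the changelog entry: CR, TAB and space only.
ALLOWED_TRAILING = re.compile(r"[\r\t ]*")
# Assumption for contrast: a generic whitespace class, which is a wider set
# (form feed, vertical tab, non-breaking space, ...).
LAX_TRAILING = re.compile(r"\s*")


def audit_armor_lines(text):
    """Return (line_number, kind, trailing) for each armor header line whose
    trailing bytes are not limited to [\\r\\t ].

    kind is "lax-only" when a generic \\s match would still accept the line,
    and "garbage" when the trailing bytes are not whitespace at all.
    """
    findings = []
    for lineno, line in enumerate(text.split("\n"), start=1):
        m = ARMOR_LINE.fullmatch(line)
        if m is None:
            continue  # not an armor header line
        trailing = m.group(2)
        if ALLOWED_TRAILING.fullmatch(trailing):
            continue  # accepted under the strict rule
        kind = "lax-only" if LAX_TRAILING.fullmatch(trailing) else "garbage"
        findings.append((lineno, kind, trailing))
    return findings


# Constructed sample lines (not taken from a real .dsc file).
SAMPLE = (
    "-----BEGIN PGP SIGNED MESSAGE-----\r\n"   # CR: allowed
    "Hash: SHA256\n"
    "\n"
    "Format: 3.0 (quilt)\n"
    "Source: example\n"
    "-----BEGIN PGP SIGNATURE----- \t\n"       # space + TAB: allowed
    "-----END PGP SIGNATURE-----\x0c\n"        # form feed: only \s accepts it
    "-----END PGP SIGNATURE-----x\n"           # not whitespace
)

if __name__ == "__main__":
    for lineno, kind, trailing in audit_armor_lines(SAMPLE):
        print(f"line {lineno}: {kind}: trailing bytes {trailing!r}")
```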
Arch teams, please test and mark stable:
=app-arch/dpkg-1.17.25
Targeted stable KEYWORDS: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Stable for HPPA.
C3 for now until more information is available as to the vulnerability.
amd64 stable
ia64 stable
x86 stable
sparc stable
CVE-2015-0840 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0840): The dpkg-source command in Debian dpkg before 1.16.16 and 1.17.x before 1.17.25 allows remote attackers to bypass signature verification via a crafted Debian source control file (.dsc).
ppc stable
Stable for PPC64.
alpha stable
arm stable. Maintainer(s), please clean up. Security, please vote.
Arches and Maintainer(s), Thank you for your work. GLSA Vote: No
NO too, closing.