Fixes CVE-2018-1000858: Cross Site Request Forgery with arbitrary HTTPS
GET requests via HTTP redirect.
https://sektioneins.de/en/advisories/advisory-012018-gnupg-wkd.html
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2018-12020: Unsanitized file names might cause injection of
terminal control characters into the status output of gnupg.
Cc: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2018-9234: Unenforced configuration allows for apparently
valid certifications actually signed by signing subkeys.
Remove --disable-doc from configure options. We pass this options to all
autotools packages.
Cc: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Switch to https download for firewall compatibility and security.
As upstream now defaults to 'gpg' for the main binary name, keep the
'gpg2' name as in previous releases, to avoid conflict with the gnupg
package.
Cc: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes:
CVE-2015-1606: Use after free, resulting from failure to skip invalid packets
CVE-2015-1607: memcpy with overlapping ranges, resulting from incorrect
bitwise left shifts
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
