[Pkg-php-pecl] Bug#836557: php-mongodb: gpg short id used in script

D Haley mycae at gmx.com
Sat Sep 3 22:54:49 UTC 2016


Package: php-mongodb
Version: 1.1.7-2
Severity: important

Dear Maintainer,

Your package appears to contain commands which use a short gpg-key
ID. These have recently been identified as potential security concerns,
due to a chance that the wrong key can be imported in the case of a
forced key-ID collision [1].

The affected file is:
 /mongodb-1.1.7/scripts/ubuntu/mongo-orchestration.sh [2]

This is likely not be directly used by the debian component of the package,
so this bug may require forwarding upstream.

Please consider upgrading to a full key ID, for example, replace the command:

 gpg --keyserver <keyserver> --recv-keys <key_short_fingerprint> 

with

 gpg --keyserver  <keyserver> --recv-keys <key_full_id>

eg (not specific to your package):

 gpg --keyserver keyring.debian.org --recv-keys 05C3E651

becomes:

 gpg --keyserver keyring.debian.org --recv-keys 0x0D59D2B15144766A14D241C66BAF400B05C3E651


(Note the tail bytes are the same)

This has previously been forwarded to the security team, who advised to
report individual public bugs against each package - hence this bug.

[1] http://lwn.net/Articles/697417
[2] http://http.debian.net/debian/pool/main/p/php-mongodb/php-mongodb_1.1.7.orig.tar.gz 



More information about the Pkg-php-pecl mailing list