SEC-2019-000 - Ticket #00000 - Framework Vulnerability

@miken32

It’s not clear to me what changes are being made to GPG.class.php and who’s making them.

Until I can get a working framework module from Module Admin, I’m patching GPG.class.php to add the following to $fskeys:

‘593E5D6A7107C285E698CB563C355822CCEBF9CB’
‘C5C26167A09555DB29DA4ECF06C57CED5C2FE148’
‘EB312FC936875A7BC236DE6A36992456A6869B39’

and changing $keyservers to just:

“hkps://keys.openpgp.org”

and disabling module signature checking.

That gets a reload that completes in 3.25 seconds whether from the GUI or the CLI.

Okay… So is there anything to be done?
Because I am a bit lost,

I already got an email from my server that it updated this issue automatically, although this concerns me a bit now,

I hope you can shed some light on my concerns,

Thank you in advance

How about just getting rid of this signature feature. Someone here mentioned it was being considered or did I misunderstand? In my experience it causes more problems than it solves.

I am also seeing this on CE8. So I don’t think it’s just Debian.
