From ec7aa04984092f75b393ac94291a106abf5efce7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dominik=20Sch=C3=BCrmann?= Date: Fri, 23 Oct 2015 10:41:15 +0200 Subject: [PATCH] Updated cure53 Security Audit 2015 (markdown) --- cure53-Security-Audit-2015.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/cure53-Security-Audit-2015.md b/cure53-Security-Audit-2015.md index 0152ceb..d87b55b 100644 --- a/cure53-Security-Audit-2015.md +++ b/cure53-Security-Audit-2015.md @@ -1,5 +1,6 @@ Audit can be downloaded at https://cure53.de/pentest-report_openkeychain.pdf +All identified vulnerabilities has been discussed with cure53 and fixed in OpenKeychain 3.6. Only OKC-01-006 has not been fixed because it is not in our threat model. We will work on two Miscellaneous Issues (not vulnerabilities!) for a future version of OpenKeychain. ## Identified Vulnerabilities ### OKC-01-001 Private Keys can be imported from Keyserver (Medium) @@ -33,6 +34,8 @@ https://github.com/open-keychain/open-keychain/commit/57a04cb8a14a4777a3d77a9295 ### OKC-01-011 Unconfirmed Main Identities are shown as confirmed (Low) Confirmed identities (if they exist) are now prioritized over non-confirmed ones. + +FIXED IN * https://github.com/open-keychain/open-keychain/commit/486117d9de8618c1ecfb2a592c781fc43f1cc886 ### OKC-01-012 Database Extraction possible via Version Downgrade (Medium)