Updated cure53 Security Audit 2015 (markdown)

Dominik Schürmann 2015-10-23 10:41:15 +02:00
parent d2dc3549d7
commit ec7aa04984
1 changed file with 3 additions and 0 deletions

@ -1,5 +1,6 @@
Audit can be downloaded at https://cure53.de/pentest-report_openkeychain.pdf Audit can be downloaded at https://cure53.de/pentest-report_openkeychain.pdf
All identified vulnerabilities has been discussed with cure53 and fixed in OpenKeychain 3.6. Only OKC-01-006 has not been fixed because it is not in our threat model. We will work on two Miscellaneous Issues (not vulnerabilities!) for a future version of OpenKeychain.
## Identified Vulnerabilities ## Identified Vulnerabilities
### OKC-01-001 Private Keys can be imported from Keyserver (Medium) ### OKC-01-001 Private Keys can be imported from Keyserver (Medium)
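Review bot: the added summary line has a subject/verb agreement error ("All identified vulnerabilities has been discussed" should read "have been discussed"), and the sentence about OKC-01-006 gives the reader no way to judge the accepted risk from the summary: it names only the ID, not the finding, and does not say which two Miscellaneous Issues are deferred. Suggest naming the finding inline ("Only OKC-01-006 (its title) has not been fixed, because ...") with a one-sentence statement of why it falls outside the threat model, and listing the IDs of the two deferred Miscellaneous Issues, so that the exceptions to "fixed in OpenKeychain 3.6" are auditable without scrolling to the per-finding sections.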
@ -33,6 +34,8 @@ https://github.com/open-keychain/open-keychain/commit/57a04cb8a14a4777a3d77a9295
### OKC-01-011 Unconfirmed Main Identities are shown as confirmed (Low) ### OKC-01-011 Unconfirmed Main Identities are shown as confirmed (Low)
Confirmed identities (if they exist) are now prioritized over non-confirmed ones. Confirmed identities (if they exist) are now prioritized over non-confirmed ones.
FIXED IN
* https://github.com/open-keychain/open-keychain/commit/486117d9de8618c1ecfb2a592c781fc43f1cc886 * https://github.com/open-keychain/open-keychain/commit/486117d9de8618c1ecfb2a592c781fc43f1cc886
### OKC-01-012 Database Extraction possible via Version Downgrade (Medium) ### OKC-01-012 Database Extraction possible via Version Downgrade (Medium)
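Review bot: the new "FIXED IN" entry under OKC-01-011 documents an ordering change ("Confirmed identities (if they exist) are now prioritized over non-confirmed ones"), but the finding is that unconfirmed main identities are shown as confirmed, and the parenthetical "if they exist" leaves exactly that case undescribed: what the UI shows when the key has no confirmed identity at all. Suggest adding one sentence stating how an unconfirmed main identity is now displayed (for example that it is no longer marked as confirmed), so the entry documents the fix for the reported issue rather than only the preference for confirmed identities.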