Updated cure53 Security Audit 2015 (markdown)

Dominik Schürmann 2015-11-05 16:56:18 +01:00
parent de963b68aa
commit fa9fcb3528
1 changed files with 2 additions and 2 deletions

@ -1,6 +1,6 @@
The Security Audit can be downloaded at https://cure53.de/pentest-report_openkeychain.pdf The Security Audit can be downloaded at https://cure53.de/pentest-report_openkeychain.pdf
All identified vulnerabilities has been discussed with cure53 and fixed in OpenKeychain 3.6. Only OKC-01-006 has not been fixed because it is not in our threat model. We will work on two Miscellaneous Issues (not vulnerabilities) for a future version of OpenKeychain. All identified vulnerabilities has been discussed with cure53 and fixed in OpenKeychain 3.6. Only OKC-01-006 has not been fixed because it is not in our threat model. We will work on two "Miscellaneous Issues" (not vulnerabilities) for a future version of OpenKeychain.
## Identified Vulnerabilities ## Identified Vulnerabilities
### OKC-01-001 Private Keys can be imported from Keyserver (Medium) ### OKC-01-001 Private Keys can be imported from Keyserver (Medium)
@ -73,7 +73,7 @@ FIXED IN:
see OKC-01-015 see OKC-01-015
### OKC-01-018 Key Server Verification Bypass via HTTP Redirect (Medium) ### OKC-01-018 Key Server Verification Bypass via HTTP Redirect (Medium)
OpenKeychain we now disallow all redirects, a warning is now shown when a keyserver is added without a pinned certificate, users needs to uncheck "only trusted keyserver" to get past the warning. We pinned sks-keyserver, pgp.mit.edu, keybase.io. We now disallow all redirects, a warning is now shown when a keyserver is added without a pinned certificate, users needs to uncheck "only trusted keyserver" to get past the warning. We pinned sks-keyserver, pgp.mit.edu, keybase.io.
FIXED IN FIXED IN
* https://github.com/open-keychain/open-keychain/commit/0b181743a3d6b1423e112b17a400b5ac4ac09bcb * https://github.com/open-keychain/open-keychain/commit/0b181743a3d6b1423e112b17a400b5ac4ac09bcb