
Untitled

Posted by a guest, May 14th, 2018
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2018-05-14-1 AppleSecurityDocs 1.11.1

AppleSecurityDocs 1.11.1 should soon be available, addressing the following:

Key ID
Available for: Everyone
Impact: An adversary can impersonate Apple's PGP identity.
Description: The Apple Security PGP guide refers to Apple's PGP key [via its 32-bit short ID](http://archive.is/RHmB3#selection-533.8-532.1), leading researchers to direct GPG to download every key with the same short ID. The docs should be updated to replace instances of short IDs with the respective long IDs.
CVE-2018-4206: an anonymous researcher in control of the following PGP key: 0x2FD4817BCA4A0C42

Impact note:

While the full key and its fingerprint are available, many researchers use `gpg --recv-keys <KEY ID>` to download keys. Since the key ID provided by Apple's docs is only 32 bits, many researchers will end up instructing gpg to download any key whose ID has the same 32-bit ending.

As shown by evil32.com, a short ID collision attack is very easy for an adversary to carry out, while the impact can be devastating.

Updated information should be posted to the Apple Security
web site: https://support.apple.com/kb/HT201214

This message is signed with Apple's Product Security PGP key,
and details are available at:
http://archive.today/2018.05.12-020427/https://support.apple.com/en-us/HT201214
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEQ28p0Vg4RzucWiK8IP9XSzRstEYFAlr2TsEACgkQIP9XSzRs
tEalLQ/9HBLCxPie9wM1DzsUckGw39n+ecFK0gFeOxAYN4SPszN42Ts7ABhTsDqM
eOdydeSaXUDV14ApdT7xjO1w1VYcTJznBvmheLuv+RMJzsTbG2cJll23/p66yHpF
AmqA7jWcy03DriPJjBRIJBX3U4A3QPraxLD51boT7Ng4ho2jr+abtDjzm5L2rM7R
pk41N6Y6em4PqbT2sh1YKa/Js4tnkuUtAFilivV/APaJ7SQAP4dCwjQFPaLZR6ZA
WMrOyYHCNLJW4CD6mfAKlyTJvgD5K8dumFPgQUL/cXE/Jw7VZlUiU1Qai7rpuPRh
ZJSWQrKqXJVPNPdAE4T/IkCSN1mLlk3ydu9DBn3L23Aeq57j7MIXvnO3i42X5QT8
fCR9eCj/XyZ+ytiy9EiIO6cqQdMN8AQ1e84ak3WamIx2vELM8sAQrHNYxPmPGuyJ
k/g7lUCY+1aqhLfwuWiyEB13gdl+5ziAlpQG+V3Thv1JgyG6kiAxSuwmWyEkH6GV
GVX5OMd422jWrQ4JFVY43YaTiCsT8RmN5MCfTzRx2EJj8lMEswB8PUrdsefbkH8s
ZedsbCVlM0TzOQhfYLBPi/lOMuz0bI8Imrrq8qgN/5OPCixnHB64ZtDgeebdKYU2
s/oNM+MgQLVNBSVgUedfAs/hnvE/5qyklddSFB+y0f4nzV81xCA=
=EaUn
-----END PGP SIGNATURE-----
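The advisory's point is that a 32-bit short key ID is a suffix of the key fingerprint, not a unique name, so `gpg --recv-keys <short ID>` can return several keys. The following example, added here and not part of the pasted message, shows where the IDs come from and why only the full fingerprint is an unambiguous reference: it derives a version-4 fingerprint from a public-key packet body (the RFC 4880 section 12.2 construction), takes the long (64-bit) and short (32-bit) IDs as the fingerprint's low-order hex digits, and models a keyserver lookup over two constructed fingerprints that share a short ID but not a long one. The key material and fingerprints are constructed for illustration and belong to no real key; `keys_matching` and `recv_keys_command` are hypothetical helpers, not gpg functions.

```python
import hashlib
import re


def normalize(key_ref: str) -> str:
    """Strip an optional 0x prefix and spaces, upper-case, and reject non-hex input."""
    cleaned = re.sub(r"^0x", "", key_ref.strip(), flags=re.IGNORECASE).replace(" ", "").upper()
    if not re.fullmatch(r"[0-9A-F]+", cleaned):
        raise ValueError(f"not a hex key reference: {key_ref!r}")
    return cleaned


def mpi(value: int) -> bytes:
    """OpenPGP multiprecision integer (RFC 4880 section 3.2): 2-byte big-endian
    bit length, then the minimal big-endian magnitude."""
    if value < 0:
        raise ValueError("MPI must be non-negative")
    bit_len = value.bit_length()
    return bit_len.to_bytes(2, "big") + value.to_bytes((bit_len + 7) // 8, "big")


def rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version-4 RSA public-key packet (RFC 4880 section 5.5.2):
    version byte 4, 4-byte creation time, algorithm id 1 (RSA), MPIs n and e."""
    return b"\x04" + created.to_bytes(4, "big") + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(key_body: bytes) -> str:
    """Version-4 fingerprint (RFC 4880 section 12.2): SHA-1 over 0x99, the
    2-byte length of the packet body, and the body itself; 40 hex digits."""
    prefix = b"\x99" + len(key_body).to_bytes(2, "big")
    return hashlib.sha1(prefix + key_body).hexdigest().upper()


def long_id(fingerprint: str) -> str:
    """64-bit key ID: the low-order 16 hex digits of the fingerprint."""
    return normalize(fingerprint)[-16:]


def short_id(fingerprint: str) -> str:
    """32-bit short ID: the low-order 8 hex digits. Only 2^32 values exist, so a
    key with any chosen short ID is cheap to produce (the evil32.com problem)."""
    return normalize(fingerprint)[-8:]


def classify(key_ref: str) -> str:
    """Tell whether a reference is a short ID, a long ID or a full fingerprint."""
    return {8: "short", 16: "long", 40: "fingerprint"}.get(len(normalize(key_ref)), "unknown")


def keys_matching(key_ref: str, keyserver: list) -> list:
    """Model of what a keyserver hands back for `gpg --recv-keys <ref>`: every
    key whose fingerprint ends with the given digits. Shorter ref, more matches."""
    suffix = normalize(key_ref)
    return [fpr for fpr in keyserver if normalize(fpr).endswith(suffix)]


def recv_keys_command(key_ref: str) -> list:
    """Build the fetch command line, refusing anything but a full fingerprint.
    This is a stricter local policy than the advisory's minimum (long IDs)."""
    kind = classify(key_ref)
    if kind != "fingerprint":
        raise ValueError(f"refusing to fetch by {kind} ID; pass the 40-digit fingerprint")
    return ["gpg", "--recv-keys", normalize(key_ref)]


# Constructed toy key: a 64-bit "modulus" that is not a real RSA key, used only
# to show that the fingerprint is a hash of the public-key packet.
TOY_KEY_BODY = rsa_public_key_body(created=1526256000, n=0xC0FFEE1234567891, e=65537)

# Constructed fingerprints (not real keys). They share the low 32 bits, hence
# the same short ID, but differ in the low 64 bits, so the long ID tells them apart.
LEGIT_FPR = "0" * 28 + "AAAA" + "12345678"
IMPOSTOR_FPR = "0" * 28 + "BBBB" + "12345678"
KEYSERVER = [LEGIT_FPR, IMPOSTOR_FPR]


if __name__ == "__main__":
    fpr = v4_fingerprint(TOY_KEY_BODY)
    print("toy key fingerprint:", fpr, "long:", long_id(fpr), "short:", short_id(fpr))
    print("short-ID lookup returns", len(keys_matching(short_id(LEGIT_FPR), KEYSERVER)), "keys")
    print("long-ID lookup returns", len(keys_matching(long_id(LEGIT_FPR), KEYSERVER)), "key")
    print(" ".join(recv_keys_command(LEGIT_FPR)))
```

The short-ID lookup returns both constructed keys while the long-ID lookup returns one, which is exactly the ambiguity the advisory describes; in practice the fingerprint should still be compared against an out-of-band copy after the fetch, since a long ID is also just a 64-bit suffix.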