After 2 more weeks (so that it is now 11 weeks)
without any response from HPLIP upstream
I still hope HPLIP upstream might finally get
a tiny bit of interest in solving their security issues.
From our (SUSE) security experts I got the following
suggested patch against the latest HPLIP 3.15.6:
==============================================================
--- hplip-3.15.6/base/validation.py
+++ hplip-3.15.6/base/validation.py
@@ -42,7 +42,7 @@ class DigiSign_Verification(object):
class GPG_Verification(DigiSign_Verification):
- def __init__(self, pgp_site = 'pgp.mit.edu', key = 0xA59047B9):
+ def __init__(self, pgp_site = 'pgp.mit.edu', key = 0x73D770CDA59047B9): self.__pgp_site = pgp_site
self.__key = key
self.__gpg = utils.which('gpg',True)
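Review bot: the new default on the `+ def __init__` line, `key = 0x73D770CDA59047B9`, is still a 64-bit key ID paired with the `pgp.mit.edu` default, so the constructor names a key to look up rather than pinning the key itself. Take the full fingerprint as the default (or ship the public key with the package) and compare the imported key's fingerprint against it before the key is used for verification. As posted, the `+` line also has `self.__pgp_site = pgp_site` run onto the end of the `def` line; that assignment should stay on its own unchanged context line or the hunk will not apply cleanly.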
==============================================================
This should address this particular vulnerability (only).
Basically, use 0xlong key ID, short of shipping the key
or full fingerprint.
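The difference between a short key ID, a long key ID and a full fingerprint pin, as an added example that is not part of the original comment or of HPLIP's code. It goes one step beyond the patch by requiring a full fingerprint. The gpg colon-format output, both fingerprints and the function names are constructed for illustration; only the two key IDs come from the patch above.

```python
# Constructed `gpg --with-colons --fingerprint` output; both keys are made up.
# They share the low 32 bits (A59047B9) and differ in the low 64 bits.
SAMPLE_COLONS = """\
pub:-:2048:1:73D770CDA59047B9:1300000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456773D770CDA59047B9:
uid:-::::1300000000::X::Constructed Signing Key <signer@example.invalid>:
pub:-:2048:1:DEADBEEFA59047B9:1400000000:::-:::scESC:
fpr:::::::::FEDCBA9876543210FEDCBA98DEADBEEFA59047B9:
uid:-::::1400000000::X::Constructed Lookalike Key <other@example.invalid>:
"""


def fingerprints(colons_output):
    """Return the primary-key fingerprints listed in gpg colon-format output."""
    found, want_fpr = [], False
    for line in colons_output.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sub"):
            want_fpr = fields[0] == "pub"    # skip subkey fingerprints
        elif fields[0] == "fpr" and want_fpr and len(fields) > 9:
            found.append(fields[9].upper())  # field 10 holds the fingerprint
            want_fpr = False
    return found


def pin_hex(pinned):
    """Normalise a pin given as an int (as in validation.py) or a hex string."""
    if isinstance(pinned, int):
        return "%X" % pinned
    text = pinned.replace(" ", "").upper()
    return text[2:] if text.startswith("0X") else text


def matches(pinned, colons_output):
    """Fingerprints whose trailing hex digits equal the pinned identifier."""
    pin = pin_hex(pinned)
    return [f for f in fingerprints(colons_output) if f.endswith(pin)]


def verify_pinned(pinned, colons_output):
    """Return the single key selected by a full 40-digit fingerprint pin."""
    pin = pin_hex(pinned)
    if len(pin) != 40:
        raise ValueError("pin is a key ID, not a full fingerprint")
    hits = matches(pin, colons_output)
    if len(hits) != 1:
        raise ValueError("expected exactly one key, got %d" % len(hits))
    return hits[0]
```

On the constructed sample, the short ID from the old default selects both keys, the long ID from the patch selects one, and `verify_pinned` accepts only the 40-digit form.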