Package: dpkg
Version: 1.21.13
Severity: serious
Tags: security
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
Hi,

dpkg 1.21.13 introduced passing "--openpgp" to GnuPG by default due to some conflict between the dpkg maintainer and gnupg upstream. This causes GnuPG to use insecure cryptographic algorithms like the SHA-1 digest algorithm by default.

Please revert https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?h=1.21.13&id=b83114daa69c50d368199d00fbb67e190068b273

I do not think that cryptographic defaults from over 15 years ago are a good default choice today; rather, they are a security issue (just like, for example, reverting to using SSL3 instead of TLS1.3).

Ansgar

-- Package-specific info:
This system uses merged-usr-via-aliased-dirs, going behind dpkg's back, breaking its core assumptions. This can cause silent file overwrites and disappearances, and its general tools misbehavior. See <https://wiki.debian.org/Teams/Dpkg/FAQ#broken-usrmerge>.

I think this message should be removed as it confuses users.
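A check a practitioner would want alongside the report above is a way to confirm which digest algorithm a given OpenPGP signature was actually made with, rather than relying on what a particular GnuPG option is believed to select. The script below is an added example and is not part of the bug report, dpkg or GnuPG; it parses the "digest algo N" field that `gpg --list-packets` prints for signature packets and flags anything outside the SHA-2 family, using the digest algorithm IDs from RFC 4880 section 9.4. The two sample packet listings are constructed for offline use (the key IDs and timestamps are made up); in practice you would feed it `gpg --list-packets some.changes` or a detached `.sig` file.

```shell
#!/bin/sh
# Added example (not from the bug report, dpkg or GnuPG): flag OpenPGP
# signatures made with weak digests by inspecting `gpg --list-packets` output.
# Digest algorithm IDs follow RFC 4880 section 9.4.

digest_name() {
  case "$1" in
    1)  echo MD5 ;;
    2)  echo SHA1 ;;
    3)  echo RIPEMD160 ;;
    8)  echo SHA256 ;;
    9)  echo SHA384 ;;
    10) echo SHA512 ;;
    11) echo SHA224 ;;
    *)  echo "UNKNOWN($1)" ;;
  esac
}

# Reads `gpg --list-packets` output on stdin. Prints one verdict line per
# signature packet and returns 0 only if every signature uses a SHA-2 digest.
check_digests() {
  weak=0
  while read -r line; do
    case "$line" in
      *"digest algo "*)
        algo=${line##*digest algo }   # "8, begin of digest ab cd" -> ...
        algo=${algo%%,*}              # ... -> "8"
        name=$(digest_name "$algo")
        case "$algo" in
          8|9|10|11) echo "ok   digest algo $algo ($name)" ;;
          *)         echo "WEAK digest algo $algo ($name)"; weak=1 ;;
        esac
        ;;
    esac
  done
  return $weak
}

# Constructed samples in the shape gpg prints for a v4 RSA signature packet.
# Key IDs, timestamps and digest prefixes are placeholders, not real data.
SAMPLE_SHA1=':signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1672531200, md5len 0, sigclass 0x00
    digest algo 2, begin of digest 12 34
    hashed subpkt 2 len 4 (sig created 2023-01-01)'

SAMPLE_SHA256=':signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1672531200, md5len 0, sigclass 0x00
    digest algo 8, begin of digest ab cd
    hashed subpkt 2 len 4 (sig created 2023-01-01)'

demo() {
  echo "== signature listing with digest algo 2 =="
  printf '%s\n' "$SAMPLE_SHA1" | check_digests || echo "=> reject: SHA-1 signature"
  echo "== signature listing with digest algo 8 =="
  printf '%s\n' "$SAMPLE_SHA256" | check_digests && echo "=> accept"
  # Real usage (requires gpg): gpg --list-packets file.sig | check_digests
}

demo
```

The exit status of `check_digests` is what a build or repository script would act on; the printed lines are only for a human reading the log. Note that this checks the signature that was produced, so it is useful regardless of which dpkg or GnuPG version made it.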