---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-185355
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=185355
2006-03-28
---------------------------------------------------------------------
Name        : gnupg
Versions    : rh73: gnupg-1.0.7-13.2.legacy
Versions    : rh9: gnupg-1.2.1-9.2.legacy
Versions    : fc1: gnupg-1.2.3-2.2.legacy
Versions    : fc2: gnupg-1.2.4-2.3.legacy
Versions    : fc3: gnupg-1.2.7-1.2.legacy
Summary     : A GNU utility for secure communication and data storage.
Description :
GnuPG (GNU Privacy Guard) is a GNU utility for encrypting data and
creating digital signatures. GnuPG has advanced key management
capabilities and is compliant with the proposed OpenPGP Internet
standard described in RFC2440. Since GnuPG doesn't use any patented
algorithm, it is not compatible with any version of PGP2 (PGP2.x uses
only IDEA for symmetric-key encryption, which is patented worldwide).
---------------------------------------------------------------------
Update Information:

An updated GnuPG package that fixes signature verification flaws is
now available.

GnuPG is a utility for encrypting data and creating digital signatures.

Tavis Ormandy discovered a bug in the way GnuPG verifies
cryptographically signed data with detached signatures. It is possible
for an attacker to construct a cryptographically signed message which
could appear to come from a third party. When a victim processes a
GnuPG message with a malformed detached signature, GnuPG ignores the
malformed signature, processes and outputs the signed data, and exits
with status 0, just as it would if the signature had been valid. The
exit status therefore gives no indication that no signature
verification took place at all. This issue is primarily of concern
when GnuPG results are processed by an automated script that treats
exit status 0 as proof of a verified signature. The Common
Vulnerabilities and Exposures project assigned the name CVE-2006-0455
to this issue.

Tavis Ormandy also discovered a bug in the way GnuPG verifies
cryptographically signed data with inline signatures. It is possible
for an attacker to inject unsigned data into a signed message in such
a way that when a victim processes the message to recover the data,
the unsigned data is output along with the signed data, gaining the
appearance of having been signed. This issue is mitigated in the GnuPG
shipped with Red Hat Enterprise Linux as the --ignore-crc-error option
must be passed to the gpg executable for this attack to be successful.
The Common Vulnerabilities and Exposures project assigned the name
CVE-2006-0049 to this issue.

Please note that neither of these issues affects the way RPM or
up2date verify RPM package files, nor is RPM vulnerable to either of
these issues.

All users of GnuPG are advised to upgrade to this updated package,
which contains backported patches to correct these issues.
---------------------------------------------------------------------
Changelogs

rh73:
* Thu Mar 23 2006 Marc Deslauriers <marcdeslauriers@xxxxxxxxxxxx> 1.0.7-13.2.legacy
- Added missing openldap-devel and zlib-devel to BuildPrereq
* Wed Mar 15 2006 Donald Maner <donjr@xxxxxxxxx> 1.0.7-13.1.legacy
- add patch from Werner Koch to error out on ambiguous armored
  signatures in message, with some more bits from Klaus Singvogel to
  handle argument parsing, backported (CVE-2006-0049, #185355)
- add backport of patch from Werner Koch to fix the exit status when
  verifying signatures when no signature is provided (CVE-2006-0455,
  #185355)

rh9:
* Thu Mar 23 2006 Marc Deslauriers <marcdeslauriers@xxxxxxxxxxxx> 1.2.1-9.2.legacy
- Added missing openldap to BuildPrereq
* Wed Mar 15 2006 Donald Maner <donjr@xxxxxxxxx> 1.2.1-9.1.legacy
- add patch from Werner Koch to error out on ambiguous armored
  signatures in message, with some more bits from Klaus Singvogel to
  handle argument parsing, backported (CVE-2006-0049, #185355)
- add backport of patch from Werner Koch to fix the exit status when
  verifying signatures when no signature is provided (CVE-2006-0455,
  #185355)

fc1:
* Thu Mar 23 2006 Marc Deslauriers <marcdeslauriers@xxxxxxxxxxxx> 1.2.3-2.2.legacy
- Added missing openldap-devel and zlib-devel to BuildPrereq
* Wed Mar 15 2006 Donald Maner <donjr@xxxxxxxxx> 1.2.3-2.1.legacy
- add patch from Werner Koch to error out on ambiguous armored
  signatures in message, with some more bits from Klaus Singvogel to
  handle argument parsing, backported (CVE-2006-0049, #185355)
- add backport of patch from Werner Koch to fix the exit status when
  verifying signatures when no signature is provided (CVE-2006-0455,
  #185355)

fc2:
* Thu Mar 23 2006 Marc Deslauriers <marcdeslauriers@xxxxxxxxxxxx> 1.2.3-2.3.legacy
- Added missing openldap-devel, bzip2-devel and zlib-devel to BuildPrereq
* Wed Mar 15 2006 Donald Maner <donjr@xxxxxxxxx> 1.2.3-2.1.legacy
- add patch from Werner Koch to error out on ambiguous armored
  signatures in message, with some more bits from Klaus Singvogel to
  handle argument parsing, backported (CVE-2006-0049, #185355)
- add backport of patch from Werner Koch to fix the exit status when
  verifying signatures when no signature is provided (CVE-2006-0455,
  #185355)

fc3:
* Tue Mar 28 2006 Marc Deslauriers <marcdeslauriers@xxxxxxxxxxxx> 1.2.7-1.2.legacy
- Added missing openldap-devel, bzip2-devel and zlib-devel to BuildPrereq
* Wed Mar 15 2006 Donald Maner <donjr@xxxxxxxxx> 1.2.7-1.1.legacy
- add patch from Werner Koch to error out on ambiguous armored
  signatures in message, with some more bits from Klaus Singvogel to
  handle argument parsing, backported (CVE-2006-0049, #185355)
- add backport of patch from Werner Koch to fix the exit status when
  verifying signatures when no signature is provided (CVE-2006-0455,
  #185355)
---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedoralegacy.org/
(sha1sums)

rh73:
86adcfed9761a1d962d9d941f580137ef9d9a2f2 redhat/7.3/updates-testing/i386/gnupg-1.0.7-13.2.legacy.i386.rpm
f0dd605d899741889be374f7a23b1e1240462069 redhat/7.3/updates-testing/SRPMS/gnupg-1.0.7-13.2.legacy.src.rpm

rh9:
b551dcbc9739ca6af6ca175c61709d5a4209fee6 redhat/9/updates-testing/i386/gnupg-1.2.1-9.2.legacy.i386.rpm
937e799801ee740b3076aaf7bae40aedad8150bf redhat/9/updates-testing/SRPMS/gnupg-1.2.1-9.2.legacy.src.rpm

fc1:
69c6c0d7cd4250e7e9ce1dc67ce4f3da3ee3b810 fedora/1/updates-testing/i386/gnupg-1.2.3-2.2.legacy.i386.rpm
b0f065bc8326fdc3f842dbc368be479f5d6b27c0 fedora/1/updates-testing/SRPMS/gnupg-1.2.3-2.2.legacy.src.rpm

fc2:
4c9c5887459282cf336cc18c161eb3a243ea4b6d fedora/2/updates-testing/i386/gnupg-1.2.4-2.3.legacy.i386.rpm
ffdee44401e55625c991eb20a6fcf316f0fae7c9 fedora/2/updates-testing/SRPMS/gnupg-1.2.4-2.3.legacy.src.rpm

fc3:
56347e77b9f310b8b9f13b5105f50720d114660f fedora/3/updates-testing/i386/gnupg-1.2.7-1.2.legacy.i386.rpm
42858f6256ed2aed3ebacaa1ea948ab245713ad6 fedora/3/updates-testing/x86_64/gnupg-1.2.7-1.2.legacy.x86_64.rpm
66087d787f7707eb181ceff7e37d3f2ca624201a fedora/3/updates-testing/SRPMS/gnupg-1.2.7-1.2.legacy.src.rpm
---------------------------------------------------------------------
Please test and comment in bugzilla.
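The automated-script case called out under CVE-2006-0455 is where a wrapper that equates "gpg exited 0" with "signature verified" gets fooled. The following is an added example written for this page; it is not part of the advisory or of GnuPG. It shows the check such a script should make instead: drive gpg with --status-fd and decide from the machine-readable status keywords (GOODSIG, VALIDSIG, BADSIG, NODATA and so on, as documented in GnuPG's doc/DETAILS), which are only emitted when a signature was actually examined, rather than from the exit code. The sample status streams, key ID, fingerprint and user ID below are constructed placeholders, not captured from a real gpg run; the helper names are this example's own.

```python
"""Judge a GnuPG detached-signature check from --status-fd, not the exit status.

Added example for the CVE-2006-0455 scenario: an unpatched gpg exits 0 on a
malformed detached signature after verifying nothing. The status stream
(--status-fd) only carries GOODSIG/VALIDSIG when a signature was really
checked, so a script keyed on those lines is not fooled by the exit code.
"""
import re
import subprocess
from typing import Dict, Iterable, List, Optional

# Both keywords must be present: GOODSIG (signature checked against a known
# key and found good) and VALIDSIG (carries the signing key fingerprint).
REQUIRED = {"GOODSIG", "VALIDSIG"}
# Any of these means the data must not be trusted, whatever else appeared.
FAILURE = {"BADSIG", "ERRSIG", "NODATA", "EXPSIG", "EXPKEYSIG",
           "REVKEYSIG", "NO_PUBKEY", "UNEXPECTED"}

_STATUS_LINE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")


def parse_status(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Map each [GNUPG:] keyword to the argument strings seen for it."""
    seen: Dict[str, List[str]] = {}
    for line in lines:
        m = _STATUS_LINE.match(line.rstrip("\r\n"))
        if m:
            seen.setdefault(m.group(1), []).append(m.group(2) or "")
    return seen


def signature_ok(status_lines: Iterable[str],
                 expected_fpr: Optional[str] = None) -> bool:
    """True only if a signature was checked, was good and, if requested,
    was made by the expected key. An empty status stream means nothing
    was verified and is a failure regardless of gpg's exit code."""
    status = parse_status(status_lines)
    keywords = set(status)
    if not REQUIRED <= keywords:
        return False
    if FAILURE & keywords:
        return False
    if expected_fpr is not None:
        # The first VALIDSIG field is the fingerprint of the signing key.
        fingerprints = {args.split()[0].upper()
                        for args in status["VALIDSIG"] if args}
        if expected_fpr.upper() not in fingerprints:
            return False
    return True


def verify_detached(sig_path: str, data_path: str,
                    expected_fpr: Optional[str] = None) -> bool:
    """Run gpg on a detached signature and decide from the status stream.
    proc.returncode is deliberately not consulted: on an unpatched gpg it
    is 0 even when no signature was verified (CVE-2006-0455)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--no-tty", "--status-fd", "1",
         "--verify", sig_path, data_path],
        stdout=subprocess.PIPE, stderr=subprocess.DEVNULL,
        text=True, check=False,
    )
    return signature_ok(proc.stdout.splitlines(), expected_fpr)


# Constructed sample status streams (not captured from a real gpg run).
# Key ID, fingerprint, user ID and SIG_ID are placeholders.
PLACEHOLDER_FPR = "1234567890ABCDEF1234567890ABCDEF12345678"

GOOD_RUN = [
    "[GNUPG:] SIG_ID kQ6Z8v1hZ4c7jS0f1kqkW2x3Y4M 2006-03-28 1143504000",
    "[GNUPG:] GOODSIG 1234567890ABCDEF Example Signer <signer@example.org>",
    "[GNUPG:] VALIDSIG " + PLACEHOLDER_FPR + " 2006-03-28 1143504000",
    "[GNUPG:] TRUST_ULTIMATE",
]

# Model of the vulnerable case: the signed data is passed through, gpg
# exits 0, but no GOODSIG/VALIDSIG is emitted because nothing was checked.
# (Modelled as an empty stream; the exact lines vary by version.)
MALFORMED_RUN: List[str] = []

BAD_RUN = [
    "[GNUPG:] BADSIG 1234567890ABCDEF Example Signer <signer@example.org>",
]

if __name__ == "__main__":
    for name, run in (("good", GOOD_RUN), ("malformed", MALFORMED_RUN),
                      ("bad", BAD_RUN)):
        print(name, "->", "accept" if signature_ok(run) else "reject")
```

Pinning expected_fpr is the part most wrappers omit: a GOODSIG from any key in the keyring still satisfies the keyword test, so the fingerprint check is what ties "verified" to "verified by the key we expect".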
Attachment:
signature.asc
Description: OpenPGP digital signature
-- fedora-legacy-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-legacy-list