5907455 2000-12-29 15:42 -0200 /119 rader/ <secure@CONECTIVA.COM.BR> Sänt av: joel@lysator.liu.se Importerad: 2001-01-02 18:18 av Brevbäraren (som är implementerad i) Python Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM Externa svar till: secure@CONECTIVA.COM.BR Mottagare: Bugtraq (import) <14549> Ärende: [CLA-2000:368] Conectiva Linux Security Announcement - gnupg ------------------------------------------------------------ From: secure@CONECTIVA.COM.BR To: BUGTRAQ@SECURITYFOCUS.COM Message-ID: <200012291742.PAA18002@frajuto.distro.conectiva> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -------------------------------------------------------------------------- CONECTIVA LINUX SECURITY ANNOUNCEMENT - -------------------------------------------------------------------------- PACKAGE : gnupg SUMMARY : Vulnerability with detached signatures and web of trust DATE : 2000-12-29 15:41:00 ID : CLA-2000:368 RELEVANT RELEASES : 4.0, 4.0es, 4.1, 4.2, 5.0, prg gráficos, ecommerce, 5.1, 6.0 - ------------------------------------------------------------------------- DESCRIPTION Two vulnerabilities were fixed in this new version of the gnupg package: 1) There was a problem with detached signatures checking. If the signature file was not a detached signature but just a signed file, gnupg would only check this signature file and not the file itself. Thus: gpg --verify signedfile.txt.asc myfile.tar.gz would only check signedfile.txt.asc and completely ignore myfile.tar.gz if signedfile.txt.asc were a signed file and not a detached signature, giving a dangerous false impression to the user that myfile.tar.gz was actually checked. 2) gnupg would also import private keys from keyservers and with the --import command line option. Since the corresponding public key would then be immediately trusted, this could be used by an attacker to circumvent the web of trust. SOLUTION All users should upgrade the gnupg package. Please note that there are some modifications to command-line options and that existing scripts which use gpg should be revised: 1) To make the --verify option accept data from stdin, a dash sign ("-") has to be added: gpg --verify signature.asc - < mydata 2) In order to import private keys, the option "--allow-secret-key-import" has to be added to the command-line. The updated package now has Conectiva's public GPG key. This key will be installed into root's public keyring upon installation of the updated gnupg package. DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES ftp://atualizacoes.conectiva.com.br/4.0/SRPMS/gnupg-1.0.4-5cl.src.rpm ftp://atualizacoes.conectiva.com.br/4.0/i386/gnupg-1.0.4-5cl.i386.rpm ftp://atualizacoes.conectiva.com.br/4.0es/SRPMS/gnupg-1.0.4-5cl.src.rpm ftp://atualizacoes.conectiva.com.br/4.0es/i386/gnupg-1.0.4-5cl.i386.rpm ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/gnupg-1.0.4-5cl.src.rpm ftp://atualizacoes.conectiva.com.br/4.1/i386/gnupg-1.0.4-5cl.i386.rpm ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/gnupg-1.0.4-5cl.src.rpm ftp://atualizacoes.conectiva.com.br/4.2/i386/gnupg-1.0.4-5cl.i386.rpm ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/gnupg-1.0.4-5cl.src.rpm ftp://atualizacoes.conectiva.com.br/5.0/i386/gnupg-1.0.4-5cl.i386.rpm ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/gnupg-1.0.4-5cl.src.rpm ftp://atualizacoes.conectiva.com.br/5.1/i386/gnupg-1.0.4-5cl.i386.rpm ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/gnupg-1.0.4-5cl.src.rpm ftp://atualizacoes.conectiva.com.br/6.0/RPMS/gnupg-1.0.4-5cl.i386.rpm ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/gnupg-1.0.4-5cl.src.rpm ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/gnupg-1.0.4-5cl.i386.rpm ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/gnupg-1.0.4-5cl.src.rpm ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/gnupg-1.0.4-5cl.i386.rpm ADDITIONAL INSTRUCTIONS Users of Conectiva Linux version 6.0 or higher may use apt to perform upgrades: - add the following line to /etc/apt/sources.list if it is not there yet (you may also use linuxconf to do this): rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates - run: apt-get update - after that, execute: apt-get upgrade Detailed instructions reagarding the use of apt and upgrade examples can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en - ------------------------------------------------------------------------- All packages are signed with Conectiva's GPG key. The key and instructions on how to import it can be found at http://distro.conectiva.com.br/seguranca/chave/?idioma=en Instructions on how to check the signatures of the RPM packages can be found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en - ------------------------------------------------------------------------- All our advisories and generic update instructions can be viewed at http://www.conectiva.com.br/suporte/atualizacoes - ------------------------------------------------------------------------- subscribe: atualizacoes-anuncio-subscribe@papaleguas.conectiva.com.br unsubscribe: atualizacoes-anuncio-unsubscribe@papaleguas.conectiva.com.br -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE6TMz342jd0JmAcZARAu1VAKCxsk3gQ0sMjpyJWeq6DEJy1DVahwCgv3kr zclNhyndotRiy5Wgj9zVAn4= =haaU -----END PGP SIGNATURE----- (5907455) --------------------------------(Ombruten)