[UPDATED] Fedora Legacy Test Update Notification: gnupg

Marc Deslauriers marcdeslauriers at videotron.ca
Sat Apr 1 21:46:12 UTC 2006


The rh73 packages were updated to correct a broken info page.

---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-185355
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=185355
2006-04-01
---------------------------------------------------------------------

Name        : gnupg
Versions    : rh73: gnupg-1.0.7-13.3.legacy
Versions    : rh9: gnupg-1.2.1-9.2.legacy
Versions    : fc1: gnupg-1.2.3-2.2.legacy
Versions    : fc2: gnupg-1.2.4-2.3.legacy
Versions    : fc3: gnupg-1.2.7-1.2.legacy
Summary     : A GNU utility for secure communication and data storage.
Description :
GnuPG (GNU Privacy Guard) is a GNU utility for encrypting data and
creating digital signatures. GnuPG has advanced key management
capabilities and is compliant with the proposed OpenPGP Internet
standard described in RFC2440. Since GnuPG doesn't use any patented
algorithm, it is not compatible with any version of PGP2 (PGP2.x uses
only IDEA for symmetric-key encryption, which is patented worldwide).

---------------------------------------------------------------------
Update Information:

An updated GnuPG package that fixes signature verification flaws is now
available.

GnuPG is a utility for encrypting data and creating digital signatures.

Tavis Ormandy discovered a bug in the way GnuPG verifies
cryptographically signed data with detached signatures. It is possible
for an attacker to construct a cryptographically signed message which
could appear to come from a third party. When a victim processes a GnuPG
message with a malformed detached signature, GnuPG ignores the malformed
signature, processes and outputs the signed data, and exits with status
0, just as it would if the signature had been valid. In this case,
GnuPG's exit status would not indicate that no signature verification
had taken place. This issue would primarily be of concern when
processing GnuPG results via an automated script. The Common
Vulnerabilities and Exposures project assigned the name CVE-2006-0455 to
this issue.

Tavis Ormandy also discovered a bug in the way GnuPG verifies
cryptographically signed data with inline signatures. It is possible for an
attacker to inject unsigned data into a signed message in such a way that
when a victim processes the message to recover the data, the unsigned data
is output along with the signed data, gaining the appearance of having been
signed. This issue is mitigated in the GnuPG shipped with Red Hat
Enterprise Linux as the --ignore-crc-error option must be passed to the gpg
executable for this attack to be successful. The Common Vulnerabilities and
Exposures project assigned the name CVE-2006-0049 to this issue.
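The first issue above bites scripts that treat `gpg` exit status 0 as proof that a signature was verified. Regardless of GnuPG version, an automated consumer should decide on GnuPG's machine-readable status channel (`--status-fd`) and require an explicit GOODSIG/VALIDSIG from a key it trusts, rejecting any run that reports no signature at all. The following is an added example written for this notice, not code from the advisory, from GnuPG or from Fedora Legacy; the fingerprint and the status transcripts are constructed, and `verify_detached` assumes a `gpg` binary on PATH. The keywords used (GOODSIG, VALIDSIG, BADSIG, ERRSIG, EXPSIG, EXPKEYSIG, REVKEYSIG, NODATA, TRUST_ULTIMATE) are GnuPG's documented status-fd keywords. Note that this check covers the exit-status problem (CVE-2006-0455) only; the unsigned-data injection into inline signed messages (CVE-2006-0049) is addressed by the updated package itself.

```python
import subprocess

# Constructed placeholder fingerprint standing in for the key a deployment trusts.
TRUSTED_FPRS = {"0123456789ABCDEF0123456789ABCDEF01234567"}

STATUS_PREFIX = "[GNUPG:] "

# Explicit failure indicators on the status channel; any of these means "not verified".
FAILURE_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NODATA"}

# Constructed --status-fd transcripts (not captured from a real gpg run).
# 1) A good signature from the trusted key.  VALIDSIG's first field is the
#    fingerprint of the signing key.
GOOD_STATUS = """\
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2006-04-01 1143928000 0 3 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_ULTIMATE
"""
# 2) A signature gpg could not check (for example, the public key is missing).
ERRSIG_STATUS = "[GNUPG:] ERRSIG 0123456789ABCDEF 17 2 00 1143928000 9\n"
# 3) The CVE-2006-0455 shape: the malformed signature was silently ignored, so
#    no signature-related status line appears even though gpg exited 0.
EMPTY_STATUS = ""


def parse_status(status_text):
    """Split gpg --status-fd output into (keyword, args) pairs.

    Lines without the '[GNUPG:] ' prefix (e.g. interleaved data) are ignored.
    """
    records = []
    for line in status_text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        fields = line[len(STATUS_PREFIX):].split()
        if fields:
            records.append((fields[0], fields[1:]))
    return records


def signature_verified(exit_code, status_text, trusted_fprs):
    """Return True only if gpg verified a good signature from a trusted key.

    Exit status 0 is necessary but never sufficient: a run that verified
    nothing (no GOODSIG and no VALIDSIG) is rejected even when exit_code is 0.
    """
    if exit_code != 0:
        return False
    records = parse_status(status_text)
    keywords = {kw for kw, _ in records}
    if keywords & FAILURE_KEYWORDS:
        return False
    if "GOODSIG" not in keywords:
        return False  # nothing was verified, whatever the exit code says
    fprs = [args[0].upper() for kw, args in records if kw == "VALIDSIG" and args]
    if not fprs:
        return False
    trusted = {f.upper() for f in trusted_fprs}
    # Every verified signature must come from a key on the allow-list.
    return all(f in trusted for f in fprs)


def verify_detached(sig_path, data_path, trusted_fprs=TRUSTED_FPRS):
    """Run gpg on a detached signature and judge the result by the status channel.

    Assumes a gpg binary on PATH; --status-fd 1 routes status lines to stdout.
    """
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, check=False)
    return signature_verified(proc.returncode, proc.stdout, trusted_fprs)


if __name__ == "__main__":
    # All three transcripts are paired with exit status 0; only the first passes.
    for name, status in [("good", GOOD_STATUS), ("errsig", ERRSIG_STATUS),
                         ("empty", EMPTY_STATUS)]:
        print(f"{name:7s} exit=0 verified={signature_verified(0, status, TRUSTED_FPRS)}")
```

The design point is that the decision is made on positive evidence (a GOODSIG plus a VALIDSIG whose fingerprint is on an allow-list), never on the absence of an error; this is what makes the check robust to a verifier that silently skips a signature it cannot parse.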

Please note that neither of these issues affects the way RPM or up2date
verify RPM package files, nor is RPM itself vulnerable to either issue.

All users of GnuPG are advised to upgrade to this updated package, which
contains backported patches to correct these issues.


---------------------------------------------------------------------
Changelogs

rh73:
* Sat Apr 01 2006 Marc Deslauriers <marcdeslauriers at videotron.ca> 1.0.7-13.3.legacy
- Added missing texinfo to BuildPrereq

* Thu Mar 23 2006 Marc Deslauriers <marcdeslauriers at videotron.ca> 1.0.7-13.2.legacy
- Added missing openldap-devel and zlib-devel to BuildPrereq

* Wed Mar 15 2006 Donald Maner <donjr at maner.org> 1.0.7-13.1.legacy
- add patch from Werner Koch to error out on ambiguous armored signatures in
  message, with some more bits from Klaus Singvogel to handle argument parsing,
  backported (CVE-2006-0049, #185355)
- add backport of patch from Werner Koch to fix the exit status when verifying
  signatures when no signature is provided (CVE-2006-0455, #185355)

rh9:
* Thu Mar 23 2006 Marc Deslauriers <marcdeslauriers at videotron.ca> 1.2.1-9.2.legacy
- Added missing openldap to BuildPrereq

* Wed Mar 15 2006 Donald Maner <donjr at maner.org> 1.2.1-9.1.legacy
- add patch from Werner Koch to error out on ambiguous armored signatures in
  message, with some more bits from Klaus Singvogel to handle argument parsing,
  backported (CVE-2006-0049, #185355)
- add backport of patch from Werner Koch to fix the exit status when verifying
  signatures when no signature is provided (CVE-2006-0455, #185355)

fc1:
* Thu Mar 23 2006 Marc Deslauriers <marcdeslauriers at videotron.ca> 1.2.3-2.2.legacy
- Added missing openldap-devel and zlib-devel to BuildPrereq

* Wed Mar 15 2006 Donald Maner <donjr at maner.org> 1.2.3-2.1.legacy
- add patch from Werner Koch to error out on ambiguous armored signatures in
  message, with some more bits from Klaus Singvogel to handle argument parsing,
  backported (CVE-2006-0049, #185355)
- add backport of patch from Werner Koch to fix the exit status when verifying
  signatures when no signature is provided (CVE-2006-0455, #185355)

fc2:
* Thu Mar 23 2006 Marc Deslauriers <marcdeslauriers at videotron.ca> 1.2.3-2.3.legacy
- Added missing openldap-devel, bzip2-devel and zlib-devel to BuildPrereq

* Wed Mar 15 2006 Donald Maner <donjr at maner.org> 1.2.3-2.1.legacy
- add patch from Werner Koch to error out on ambiguous armored signatures in
  message, with some more bits from Klaus Singvogel to handle argument parsing,
  backported (CVE-2006-0049, #185355)
- add backport of patch from Werner Koch to fix the exit status when verifying
  signatures when no signature is provided (CVE-2006-0455, #185355)

fc3:
* Tue Mar 28 2006 Marc Deslauriers <marcdeslauriers at videotron.ca> 1.2.7-1.2.legacy
- Added missing openldap-devel, bzip2-devel and zlib-devel to BuildPrereq

* Wed Mar 15 2006 Donald Maner <donjr at maner.org> 1.2.7-1.1.legacy
- add patch from Werner Koch to error out on ambiguous armored signatures in
  message, with some more bits from Klaus Singvogel to handle argument parsing,
  backported (CVE-2006-0049, #185355)
- add backport of patch from Werner Koch to fix the exit status when verifying
  signatures when no signature is provided (CVE-2006-0455, #185355)


---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedoralegacy.org/
(sha1sums)

rh73:
8908e71fbca5c2bae5f3aadd774e42a49a5cb957
redhat/7.3/updates-testing/i386/gnupg-1.0.7-13.3.legacy.i386.rpm
dd9dc31630ca66faffb4f214f425b973cb3212cf
redhat/7.3/updates-testing/SRPMS/gnupg-1.0.7-13.3.legacy.src.rpm

rh9:
b551dcbc9739ca6af6ca175c61709d5a4209fee6
redhat/9/updates-testing/i386/gnupg-1.2.1-9.2.legacy.i386.rpm
937e799801ee740b3076aaf7bae40aedad8150bf
redhat/9/updates-testing/SRPMS/gnupg-1.2.1-9.2.legacy.src.rpm

fc1:
69c6c0d7cd4250e7e9ce1dc67ce4f3da3ee3b810
fedora/1/updates-testing/i386/gnupg-1.2.3-2.2.legacy.i386.rpm
b0f065bc8326fdc3f842dbc368be479f5d6b27c0
fedora/1/updates-testing/SRPMS/gnupg-1.2.3-2.2.legacy.src.rpm

fc2:
4c9c5887459282cf336cc18c161eb3a243ea4b6d
fedora/2/updates-testing/i386/gnupg-1.2.4-2.3.legacy.i386.rpm
ffdee44401e55625c991eb20a6fcf316f0fae7c9
fedora/2/updates-testing/SRPMS/gnupg-1.2.4-2.3.legacy.src.rpm

fc3:
56347e77b9f310b8b9f13b5105f50720d114660f
fedora/3/updates-testing/i386/gnupg-1.2.7-1.2.legacy.i386.rpm
42858f6256ed2aed3ebacaa1ea948ab245713ad6
fedora/3/updates-testing/x86_64/gnupg-1.2.7-1.2.legacy.x86_64.rpm
66087d787f7707eb181ceff7e37d3f2ca624201a
fedora/3/updates-testing/SRPMS/gnupg-1.2.7-1.2.legacy.src.rpm

---------------------------------------------------------------------

Please test and comment in bugzilla.
