lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Mon Mar 13 14:27:50 2006
From: martin.pitt at canonical.com (Martin Pitt)
Subject: [USN-264-1] gnupg vulnerability

===========================================================
Ubuntu Security Notice USN-264-1	     March 13, 2006
gnupg vulnerability
CVE-2006-0049
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

gnupg

The problem can be corrected by upgrading the affected package to
version 1.2.4-4ubuntu2.3 (for Ubuntu 4.10), 1.2.5-3ubuntu5.3 (for
Ubuntu 5.04), or 1.4.1-1ubuntu1.2 (for Ubuntu 5.10).  In general, a
standard system upgrade is sufficient to effect the necessary changes.

Details follow:

Tavis Ormandy discovered a flaw in gnupg's signature verification. In
some cases, certain invalid signature formats could cause gpg to
report a 'good signature' result for auxiliary unsigned data which was
prepended or appended to the checked message part.


Updated packages for Ubuntu 4.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.4-4ubuntu2.3.diff.gz
      Size/MD5:    60031 fc55a23607cfac514084704155760cc8
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.4-4ubuntu2.3.dsc
      Size/MD5:      621 c0d08dda5a9b2bd3f130b94784082dc5
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.4.orig.tar.gz
      Size/MD5:  3451202 adfab529010ba55533c8e538c0b042a2

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.4-4ubuntu2.3_amd64.deb
      Size/MD5:  1722782 8556e99b322bdf18ef7bad54329410df

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.4-4ubuntu2.3_i386.deb
      Size/MD5:  1667764 410203ad10b3eb99997faa56950958af

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.4-4ubuntu2.3_powerpc.deb
      Size/MD5:  1721814 c6038008b123518fbf75f8547e1619a5

Updated packages for Ubuntu 5.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.5-3ubuntu5.3.diff.gz
      Size/MD5:    66069 42bba8259f5a074b89da1bb422889f1b
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.5-3ubuntu5.3.dsc
      Size/MD5:      654 5930a6888f76f726ea7076eff76f14e9
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.5.orig.tar.gz
      Size/MD5:  3645308 9109ff94f7a502acd915a6e61d28d98a

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.5-3ubuntu5.3_amd64.deb
      Size/MD5:   805910 4d69ba91dd0d2c79b54725d1bd139923
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.2.5-3ubuntu5.3_amd64.udeb
      Size/MD5:   146442 a603783255829e50e444e859321e0001

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.5-3ubuntu5.3_i386.deb
      Size/MD5:   750516 f8d97e8702866e76ba7b6ea5f946c4f0
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.2.5-3ubuntu5.3_i386.udeb
      Size/MD5:   121348 1feb52e0c56d73302477a99569147519

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.5-3ubuntu5.3_powerpc.deb
      Size/MD5:   806396 36ba1f3473c45060151e8f2089261172
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.2.5-3ubuntu5.3_powerpc.udeb
      Size/MD5:   135406 a92ce4e3384f840cf48dc50de94c9d8d

Updated packages for Ubuntu 5.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.1-1ubuntu1.2.diff.gz
      Size/MD5:    20510 acff054f7255a23ce8cd7595a68ca2b8
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.1-1ubuntu1.2.dsc
      Size/MD5:      684 70749478363ef5374259a66ef5517bb7
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.1.orig.tar.gz
      Size/MD5:  4059170 1cc77c6943baaa711222e954bbd785e5

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.1-1ubuntu1.2_amd64.deb
      Size/MD5:  1136048 31643c8b2e3cfcd8774ad17ceb5e8e0c
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.4.1-1ubuntu1.2_amd64.udeb
      Size/MD5:   152158 b7b70b5ee13b46854b9383b2a280aea0

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.1-1ubuntu1.2_i386.deb
      Size/MD5:  1044172 cdf0e85e58ba4b760741a72c5c7e6603
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.4.1-1ubuntu1.2_i386.udeb
      Size/MD5:   130664 2719e86828d066102cade3457de20a6a

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.1-1ubuntu1.2_powerpc.deb
      Size/MD5:  1119252 208607aed4a4b0a4e27dc503e3c2147c
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.4.1-1ubuntu1.2_powerpc.udeb
      Size/MD5:   140140 85387ea67c3ab38f50641fdbfb124ede
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 191 bytes
Desc: Digital signature
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060313/5943938f/attachment.bin

Powered by blists - more mailing lists