lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 17 Nov 2003 10:56:58 -0800
Subject: OpenLinux: Key validity bug in GnuPG 1.2.1 and earlier


Hash: SHA1


			SCO Security Advisory

Subject:		OpenLinux: Key validity bug in GnuPG 1.2.1 and earlier
Advisory number: 	CSSA-2003-034.0
Issue date: 		2003 November 17
Cross reference:	sr883602 fz528211 erg712405 CAN-2003-0255

1. Problem Description

	As part of the development of GnuPG 1.2.2, a bug was
	discovered in the key validation code. This bug causes keys
	with more than one user ID to give all user IDs on the key
	the amount of validity given to the most-valid key.

	CAN-2003-0255 The key validation code in GnuPG before 1.2.2
	does not properly determine the validity of keys with
	multiple user IDs and assigns the greatest validity of the
	most valid user ID, which prevents GnuPG from warning the
	encrypting user when a user ID does not have a trusted path.

	The Common Vulnerabilities and Exposures (CVE) project has
	assigned the name CAN-2003-0255 to this issue. This is a
	candidate for inclusion in the CVE list (,
	which standardizes names for security problems.

2. Vulnerable Supported Versions

	System				Package
	OpenLinux 3.1.1 Server		prior to gnupg-1.2.2-1.i386.rpm
	OpenLinux 3.1.1 Workstation	prior to gnupg-1.2.2-1.i386.rpm

3. Solution

	The proper solution is to install the latest packages. Many
	customers find it easier to use the Caldera System Updater, called
	cupdate (or kcupdate under the KDE environment), to update these
	packages rather than downloading and installing them by hand.

4. OpenLinux 3.1.1 Server

	4.1 Package Location

	4.2 Packages

	d6da27be5c407641dc29f753d96e41fc	gnupg-1.2.2-1.i386.rpm

	4.3 Installation

	rpm -Fvh gnupg-1.2.2-1.i386.rpm

	4.4 Source Package Location

	4.5 Source Packages

	b1ab55790186abd7997af751b3032721	gnupg-1.2.2-1.src.rpm

5. OpenLinux 3.1.1 Workstation

	5.1 Package Location

	5.2 Packages

	5469dcefe0be50d4d99d4b925a58d453	gnupg-1.2.2-1.i386.rpm

	5.3 Installation

	rpm -Fvh gnupg-1.2.2-1.i386.rpm

	5.4 Source Package Location

	5.5 Source Packages

	be6338d319f84f139e8363f64bc6673a	gnupg-1.2.2-1.src.rpm

6. References

	Specific references for this advisory:

	SCO security resources:

	This security fix closes SCO incidents sr883602 fz528211

7. Disclaimer

	SCO is not responsible for the misuse of any of the information
	we provide on this website and/or through our security
	advisories. Our advisories are a service to our customers intended
	to promote secure installation and use of SCO products.

8. Acknowledgements

	SCO would like to thank The GnuPG Team (David, Stefan, Timo and Werner)

Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see


Powered by blists - more mailing lists