[UPDATED] Fedora Legacy Test Update Notification: gnupg
The rh73 packages were updated to correct a broken info page. - Fedora Legacy Test Update Notification FEDORALEGACY-2006-185355 Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=185355 2006-04-01 - Name: gnupg Versions: rh73: gnupg-1.0.7-13.3.legacy Versions: rh9: gnupg-1.2.1-9.2.legacy Versions: fc1: gnupg-1.2.3-2.2.legacy Versions: fc2: gnupg-1.2.4-2.3.legacy Versions: fc3: gnupg-1.2.7-1.2.legacy Summary : A GNU utility for secure communication and data storage. Description : GnuPG (GNU Privacy Guard) is a GNU utility for encrypting data and creating digital signatures. GnuPG has advanced key management capabilities and is compliant with the proposed OpenPGP Internet standard described in RFC2440. Since GnuPG doesn't use any patented algorithm, it is not compatible with any version of PGP2 (PGP2.x uses only IDEA for symmetric-key encryption, which is patented worldwide). - Update Information: An updated GnuPG package that fixes signature verification flaws is now available. GnuPG is a utility for encrypting data and creating digital signatures. Tavis Ormandy discovered a bug in the way GnuPG verifies cryptographically signed data with detached signatures. It is possible for an attacker to construct a cryptographically signed message which could appear to come from a third party. When a victim processes a GnuPG message with a malformed detached signature, GnuPG ignores the malformed signature, processes and outputs the signed data, and exits with status 0, just as it would if the signature had been valid. In this case, GnuPG's exit status would not indicate that no signature verification had taken place. This issue would primarily be of concern when processing GnuPG results via an automated script. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0455 to this issue. Tavis Ormandy also discovered a bug in the way GnuPG verifies cryptographically signed data with inline signatures. It is possible for an attacker to inject unsigned data into a signed message in such a way that when a victim processes the message to recover the data, the unsigned data is output along with the signed data, gaining the appearance of having been signed. This issue is mitigated in the GnuPG shipped with Red Hat Enterprise Linux as the --ignore-crc-error option must be passed to the gpg executable for this attack to be successful. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0049 to this issue. Please note that neither of these issues affect the way RPM or up2date verify RPM package files, nor is RPM vulnerable to either of these issues. All users of GnuPG are advised to upgrade to this updated package, which contains backported patches to correct these issues. - Changelogs rh73: * Sat Apr 01 2006 Marc Deslauriers [EMAIL PROTECTED] 1.0.7-13.3.legacy - Added missing texinfo to BuildPrereq * Thu Mar 23 2006 Marc Deslauriers [EMAIL PROTECTED] 1.0.7-13.2.legacy - Added missing openldap-devel and zlib-devel to BuildPrereq * Wed Mar 15 2006 Donald Maner [EMAIL PROTECTED] 1.0.7-13.1.legacy - add patch from Werner Koch to error out on ambiguous armored signatures in message, with some more bits from Klaus Singvogel to handle argument parsing, backported (CVE-2006-0049, #185355) - add backport of patch from Werner Koch to fix the exit status when verifying signatures when no signature is provided (CVE-2006-0455, #185355) rh9: * Thu Mar 23 2006 Marc Deslauriers [EMAIL PROTECTED] 1.2.1-9.2.legacy - Added missing openldap to BuildPrereq * Wed Mar 15 2006 Donald Maner [EMAIL PROTECTED] 1.2.1-9.1.legacy - add patch from Werner Koch to error out on ambiguous armored signatures in message, with some more bits from Klaus Singvogel to handle argument parsing, backported (CVE-2006-0049, #185355) - add backport of patch from Werner Koch to fix the exit status when verifying signatures when no signature is provided (CVE-2006-0455, #185355) fc1: * Thu Mar 23 2006 Marc Deslauriers [EMAIL PROTECTED] 1.2.3-2.2.legacy - Added missing openldap-devel and zlib-devel to BuildPrereq * Wed Mar 15 2006 Donald Maner [EMAIL PROTECTED] 1.2.3-2.1.legacy - add patch from Werner Koch to error out on ambiguous armored signatures in message, with some more bits from Klaus Singvogel to handle argument parsing, backported (CVE-2006-0049, #185355) - add backport of patch from Werner Koch to fix the exit status when verifying signatures when no signature is provided (CVE-2006-0455, #185355) fc2: * Thu Mar 23 2006 Marc Deslauriers [EMAIL PROTECTED] 1.2.3-2.3.legacy - Added missing openldap-devel, bzip2-devel and zlib-devel to BuildPrereq * Wed Mar 15 2006 Donald Maner
Fedora Legacy Test Update Notification: gnupg
- Fedora Legacy Test Update Notification FEDORALEGACY-2006-185355 Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=185355 2006-03-28 - Name: gnupg Versions: rh73: gnupg-1.0.7-13.2.legacy Versions: rh9: gnupg-1.2.1-9.2.legacy Versions: fc1: gnupg-1.2.3-2.2.legacy Versions: fc2: gnupg-1.2.4-2.3.legacy Versions: fc3: gnupg-1.2.7-1.2.legacy Summary : A GNU utility for secure communication and data storage. Description : GnuPG (GNU Privacy Guard) is a GNU utility for encrypting data and creating digital signatures. GnuPG has advanced key management capabilities and is compliant with the proposed OpenPGP Internet standard described in RFC2440. Since GnuPG doesn't use any patented algorithm, it is not compatible with any version of PGP2 (PGP2.x uses only IDEA for symmetric-key encryption, which is patented worldwide). - Update Information: An updated GnuPG package that fixes signature verification flaws is now available. GnuPG is a utility for encrypting data and creating digital signatures. Tavis Ormandy discovered a bug in the way GnuPG verifies cryptographically signed data with detached signatures. It is possible for an attacker to construct a cryptographically signed message which could appear to come from a third party. When a victim processes a GnuPG message with a malformed detached signature, GnuPG ignores the malformed signature, processes and outputs the signed data, and exits with status 0, just as it would if the signature had been valid. In this case, GnuPG's exit status would not indicate that no signature verification had taken place. This issue would primarily be of concern when processing GnuPG results via an automated script. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0455 to this issue. Tavis Ormandy also discovered a bug in the way GnuPG verifies cryptographically signed data with inline signatures. It is possible for an attacker to inject unsigned data into a signed message in such a way that when a victim processes the message to recover the data, the unsigned data is output along with the signed data, gaining the appearance of having been signed. This issue is mitigated in the GnuPG shipped with Red Hat Enterprise Linux as the --ignore-crc-error option must be passed to the gpg executable for this attack to be successful. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0049 to this issue. Please note that neither of these issues affect the way RPM or up2date verify RPM package files, nor is RPM vulnerable to either of these issues. All users of GnuPG are advised to upgrade to this updated package, which contains backported patches to correct these issues. - Changelogs rh73: * Thu Mar 23 2006 Marc Deslauriers [EMAIL PROTECTED] 1.0.7-13.2.legacy - Added missing openldap-devel and zlib-devel to BuildPrereq * Wed Mar 15 2006 Donald Maner [EMAIL PROTECTED] 1.0.7-13.1.legacy - add patch from Werner Koch to error out on ambiguous armored signatures in message, with some more bits from Klaus Singvogel to handle argument parsing, backported (CVE-2006-0049, #185355) - add backport of patch from Werner Koch to fix the exit status when verifying signatures when no signature is provided (CVE-2006-0455, #185355) rh9: * Thu Mar 23 2006 Marc Deslauriers [EMAIL PROTECTED] 1.2.1-9.2.legacy - Added missing openldap to BuildPrereq * Wed Mar 15 2006 Donald Maner [EMAIL PROTECTED] 1.2.1-9.1.legacy - add patch from Werner Koch to error out on ambiguous armored signatures in message, with some more bits from Klaus Singvogel to handle argument parsing, backported (CVE-2006-0049, #185355) - add backport of patch from Werner Koch to fix the exit status when verifying signatures when no signature is provided (CVE-2006-0455, #185355) fc1: * Thu Mar 23 2006 Marc Deslauriers [EMAIL PROTECTED] 1.2.3-2.2.legacy - Added missing openldap-devel and zlib-devel to BuildPrereq * Wed Mar 15 2006 Donald Maner [EMAIL PROTECTED] 1.2.3-2.1.legacy - add patch from Werner Koch to error out on ambiguous armored signatures in message, with some more bits from Klaus Singvogel to handle argument parsing, backported (CVE-2006-0049, #185355) - add backport of patch from Werner Koch to fix the exit status when verifying signatures when no signature is provided (CVE-2006-0455, #185355) fc2: * Thu Mar 23 2006 Marc Deslauriers [EMAIL PROTECTED] 1.2.3-2.3.legacy - Added missing openldap-devel, bzip2-devel and zlib-devel to BuildPrereq * Wed Mar 15 2006 Donald Maner [EMAIL PROTECTED] 1.2.3-2.1.legacy - add patch from Werner Koch to error out on ambiguous armored signatures in message, with some more bits from Klaus Singvogel to handle