-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2006-0014
Package names: gnupg
Summary: Multiple vulnerabilities
Date: 2006-03-20
Affected versions: Trustix Secure Linux 2.2
Trustix Secure Linux 3.0
Trustix Operating System - Enterprise Server 2
- --------------------------------------------------------------------------
Package description:
gnupg
GnuPG is a complete and free replacement for PGP. Because it does not
use IDEA it can be used without any restrictions. GnuPG is in compliance
with the OpenPGP specification (RFC2440).
Problem description:
gnupg < TSL 3.0 > < TSL 2.2 > < TSEL 2 >
- New Upstream.
- SECURITY Fix: Tavis Ormandy has reported a vulnerability in GnuPG,
which can be exploited by malicious people to bypass certain security
restrictions. The vulnerability is caused due to an error in the
detection of unsigned data which makes it possible to inject arbitrary
data into a signed message and affects the verification of non-detached
signatures and signatures embedded in encrypted messages.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2006-0049 to this issue.
Action:
We recommend that all systems with this package installed be upgraded.
Please note that if you do not need the functionality provided by this
package, you may want to remove it from your system.
Location:
All Trustix Secure Linux updates are available from
<URI:http://http.trustix.org/pub/trustix/updates/>
<URI:ftp://ftp.trustix.org/pub/trustix/updates/>
About Trustix Secure Linux:
Trustix Secure Linux is a small Linux distribution for servers. With focus
on security and stability, the system is painlessly kept safe and up to
date from day one using swup, the automated software updater.
Automatic updates:
Users of the SWUP tool can enjoy having updates automatically
installed using 'swup --upgrade'.
Questions?
Check out our mailing lists:
<URI:http://www.trustix.org/support/>
Verification:
This advisory along with all Trustix packages are signed with the
TSL sign key.
This key is available from:
<URI:http://www.trustix.org/TSL-SIGN-KEY>
The advisory itself is available from the errata pages at
<URI:http://www.trustix.org/errata/trustix-2.2/> and
<URI:http://www.trustix.org/errata/trustix-3.0/>
or directly at
<URI:http://www.trustix.org/errata/2006/0014/>
MD5sums of the packages:
- --------------------------------------------------------------------------
bd1374efe2f4a5244ebb61c76976eea6 3.0/rpms/gnupg-1.4.2.2-1tr.i586.rpm
40a6e54f3e22a61d76f53ffc2beb5328 3.0/rpms/gnupg-utils-1.4.2.2-1tr.i586.rpm
ad1f96671a07bee2ce265154e91d82f8 2.2/rpms/gnupg-1.2.6-2tr.i586.rpm
01bab9eaaa2beb8430c87b0a6e1f06b8 2.2/rpms/gnupg-utils-1.2.6-2tr.i586.rpm
- --------------------------------------------------------------------------
Trustix Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
iD8DBQFEHlrri8CEzsK9IksRAoUJAKCel97krvGk2mG7SE81ZQvPqWfI3QCePjo0
WSrpu0pBoLuZyE/ylfFfMBY=
=yp0J
-----END PGP SIGNATURE-----
_______________________________________________
tsl-announce mailing list
[email protected]
http://lists.trustix.org/mailman/listinfo/tsl-announce
_______________________________________________
tsl-discuss mailing list
[email protected]
http://lists.trustix.org/mailman/listinfo/tsl-discuss
