CONECTIVA LINUX SECURITY ANNOUNCEMENT
PACKAGE          : gnupg
SUMMARY          : GnuPG key validity vulnerability
DATE             : 2003-07-11 16:02:00
ID               : CLA-2003:694
RELEVANT RELEASES: 7.0, 8, 9
DESCRIPTION
GnuPG[1] is an OpenPGP-compliant tool for secure communication, used,
for example, to sign emails and to encrypt, decrypt and verify (signed)
data.
During the development of GnuPG 1.2.2, a bug was found in the key
validation code. On keys with more than one user ID, this bug gives
every user ID on the key the validity of the most-valid user ID. As a
result, GnuPG would not emit a warning when a low-trust user ID is used
for encryption if the same key also contains a sufficiently trusted
user ID.
Keys with only one user ID are not affected by this problem.
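A simplified model of the defect, added here as an illustration (not GnuPG's own code): validity is reduced to an integer rank, the owner-trust table and key IDs are constructed, and the buggy computation is contrasted with the per-user-ID computation the fix restores.

```python
# Simplified model of the GnuPG key-validity bug described in CLA-2003:694.
# Constructed example, not GnuPG's own code: validity is an integer rank and a
# user ID is valid only if a sufficiently trusted key has signed that user ID.
from dataclasses import dataclass, field

# Validity levels in increasing order, using the names GnuPG itself uses.
UNKNOWN, MARGINAL, FULL = 0, 1, 2
NAMES = {UNKNOWN: "unknown", MARGINAL: "marginal", FULL: "full"}
# Constructed owner-trust table for certifying keys (key IDs are made up).
OWNER_TRUST = {"0xAAAA": FULL, "0xBBBB": MARGINAL}

@dataclass
class UserID:
    name: str
    signed_by: list = field(default_factory=list)  # keys certifying this user ID

@dataclass
class Key:
    keyid: str
    uids: list

def uid_validity(uid: UserID) -> int:
    """Validity of one user ID: best owner trust among keys that signed *this* ID."""
    return max((OWNER_TRUST.get(k, UNKNOWN) for k in uid.signed_by), default=UNKNOWN)

def validity_correct(key: Key) -> dict:
    """Fixed behaviour: each user ID keeps only the validity it earned itself."""
    return {u.name: uid_validity(u) for u in key.uids}

def validity_buggy(key: Key) -> dict:
    """The bug: every user ID inherits the best validity found anywhere on the key."""
    best = max((uid_validity(u) for u in key.uids), default=UNKNOWN)
    return {u.name: best for u in key.uids}

def needs_warning(validity: dict, uid_name: str) -> bool:
    """GnuPG warns before encrypting to a user ID that is not fully valid."""
    return validity[uid_name] < FULL

# Constructed key with two user IDs: one certified by a fully trusted key, one unsigned.
SAMPLE_KEY = Key("0xCCCC", [UserID("alice@example.org", signed_by=["0xAAAA"]),
                           UserID("alice@example.net")])

if __name__ == "__main__":
    for label, fn in (("correct", validity_correct), ("buggy", validity_buggy)):
        v = fn(SAMPLE_KEY)
        print(label, {n: NAMES[r] for n, r in v.items()},
              "warn on alice@example.net:", needs_warning(v, "alice@example.net"))
```

With the buggy computation the unsigned user ID is reported as fully valid and no warning is raised; with the corrected computation it stays unknown and encryption to it triggers the warning.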
For Conectiva Linux 7.0 and 8, the GnuPG package has been
updated to version 1.0.7 and includes a fix provided by the
authors[2]. GnuPG in Conectiva Linux 9 does not need a version
upgrade and includes the same patch.
SOLUTION
It is recommended that all GnuPG users upgrade their packages.
IMPORTANT: as part of the changes introduced in GnuPG versions
1.0.7 and later, public keys for which the user has a corresponding
secret key are no longer automatically considered trusted. To ease
the transition, a script called "convert-from-106" (part of
GnuPG-1.2.2) has been included in these packages. If executed, this
script will mark as trusted all public keys for which the current
user has the corresponding private key.
REFERENCES
1. http://www.gnupg.org/
2. http://lists.gnupg.org/pipermail/gnupg-announce/2003q2/000268.html
3. http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0255
UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/gnupg-1.0.7-1U70_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/gnupg-1.0.7-1U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/gnupg-doc-1.0.7-1U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/gnupg-1.0.7-1U80_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/gnupg-1.0.7-1U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/gnupg-doc-1.0.7-1U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/SRPMS/gnupg-1.2.1-19780U90_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/gnupg-1.2.1-19780U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/gnupg-doc-1.2.1-19780U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/gnupg-keyserver-plugins-1.2.1-19780U90_1cl.i386.rpm
ADDITIONAL INSTRUCTIONS
The apt tool can be used to upgrade RPM packages:
- run: apt-get update
- after that, execute: apt-get upgrade
Detailed instructions regarding the use of apt and upgrade
examples can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en
All packages are signed with Conectiva’s GPG key. The key and
instructions on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can
be found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en
Copyright (c) 2003 Conectiva Inc.
http://www.conectiva.com