---

Conectiva Linux Security Announcement – gnupg

Date: Sat, 28 Oct 2000 15:19:02 -0200
From: secure@CONECTIVA.COM.BR
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: [CLSA-2000:334] Conectiva Linux Security Announcement –
gnupg


CONECTIVA LINUX SECURITY ANNOUNCEMENT



PACKAGE   : gnupg
SUMMARY   : Signature checking bug
DATE      : 2000-10-28 15:15:00
ID        : CLSA-2000:334
RELEVANT
RELEASES  : 4.0, 4.0es, 4.1, 4.2, 5.0, prg gráficos, ecommerce, 5.1

DESCRIPTION
gnupg up to and including version 1.0.3 has a flaw in the signature
checking code. This code does not work properly when there are
multiple signatures within the file. Gnupg can incorrectly report
some signatures to be valid even if that portion of the file has
been tampered with.

SOLUTION
All gnupg users should upgrade to the latest package.

DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES

ftp://atualizacoes.conectiva.com.br/4.0/SRPMS/gnupg-1.0.4-1cl.src.rpm


ftp://atualizacoes.conectiva.com.br/4.0/i386/gnupg-1.0.4-1cl.i386.rpm


ftp://atualizacoes.conectiva.com.br/4.0es/SRPMS/gnupg-1.0.4-1cl.src.rpm


ftp://atualizacoes.conectiva.com.br/4.0es/i386/gnupg-1.0.4-1cl.i386.rpm


ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/gnupg-1.0.4-1cl.src.rpm


ftp://atualizacoes.conectiva.com.br/4.1/i386/gnupg-1.0.4-1cl.i386.rpm


ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/gnupg-1.0.4-1cl.src.rpm


ftp://atualizacoes.conectiva.com.br/4.2/i386/gnupg-1.0.4-1cl.i386.rpm


ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/gnupg-1.0.4-1cl.src.rpm


ftp://atualizacoes.conectiva.com.br/5.0/i386/gnupg-1.0.4-1cl.i386.rpm


ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/gnupg-1.0.4-1cl.src.rpm


ftp://atualizacoes.conectiva.com.br/5.1/i386/gnupg-1.0.4-1cl.i386.rpm


ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/gnupg-1.0.4-1cl.src.rpm


ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/gnupg-1.0.4-1cl.i386.rpm


ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/gnupg-1.0.4-1cl.src.rpm


ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/gnupg-1.0.4-1cl.i386.rpm


All packages are signed with Conectiva’s GPG key. The key can be
obtained at
http://www.conectiva.com.br/contato


All our advisories and generic update instructions can be viewed
at
http://www.conectiva.com.br/suporte/atualizacoes

Get the Free Newsletter!

Subscribe to Developer Insider for top news, trends, & analysis