Date: Sat, 28 Oct 2000 15:19:02 -0200
From: secure@CONECTIVA.COM.BR
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: [CLSA-2000:334] Conectiva Linux Security Announcement –
gnupg
CONECTIVA LINUX SECURITY ANNOUNCEMENT
PACKAGE : gnupg SUMMARY : Signature checking bug DATE : 2000-10-28 15:15:00 ID : CLSA-2000:334 RELEVANT RELEASES : 4.0, 4.0es, 4.1, 4.2, 5.0, prg gráficos, ecommerce, 5.1
DESCRIPTION
gnupg up to and including version 1.0.3 has a flaw in the signature
checking code. This code does not work properly when there are
multiple signatures within the file. Gnupg can incorrectly report
some signatures to be valid even if that portion of the file has
been tampered with.
SOLUTION
All gnupg users should upgrade to the latest package.
DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/4.0/SRPMS/gnupg-1.0.4-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.0/i386/gnupg-1.0.4-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/SRPMS/gnupg-1.0.4-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/gnupg-1.0.4-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/gnupg-1.0.4-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/gnupg-1.0.4-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/gnupg-1.0.4-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/gnupg-1.0.4-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/gnupg-1.0.4-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/gnupg-1.0.4-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/gnupg-1.0.4-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/gnupg-1.0.4-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/gnupg-1.0.4-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/gnupg-1.0.4-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/gnupg-1.0.4-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/gnupg-1.0.4-1cl.i386.rpm
All packages are signed with Conectiva’s GPG key. The key can be
obtained at
http://www.conectiva.com.br/contato
All our advisories and generic update instructions can be viewed
at
http://www.conectiva.com.br/suporte/atualizacoes