LinuxSecurity.com
Fedora Core 4 Update: gnupg-1.4.2.2-1
Posted by Benjamin D. Thomas   
Tavis Ormandy discovered a flaw in the way GnuPG verifies cryptographically signed data with inline signatures. It is possible for an attacker to add unsigned text to a signed message in such a way that when the signed text is extracted, the unsigned text is extracted as well, appearing as if it had been signed. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0049 to this issue.
---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2006-147
2006-03-13
---------------------------------------------------------------------

Product     : Fedora Core 4
Name        : gnupg
Version     : 1.4.2.2                      
Release     : 1                  
Summary     : A GNU utility for secure communication and data storage.
Description :
GnuPG (GNU Privacy Guard) is a GNU utility for encrypting data and
creating digital signatures. GnuPG has advanced key management
capabilities and is compliant with the proposed OpenPGP Internet
standard described in RFC2440. Since GnuPG doesn't use any patented
algorithm, it is not compatible with any version of PGP2 (PGP2.x uses
only IDEA for symmetric-key encryption, which is patented worldwide).

---------------------------------------------------------------------
Update Information:

Tavis Ormandy discovered a flaw in the way GnuPG verifies
cryptographically signed data with inline signatures. It is
possible for an attacker to add unsigned text to a signed
message in such a way that when the signed text is
extracted, the unsigned text is extracted as well, appearing
as if it had been signed.  The Common Vulnerabilities and
Exposures project assigned the name CVE-2006-0049 to this issue.
---------------------------------------------------------------------
* Fri Mar 10 2006 Nalin Dahyabhai  - 1.4.2.2-1
- update to 1.4.2.2 to fix detection of unsigned data (CVE-2006-0049, #184557)

---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/4/


This update can be installed with the 'yum' update program.  Use 'yum update
package-name' at the command line.  For more information, refer to 'Managing
Software with yum,' available at http://fedora.redhat.com/docs/yum/.
---------------------------------------------------------------------
