Gentoo: gnupg key validation bug
Posted by LinuxSecurity.com Team   
Gentoo As part of the development of GnuPG 1.2.2, a bug was discovered in the key validation code.

- - - ---------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200305-04
- - - ---------------------------------------------------------------------

          PACKAGE : gnupg
          SUMMARY : key validity bug
             DATE : 2003-05-16 11:55 UTC
VERSIONS AFFECTED : =gnupg-1.2.2
              CVE : CAN-2003-0255

- - - ---------------------------------------------------------------------

- From advisory:

"As part of the development of GnuPG 1.2.2, a bug was discovered in the
key validation code.  This bug causes keys with more than one user ID
to give all user IDs on the key the amount of validity given to the
most-valid key."

Read the full advisory at 
http://marc.theaimsgroup.com/?l=bugtraq&m=105215110111174&w=2

SOLUTION

It is recommended that all Gentoo Linux users who are running
app-crypt/gnupg upgrade to gnupg-1.2.2 as follows:

emerge sync
emerge gnupg
emerge clean

- - - ---------------------------------------------------------------------
aliz@gentoo.org - GnuPG key is available at  http://cvs.gentoo.org/~aliz
- - - ---------------------------------------------------------------------