OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: redhat-announce-list-adminredhat.com
Date: Wed May 16 2001 - 20:35:53 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    ---------------------------------------------------------------------
                       Red Hat, Inc. Red Hat Security Advisory

    Synopsis: Updated gnupg packages available
    Advisory ID: RHSA-2001:063-02
    Issue date: 2001-05-02
    Updated on: 2001-05-16
    Product: Red Hat Linux
    Keywords: gnupg klima rosa
    Cross references:
    Obsoletes: RHSA-2000:131
    ---------------------------------------------------------------------

    1. Topic:

    Updated gnupg packages are now available for Red Hat Linux 6.2, 7, and 7.1.
     These updates address a potential vulnerability which could allow an
    attacker to compute a user's secret key.

    2. Relevant releases/architectures:

    Red Hat Linux 6.2 - alpha, i386, sparc

    Red Hat Linux 7.0 - alpha, i386

    Red Hat Linux 7.1 - i386

    3. Problem description:

    By modifying an unsuspecting user's private keyring, an attacker can cause
    a user to generate incorrect signatures for data. If a user generates both
    a correct and an incorrect signature for the same data, the different
    signatures can be used to compute the user's secret key.

    4. Solution:

    Before applying this update, make sure all previously released errata
    relevant to your system have been applied.

    To update all RPMs for your particular architecture, run:

    rpm -Fvh [filenames]

    where [filenames] is a list of the RPMs you wish to upgrade. Only those
    RPMs which are currently installed will be updated. Those RPMs which are
    not installed but included in the list will not be updated. Note that you
    can also use wildcards (*.rpm) if your current directory *only* contains the
    desired RPMs.

    Please note that this update is also available via Red Hat Network. Many
    people find this an easier way to apply updates. To use Red Hat Network,
    launch the Red Hat Update Agent with the following command:

    up2date

    This will start an interactive process that will result in the appropriate
    RPMs being upgraded on your system.

    5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):

    33473 - secret keyring compromise leading to secret key disclosure

    6. RPMs required:

    Red Hat Linux 6.2:

    SRPMS:
    ftp://updates.redhat.com/6.2/en/os/SRPMS/gnupg-1.0.5-0.6.x.src.rpm

    alpha:
    ftp://updates.redhat.com/6.2/en/os/alpha/gnupg-1.0.5-0.6.x.alpha.rpm

    i386:
    ftp://updates.redhat.com/6.2/en/os/i386/gnupg-1.0.5-0.6.x.i386.rpm

    sparc:
    ftp://updates.redhat.com/6.2/en/os/sparc/gnupg-1.0.5-0.6.x.sparc.rpm

    Red Hat Linux 7.0:

    SRPMS:
    ftp://updates.redhat.com/7.0/en/os/SRPMS/gnupg-1.0.5-1.src.rpm

    alpha:
    ftp://updates.redhat.com/7.0/en/os/alpha/gnupg-1.0.5-1.alpha.rpm

    i386:
    ftp://updates.redhat.com/7.0/en/os/i386/gnupg-1.0.5-1.i386.rpm

    Red Hat Linux 7.1:

    SRPMS:
    ftp://updates.redhat.com/7.1/en/os/SRPMS/gnupg-1.0.5-1.src.rpm

    i386:
    ftp://updates.redhat.com/7.1/en/os/i386/gnupg-1.0.5-1.i386.rpm

    7. Verification:

    MD5 sum Package Name
    --------------------------------------------------------------------------
    89938a0670ba2588cf0c109c05b2a604 6.2/en/os/SRPMS/gnupg-1.0.5-0.6.x.src.rpm
    338782bd895ab81fb7e84d36005fa95e 6.2/en/os/alpha/gnupg-1.0.5-0.6.x.alpha.rpm
    3ff455f2312c083994ab7e9c7369e325 6.2/en/os/i386/gnupg-1.0.5-0.6.x.i386.rpm
    bae79560d0a6cde8746492d15a57ec19 6.2/en/os/sparc/gnupg-1.0.5-0.6.x.sparc.rpm
    3a7fed8e807ccb992ce0e05d0a7bbdff 7.0/en/os/SRPMS/gnupg-1.0.5-1.src.rpm
    3b84f8fcdd97846ec3435bcdc0a8e4c5 7.0/en/os/alpha/gnupg-1.0.5-1.alpha.rpm
    c5633eb35d1dc7c753da7ea850eba864 7.0/en/os/i386/gnupg-1.0.5-1.i386.rpm
    3a7fed8e807ccb992ce0e05d0a7bbdff 7.1/en/os/SRPMS/gnupg-1.0.5-1.src.rpm
    c5633eb35d1dc7c753da7ea850eba864 7.1/en/os/i386/gnupg-1.0.5-1.i386.rpm

    These packages are GPG signed by Red Hat, Inc. for security. Our key
    is available at:
        http://www.redhat.com/corp/contact.html

    You can verify each package with the following command:
        rpm --checksig <filename>

    If you only wish to verify that each package has not been corrupted or
    tampered with, examine only the md5sum with the following command:
        rpm --checksig --nogpg <filename>

    8. References:

    http://lists.gnupg.org/pipermail/gnupg-announce/2001-April/000238.html
    http://www.i.cz/en/pdf/openPGP_attack_ENGvktr.pdf

    Copyright(c) 2000, 2001 Red Hat, Inc.

    _______________________________________________
    Redhat-watch-list mailing list
    To unsubscribe, visit: https://listman.redhat.com/mailman/listinfo/redhat-watch-list

    _______________________________________________
    Redhat-announce-list mailing list
    Redhat-announce-listredhat.com
    https://listman.redhat.com/mailman/listinfo/redhat-announce-list