Hi All --

In case any of you use PGP 5.5 or newer and hadn't 
heard, check out:

http://www.pgp.com/other/advisories/adk.asp

I recommend GPG (GNU Privacy Guard):

http://www.gnupg.org

though, in all honesty, I don't know if it has
the same vulnerabilities.

Woody
Title: PGP Security - PGP ADK Security Advisory
PGP ADK Security Advisory

On the morning of Thursday, August 24, researchers in Germany discovered a bug in PGP versions 5.5 through 6.5.3 regarding how those versions handle unauthorized Additional Decryption Key additions to the unhashed/unsigned areas of PGP keys. We are currently working on this issue and consider it our top priority. A formal advisory from PGP Security and hotfixes for this issue will be made available as soon as possible. Additional information about this issue is available from CERT.

Below is a message from Phil Zimmermann regarding this issue (a PGP signed version is available here). Please refer back to this page in the future for the latest information regarding this issue.

We at NAI/PGP Security regret this important bug in the ADK feature that has been described on various Internet postings today (Thursday 24 Aug). We were made aware of this bug in PGP early this morning.

We are responding as fast as we can, and expect to have new 6.5.x releases out to fix this bug late Thursday evening. The MIT web site should have a new PGP 6.5.x freeware release early Friday, and the NAI/PGP web site should have patches out for the commercial releases at about the same time. As of this afternoon (Thursday), the PGP key server at PGP already filters out keys with the bogus ADK packets. We expect to have fixes available for the other key servers that run our software by tomorrow. We have also alerted the other vendors that make PGP key server software to the problem, and expect Highware/Veridis in Belgium to have their key servers filtering keys the same way by Friday.

The fixes that we are releasing for the PGP client software filter out the offending ADK packets. We already warn the users whenever they are about to use an ADK, even in the normal case.

We will have new information as soon as it becomes available at http://www.pgp.com.

Philip Zimmermann
[EMAIL PROTECTED]
19:00 PDT Thursday 24 Aug 2000
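The advisory's core point is that the ADK packets were honoured even though they sat in the unhashed, unsigned area of the key, where nothing binds them to the key owner. The following is an added example, not code from PGP Security, NAI or the advisory, showing the defender-side check a key-handling program should perform: parse both subpacket areas of an OpenPGP v4 signature and treat any security-relevant subpacket that appears only in the unhashed area as unauthenticated. Assumptions: the RFC 4880 subpacket encoding, subpacket type 10 as the ADK type (an assumption about PGP's numbering) and a dummy ADK body layout; the two signature packets are constructed test data, not real keys.

```python
"""
Added example (not from the advisory or PGP's code): split an OpenPGP v4
signature packet into its hashed and unhashed subpacket areas and report
security-relevant subpackets that appear only in the unhashed area.
The unhashed area is not covered by the signature, so anything found
there must not be treated as the key owner's intent.
"""
import struct

# Subpacket numbering per RFC 4880 section 5.2.3.1. Type 10 is assumed to be
# PGP's Additional Decryption Key subpacket (RFC 4880 lists it only as a
# backward-compatibility placeholder).
SUBPACKET_NAMES = {
    2: "signature creation time",
    10: "additional decryption key (ADK)",
    16: "issuer key id",
    27: "key flags",
}
# Types whose presence changes security behaviour, so they only count when
# they are in the hashed (signed) area.
SENSITIVE = {10, 27}


def parse_subpackets(data):
    """Return a list of (type, critical, body) from one subpacket area."""
    out, i = [], 0
    while i < len(data):
        first = data[i]
        if first < 192:                      # one-octet length
            length, i = first, i + 1
        elif first < 255:                    # two-octet length
            length = ((first - 192) << 8) + data[i + 1] + 192
            i += 2
        else:                                # five-octet length
            length = struct.unpack(">I", data[i + 1:i + 5])[0]
            i += 5
        body = data[i:i + length]
        if len(body) != length:
            raise ValueError("truncated subpacket")
        i += length
        out.append((body[0] & 0x7F, bool(body[0] & 0x80), body[1:]))
    return out


def parse_v4_signature(pkt):
    """Return (hashed_subpackets, unhashed_subpackets) of a v4 signature body."""
    if pkt[0] != 4:
        raise ValueError("only v4 signatures handled")
    hashed_len = struct.unpack(">H", pkt[4:6])[0]
    hashed = pkt[6:6 + hashed_len]
    pos = 6 + hashed_len
    unhashed_len = struct.unpack(">H", pkt[pos:pos + 2])[0]
    unhashed = pkt[pos + 2:pos + 2 + unhashed_len]
    return parse_subpackets(hashed), parse_subpackets(unhashed)


def unauthenticated_sensitive(pkt):
    """Sensitive subpacket types present only in the unhashed area (to be ignored)."""
    hashed, unhashed = parse_v4_signature(pkt)
    hashed_types = {t for t, _, _ in hashed}
    return sorted({t for t, _, _ in unhashed if t in SENSITIVE and t not in hashed_types})


def subpacket(t, body, critical=False):
    """Encode one subpacket with a one-octet length (constructed test data only)."""
    raw = bytes([t | (0x80 if critical else 0)]) + body
    assert len(raw) < 192
    return bytes([len(raw)]) + raw


def build_v4_signature(hashed_area, unhashed_area):
    """Constructed v4 signature body (type 0x13, RSA, SHA-1) with a dummy MPI."""
    body = bytes([4, 0x13, 1, 2])
    body += struct.pack(">H", len(hashed_area)) + hashed_area
    body += struct.pack(">H", len(unhashed_area)) + unhashed_area
    body += b"\x12\x34"          # left 16 bits of the hash (dummy)
    body += b"\x00\x08\x80"      # dummy 8-bit MPI standing in for the signature
    return body


# Constructed sample data: an assumed ADK body of class flag, algorithm and a
# zeroed 20-byte fingerprint. TAMPERED carries the ADK only in the unhashed
# area, as in the keys the advisory describes; CLEAN carries it hashed.
ADK_BODY = bytes([0x80, 1]) + bytes(20)
TAMPERED = build_v4_signature(
    subpacket(2, b"\x39\xa5\x00\x00") + subpacket(16, bytes(8)),
    subpacket(10, ADK_BODY),
)
CLEAN = build_v4_signature(
    subpacket(2, b"\x39\xa5\x00\x00") + subpacket(10, ADK_BODY, critical=True),
    subpacket(16, bytes(8)),
)

if __name__ == "__main__":
    for name, sig in (("tampered", TAMPERED), ("clean", CLEAN)):
        bad = unauthenticated_sensitive(sig)
        print(name, "-> ignore unhashed:", [SUBPACKET_NAMES.get(t, t) for t in bad])
```

Run stand-alone, the tampered sample reports the ADK subpacket as unauthenticated and the clean sample reports nothing. The design choice matches the fix the advisory describes: rather than refusing the whole key, a client drops the unsigned ADK packet and, if it is going to encrypt to an ADK at all, does so only on the strength of a subpacket under the key owner's signature.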

© 2000, Network Associates, Inc. and its affiliated Companies. All Rights Reserved. www.nai.com
