Je ne sais pas si ce bug était spécifique à Caldera.

From: Caldera Support Info <[EMAIL PROTECTED]>
Subject: Security Update: verification bug in gnupg
Date: 20 Oct 2000 08:56:27 +0200
Message-ID: <[EMAIL PROTECTED]>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________
                   Caldera Systems, Inc.  Security Advisory

Subject:                verification bug in gnupg
Advisory number:        CSSA-2000-038.0
Issue date:             2000 October, 18
Cross reference:
______________________________________________________________________________


1. Problem Description

   There is a bug in the signature verification of GNUpg,
   the GNU replacement for PGP.

   Normally, signature verification with gnupg works as
   expected; gnupg properly detects when digitally signed
   data has been tampered with.

   However, these checks do not work properly if there are
   several sections with inline signatures within a single
   file. In this case, GNUpg does not always detect when some
   of the signed portions have been modified, and incorrectly
   claims that all signatures are valid.

2. Vulnerable Versions

   System                       Package
   -----------------------------------------------------------
   OpenLinux Desktop 2.3        not vulnerable

   OpenLinux eServer 2.3        not vulnerable
   and OpenLinux eBuilder

   OpenLinux eDesktop 2.4       All packages previous to
                                gnupg-1.0.4-2

3. Solution

   Workaround:

   None

4. OpenLinux Desktop 2.3

   not vulnerable

5. OpenLinux eServer 2.3 and OpenLinux eBuilder for ECential 3.0

   not vulnerable

6. OpenLinux eDesktop 2.4

   6.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/

       The corresponding source code package can be found at:

       ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/SRPMS

   6.2 Verification

       3892693d729a46acc587dcece5a59f7c  RPMS/gnupg-1.0.4-2.i386.rpm
       407234b6c1381ed0e4e22ae99b88ba3f  SRPMS/gnupg-1.0.4-2.src.rpm

   6.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

          rpm -Fhv gnupg-1.0.4-2.i386.rpm

7. References

   This and other Caldera security resources are located at:

   http://www.calderasystems.com/support/security/index.html

   This security fix closes Caldera's internal Problem Report 7996.

8. Disclaimer

   Caldera Systems, Inc. is not responsible for the misuse of any of the
   information we provide on this website and/or through our security
   advisories. Our advisories are a service to our customers intended to
   promote secure installation and use of Caldera OpenLinux.

9. Acknowledgements

   Caldera Systems wishes to thank Werner Koch, the author of GNUpg,
   for his work, and cooperation.
______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE57v3U18sy83A/qfwRAoQNAJ9FqaDcp6LBSrE/Gf4ptHZQLx776ACeIkXZ
nNgMWmAfY/3rbLWwRJPmjwo=
=qgtb
-----END PGP SIGNATURE-----
--
Pour poster une annonce: [EMAIL PROTECTED]

Répondre à