OpenPKG CVS Repository
http://cvs.openpkg.org/
____________________________________________________________________________
Server: cvs.openpkg.org      Name:   Ralf S. Engelschall
Root:   /v/openpkg/cvs       Email:  [EMAIL PROTECTED]
Module: openpkg-web          Date:   18-Feb-2006 00:07:35
Branch: HEAD                 Handle: 2006021723073500
Added files:
openpkg-web/security OpenPKG-SA-2006.001-gnupg.txt
Log:
release OpenPKG Security Advisory 2006.001 (gnupg)
Summary:
Revision Changes Path
1.1 +50 -0 openpkg-web/security/OpenPKG-SA-2006.001-gnupg.txt
____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-web/security/OpenPKG-SA-2006.001-gnupg.txt
============================================================================
$ cvs diff -u -r0 -r1.1 OpenPKG-SA-2006.001-gnupg.txt
--- /dev/null 2006-02-18 00:07:35 +0100
+++ OpenPKG-SA-2006.001-gnupg.txt 2006-02-18 00:07:35 +0100
@@ -0,0 +1,50 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+________________________________________________________________________
+
+OpenPKG Security Advisory The OpenPKG Project
+http://www.openpkg.org/security.html http://www.openpkg.org
[EMAIL PROTECTED] [EMAIL PROTECTED]
+OpenPKG-SA-2006.001 18-Feb-2006
+________________________________________________________________________
+
+Package: gnupg
+Vulnerability: false positive signature verification
+OpenPKG Specific: no
+
+Affected Releases: Affected Packages: Corrected Packages:
+OpenPKG CURRENT <= gnupg-1.4.2-20060111 >= gnupg-1.4.2.1-20060215
+OpenPKG 2.5 <= gnupg-1.4.2-2.5.0 >= gnupg-1.4.2-2.5.1
+OpenPKG 2.4 <= gnupg-1.4.1-2.4.0 >= gnupg-1.4.1-2.4.1
+OpenPKG 2.3 <= gnupg-1.4.0-2.3.0 >= gnupg-1.4.0-2.3.1
+
+Description:
+ According to a vendor security advisory [0] based on hints from the
+ Gentoo project, a false positive signature verification bug exists in
+ the GnuPG [1] security tool when unattended signature verification
+ (e.g. by scripts and mail programs) is performed via "gpgv" or "gpg
+ --verify". The Common Vulnerabilities and Exposures (CVE) project
+ assigned the id CVE-2006-0455 [2] to the problem.
+________________________________________________________________________
+
+References:
+ [0] http://lists.gnupg.org/pipermail/gnupg-announce/2006q1/000211.html
+ [1] http://www.gnupg.org/
+ [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0455
+________________________________________________________________________
+
+For security reasons, this advisory was digitally signed with the
+OpenPGP public key "OpenPKG <[EMAIL PROTECTED]>" (ID 63C4CB9F) of the
+OpenPKG project which you can retrieve from http://pgp.openpkg.org and
+hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
+for details on how to verify the integrity of this advisory.
+________________________________________________________________________
+
+-----BEGIN PGP SIGNATURE-----
+Comment: OpenPKG <[EMAIL PROTECTED]>
+
+iD8DBQFD9lcPgHWT4GPEy58RAlogAKDgRKGDHGwiXZXEbpvDJUU/DuSv6gCg0xjn
+Vr5XdD2TcGh7aeydmoEYubQ=
+=y+Cq
+-----END PGP SIGNATURE-----
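Review bot: The Description paragraph states that a false positive signature verification bug exists in "gpgv" and "gpg --verify" but not what a caller observes or what to do about it, so an administrator who runs these commands from scripts or mail programs cannot tell from this text whether their checks were affected. Suggest adding one sentence on the observable failure, taken from the vendor advisory [0], and a closing line that directs users to upgrade to the versions listed under Corrected Packages. The signing footer asks readers to verify this advisory with the OpenPGP key, so it would also help to say there that unattended verification of the advisory itself should be done with a corrected gnupg package.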
@@ .
______________________________________________________________________
The OpenPKG Project www.openpkg.org
CVS Repository Commit List [email protected]