Gentoo Archives: gentoo-announce

From: Daniel Ahlberg <aliz@g.o>
To: gentoo-announce@g.o
Subject: GLSA: gnupg (200305-04)
Date: Fri, 16 May 2003 11:57:44
Message-Id: 20030516115600.8F8C333742@mail1.tamperd.net
1 -----BEGIN PGP SIGNED MESSAGE-----
2 Hash: SHA1
3
4 - - - ---------------------------------------------------------------------
5 GENTOO LINUX SECURITY ANNOUNCEMENT 200305-04
6 - - - ---------------------------------------------------------------------
7
8 PACKAGE : gnupg
9 SUMMARY : key validity bug
10 DATE : 2003-05-16 11:55 UTC
11 VERSIONS AFFECTED : <gnupg-1.2.2
12 FIXED VERSION : >=gnupg-1.2.2
13 CVE : CAN-2003-0255
14
15 - - - ---------------------------------------------------------------------
16
17 - From advisory:
18
19 "As part of the development of GnuPG 1.2.2, a bug was discovered in the
20 key validation code. This bug causes keys with more than one user ID
21 to give all user IDs on the key the amount of validity given to the
22 most-valid key."
23
24 Read the full advisory at
25 http://marc.theaimsgroup.com/?l=bugtraq&m=105215110111174&w=2
26
27 SOLUTION
28
29 It is recommended that all Gentoo Linux users who are running
30 app-crypt/gnupg upgrade to gnupg-1.2.2 as follows:
31
32 emerge sync
33 emerge gnupg
34 emerge clean
35
36 - - - ---------------------------------------------------------------------
37 aliz@g.o - GnuPG key is available at http://cvs.gentoo.org/~aliz
38 - - - ---------------------------------------------------------------------
39 -----BEGIN PGP SIGNATURE-----
40 Version: GnuPG v1.2.2 (GNU/Linux)
41
42 iD8DBQE+xNHNfT7nyhUpoZMRAv6xAJ9Sbj96yso0kD1RVAR/fA2tF5Ce8ACfXfDZ
43 e2eSXVOCMuGRNyE+d+Sr8Ck=
44 =StRY
45 -----END PGP SIGNATURE-----