[Announce] GnuPG security fix
Werner Koch
wk at gnupg.org
Tue Oct 17 19:47:01 CEST 2000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello!
A bug in GnuPG's signature verification function has recently been
found:
If you have more than one signature (either cleartext or binary
ones) in a file (or pipe that to gpg), gpg does not compare each
signature but flags each document as good or bad depending on the
first document in the file. It is possible to use this bug to fake
signatures (in most cases it needs some social engineering but it is
not that complicated).
IT IS RECOMMENDED TO UPDATE TO THIS NEW 1.0.4 RELEASE WHICH
FIXES THE PROBLEM!
GnuPG version 1.0.4 is now available at the address below and should
show up on the mirrors within a day.
ftp://ftp.gnupg.org/pub/gcrypt/gnupg/gnupg-1.0.4.tar.gz (1685k)
ftp://ftp.gnupg.org/pub/gcrypt/gnupg/gnupg-1.0.4.tar.gz.sig
A diff against 1.0.3 is also available:
ftp://ftp.guug.de/pub/gcrypt/gnupg/gnupg-1.0.3-1.0.4.diff.gz (116k)
MD5 checksums of the above files are:
bef2267bfe9b74a00906a78db34437f9 gnupg-1.0.4.tar.gz
c79711f3c6b79acb733f79fe0f36a8c2 gnupg-1.0.3-1.0.4.diff.gz
So, what's new in this version:
* Fixed a serious bug which could lead to false signature
verification results when more than one signature is fed to
gpg. This is the primary reason for releasing this version.
* New utility gpgv which is a stripped down version of gpg to be
used to verify signatures against a list of trusted keys.
* Rijndael (AES) is now supported and listed with top preference.
* --with-colons now works with --print-md[s].
Some other bugs are also fixed.
Due to the need for this security update, we have not yet been able
to fix some build problems on HP/UX, AIX, Solaris and probably some
other OSes. GNU/Linux should work just fine.
Debian and RPM packages will be available really soon.
I apologize for this bug and any inconvenience you have with this.
Werner
p.s.
Here is a list of sites mirroring ftp://ftp.gnupg.org/pub/gcrypt/
Please use them if you can; new releases should show up on these
servers within a day.
Australia
ftp://orcus.progsoc.uts.edu.au/pub/gnupg/
http://orcus.progsoc.uts.edu.au/pub/gnupg/
rsync://orcus.progsoc.uts.edu.au/pub/gnupg/
ftp://mirror.aarnet.edu.au/pub/gnupg/
http://mirror.aarnet.edu.au/pub/gnupg/
Austria
ftp://gd.tuwien.ac.at/privacy/gnupg/
Belgium
ftp://openbsd.rug.ac.be/pub/gcrypt/
Canada
ftp://crypto.yashy.com/pub/cryptography/gnupg/
Denmark
ftp://sunsite.auc.dk/pub/security/gcrypt/
Finland
ftp://ftp.jyu.fi/pub/crypt/gcrypt/
France
ftp://ftp.strasbourg.linuxfr.org/pub/gnupg/
Germany
ftp://ftp.franken.de/pub/crypt/mirror/ftp.guug.de/gcrypt/
ftp://ftp.freenet.de/pub/ftp.gnupg.org/pub/gcrypt/
ftp://ftp.gigabell.net/pub/gnupg
Greece
ftp://ftp.linux.gr/pub/crypto/gnupg/
Hungary
ftp://ftp.kfki.hu/pub/packages/security/gnupg/
Iceland
ftp://ftp.hi.is/pub/mirrors/gnupg/
Ireland
ftp://ftp.compsoc.com/pub/gnupg/
Italy
ftp://ftp.linux.it/pub/mirrors/gnupg/
ftp://ftp3.linux.it/pub/mirrors/gnupg/
Japan
ftp://pgp.iijlab.net/pub/gnupg/
ftp://ftp.ring.gr.jp/pub/net/gnupg/
http://www.ring.gr.jp/pub/net/gnupg/
Poland
ftp://sunsite.icm.edu.pl/pub/security/gnupg/
Spain
ftp://dimonieta.udg.es/mirror/gnupg
Sweden
ftp://ftp.stacken.kth.se/pub/crypto/gnupg/
ftp://ftp.sunet.se:/pub/security/gnupg/
Switzerland
ftp://sunsite.cnlab-switch.ch/mirror/gcrypt/
Taiwan
ftp://coda.nctu.edu.tw/Security/gcrypt
United Kingdom
ftp://ftp.net.lut.ac.uk/gcrypt/
ftp://ftp.mirror.ac.uk/sites/ftp.gnupg.org/pub/gcrypt/
http://www.mirror.ac.uk/sites/ftp.gnupg.org/pub/gcrypt/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE57JAybH7huGIcwBMRAo6RAJ4/pl5ylyJLerkrr2ePX5oodsxp1gCgvIvk
qQkJdXpPu4bebV/q3JW8qWs=
=o7O0
-----END PGP SIGNATURE-----
--
Werner Koch GnuPG key: 621CC013
OpenIT GmbH http://www.OpenIT.de
--
Archive is at http://lists.gnupg.org - Unsubscribe by sending mail
with a subject of "unsubscribe" to gnupg-users-request at gnupg.org
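The failure mode described in the announcement (a verifier that checks the first signature in a stream and then reports that same status for every later document) is a control-flow bug, not a cryptographic one. The following script is an added example, not GnuPG's code and not the 1.0.4 fix; it models the defective "sticky status" loop beside the corrected per-signature loop. To run offline it uses an HMAC-SHA256 over a shared key as a stand-in for an OpenPGP public-key signature, and all documents, keys and function names (sign, check, verify_sticky, verify_each, build_stream) are constructed for the example.

```python
"""
Added example (not GnuPG code): a model of the multi-signature verification
bug described in the announcement. The 'signature' primitive is an HMAC with
a shared key, standing in for OpenPGP public-key signatures only so that the
script runs offline; the lesson is in the control flow, not the primitive.
"""
import hmac
import hashlib

# Constructed sample key: plays the role of the verification (public) key.
KEY = b"demo-verification-key"


def sign(doc: bytes) -> bytes:
    """Produce a stand-in signature (HMAC-SHA256) over one document."""
    return hmac.new(KEY, doc, hashlib.sha256).digest()


def check(doc: bytes, sig: bytes) -> bool:
    """Verify one document/signature pair, comparing in constant time."""
    return hmac.compare_digest(sign(doc), sig)


def verify_sticky(pairs):
    """Models the defective behaviour: only the first signature in the stream
    is actually checked, and its result is reported for every later document."""
    results = []
    status = None
    for doc, sig in pairs:
        if status is None:          # bug: status is never reset per signature
            status = check(doc, sig)
        results.append(status)
    return results


def verify_each(pairs):
    """Corrected behaviour: every signature is checked independently, so the
    status for one document can never leak into the verdict for the next."""
    return [check(doc, sig) for doc, sig in pairs]


def build_stream():
    """Constructed input: a genuinely signed first document followed by a
    second document whose attached signature was made over different data."""
    good_doc = b"release notes: version 1.0.4"
    second_doc = b"some other text that was not signed"
    mismatched_sig = sign(b"unrelated data")   # does not cover second_doc
    return [(good_doc, sign(good_doc)), (second_doc, mismatched_sig)]


if __name__ == "__main__":
    stream = build_stream()
    print("sticky :", verify_sticky(stream))   # [True, True]  (second verdict is wrong)
    print("per-sig:", verify_each(stream))     # [True, False]
```

The same stream in reverse order shows the mirror image of the defect: a bad first signature makes the sticky verifier reject a later, perfectly valid document. Either way, the check a practitioner wants is that each (document, signature) pair yields its own verdict with no state carried between iterations.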