v0.3.2 fixes the setuid hole
Werner Koch
wk at isil.d.shuttle.de
Thu Jul 9 17:17:11 CEST 1998
Hi,
Please get the new release from
ftp://ftp.guug.de/pub/gcrypt/gnupg-0.3.2.tar.gz
or the diff
ftp://ftp.guug.de/pub/gcrypt/diffs/gnupg-0.3.2.diff.gz
you may also use the mirrors.
It was possible to become root by using --version and a malicious
extension module. I fixed this and added a sentinel just before the
dlopen() which checks that we are not setuid anymore.
Noteworthy changes in version 0.3.2
-----------------------------------
* Fixed some bugs when using --textmode (-seat)
* Now displays the trust status of a positive verified message.
* Keyrings are now scanned in the sequence they are added with
--[secret-]keyring. Note that the default keyring is implicitly
added as the very first one unless --no-default-keyring is used.
* Fixed setuid and dlopen bug.
Please note that I changed my keys; see README for details.
The reason is not security related but to allow other OpenPGP programs
to verify my signature.
Werner
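
The following is an added illustration of the kind of sentinel the announcement describes, not code from GnuPG or from this message: a loader that refuses to call dlopen() while the process still has a setuid/setgid identity. The function names and the module path are hypothetical.

```c
#include <dlfcn.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Pure check: 1 when real and effective IDs match, i.e. no elevated
 * identity is active. Kept free of syscalls so it can be unit-tested. */
static int ids_unprivileged(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid == euid && rgid == egid;
}

/* Give up a setuid/setgid identity. Group first: once the effective uid
 * is no longer root, setgid() may no longer be permitted.
 * Caveat: for a binary that is setuid to a non-root user, setuid() only
 * changes the effective uid and the saved uid stays behind. */
static int drop_privileges(void)
{
    if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
        return -1;
    /* Never trust the return codes alone; re-read the IDs. */
    return ids_unprivileged(getuid(), geteuid(), getgid(), getegid()) ? 0 : -1;
}

/* Sentinel placed directly before dlopen(): a module's initialisation
 * code runs with the caller's privileges, so fail closed if any remain. */
static void *guarded_dlopen(const char *path)
{
    if (!ids_unprivileged(getuid(), geteuid(), getgid(), getegid())) {
        fprintf(stderr, "refusing to load %s: still setuid/setgid\n", path);
        return NULL;
    }
    return dlopen(path, RTLD_NOW);
}

int main(int argc, char **argv)
{
    /* Hypothetical module path; pass a real one as argv[1]. */
    const char *path = argc > 1 ? argv[1] : "./hypothetical-ext.so";
    if (drop_privileges() != 0) {
        perror("drop_privileges");
        return 2;
    }
    void *handle = guarded_dlopen(path);
    if (handle == NULL)
        fprintf(stderr, "module not loaded: %s\n", path);
    return handle != NULL ? 0 : 1;
}
```

The check sits in the loader itself rather than only at startup, so a code path that reaches dlopen() before the privilege drop fails closed instead of loading the module as root.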