Date: Sat, 26 Aug 2000 09:59:20 +1000
From: Howard Lowndes <lannet@LANNET.COM.AU>
Subject: Re: SERIOUS PGP BUG!
To: BUGTRAQ@SECURITYFOCUS.COM

Just to add to this:

PGP-6.5.1i for UNIX is vulnerable

--
Howard.
______________________________________________________
LANNet Computing Associates <http://www.lannet.com.au>

On Thu, 24 Aug 2000, Phosgene wrote:

> In case you have not heard there is a serious bug in some versions of PGP
> related to additional decryption keys (ADK).
> For more information look at John Young's site which details some of this:
> http://cryptome.org/pgp-badbug.htm
>
> Quoting from an email on the site:
>
> "Tested versions of PGP:
> PGP-2.6.3ia UNIX (not vulnerable - doesn't support V4 signatures)
> PGP-5.0i UNIX (not vulnerable)
> PGP-5.5.3i WINDOWS (VULNERABLE)
> PGP-6.5.1i WINDOWS (VULNERABLE)
> GnuPG-1.0.1 UNIX (not vulnerable)"
>
> A paper detailing an aspect of the vulnerability is written by Ralf
> Senderek: http://senderek.de/security/key-experiments.html and his student
> Stephen Early <Stephen.Early@cl.cam.ac.uk> seems to have worked on
> detailing this vulnerability as well on the ukcrypto mailing list.
>
> Phosgene
>