[LWN Logo]
[Timeline]
Date:         Sat, 26 Aug 2000 09:59:20 +1000
From: Howard Lowndes <lannet@LANNET.COM.AU>
Subject:      Re: SERIOUS PGP BUG!
To: BUGTRAQ@SECURITYFOCUS.COM

Just to add to this:

PGP-6.5.1i for UNIX is vulnerable

--
Howard.
______________________________________________________
LANNet Computing Associates <http://www.lannet.com.au>

On Thu, 24 Aug 2000, Phosgene wrote:

> In case you have not heard there is a serious bug in some versions of PGP
> related to additonal decryption keys (ADK).
> For more information look at John Young's site which details some of this:
> http://cryptome.org/pgp-badbug.htm
>
> Quoting from an email on the site:
>
> "Tested versions of PGP:
> PGP-2.6.3ia UNIX   (not vulnerable - doesn't support V4 signatures)
> PGP-5.0i UNIX      (not vulnerable)
> PGP-5.5.3i WINDOWS (VULNERABLE)
> PGP-6.5.1i WINDOWS (VULNERABLE)
> GnuPG-1.0.1 UNIX   (not vulnerable)"
>
> A paper detailing an aspect of the vulnerability is written by Ralf
> Senderek: http://senderek.de/security/key-experiments.html and his student
> Stephen Early <Stephen.Early@cl.cam.ac.uk> seems to have worked on
> detailing this vulnerability as well on the ukcrypto mailing list.
>
> Phosgene
>