Date: Fri, 29 Dec 2000 15:42:16 -0200
To: security-announce@papaleguas.conectiva.com.br, lwn@lwn.net,
Subject: [CLA-2000:368] Conectiva Linux Security Announcement - gnupg
From: secure@conectiva.com.br

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT 
- --------------------------------------------------------------------------

PACKAGE   : gnupg
SUMMARY   : Vulnerability with detached signatures and web of trust
DATE      : 2000-12-29 15:41:00
ID        : CLA-2000:368
RELEVANT
RELEASES  : 4.0, 4.0es, 4.1, 4.2, 5.0, prg gráficos, ecommerce, 5.1, 6.0

- -------------------------------------------------------------------------

DESCRIPTION
 Two vulnerabilities were fixed in this new version of the gnupg
 package:
 
 1) There was a problem with detached signature checking. If the
 file given as the signature was not a detached signature but a
 signed file, gnupg would only check that signed file and not the
 data file itself. Thus:
 
 gpg --verify signedfile.txt.asc myfile.tar.gz
 
 would only check signedfile.txt.asc and completely ignore
 myfile.tar.gz if signedfile.txt.asc were a signed file and not a
 detached signature, giving the user the dangerous false impression
 that myfile.tar.gz had actually been checked.
 
 2) gnupg would also import private keys from keyservers and via the
 --import command line option. Since the corresponding public key
 would then be immediately trusted, this could be used by an attacker
 to circumvent the web of trust.


SOLUTION
 All users should upgrade the gnupg package. Please note that there
 are some modifications to command-line options and that existing
 scripts which use gpg should be revised:
 
 1) To make the --verify option accept data from stdin, a dash sign
 ("-") has to be added:
 gpg --verify signature.asc - < mydata
 
 2) In order to import private keys, the option
 "--allow-secret-key-import" has to be added to the command-line.
 
 The updated package now has Conectiva's public GPG key. This key will
 be installed into root's public keyring upon installation of the
 updated gnupg package.
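As an added example (not part of the Conectiva advisory or of gnupg itself), a POSIX shell wrapper for scripts that call gpg --verify: it inspects the armor header of the file passed as the signature and refuses to invoke gpg when that file is a signed message rather than a detached signature, which is exactly the shape the old gnupg silently accepted in item 1 of the description, and it passes "-" through explicitly when the data comes from stdin, as item 1 of the solution requires. The helper names armor_kind and verify_detached are my own.

```shell
#!/bin/sh
# Added example, not part of the Conectiva advisory or of gnupg itself.
# Before running "gpg --verify SIG DATA", make sure SIG really is a
# detached signature: the old gnupg silently verified a signed file
# passed as SIG and ignored DATA entirely.

# armor_kind FILE: classify an ASCII-armored OpenPGP file by its first
# armor header line. Prints: detached, clearsigned, message or unknown.
armor_kind() {
    header=$(head -n 20 "$1" 2>/dev/null | grep '^-----BEGIN PGP ' | head -n 1)
    case "$header" in
        "-----BEGIN PGP SIGNATURE-----")      echo detached ;;
        "-----BEGIN PGP SIGNED MESSAGE-----") echo clearsigned ;;
        "-----BEGIN PGP MESSAGE-----")        echo message ;;
        *)                                    echo unknown ;;
    esac
}

# verify_detached SIG DATA: returns 0 only if SIG is a detached signature
# and gpg verifies it against DATA. DATA may be "-" to read the data
# from stdin, which the updated gpg requires to be given explicitly.
# Return code 2 means the wrapper refused before gpg was even invoked.
verify_detached() {
    sig=$1
    data=$2
    case $(armor_kind "$sig") in
        detached) ;;
        clearsigned|message)
            echo "refusing: $sig is a signed file, not a detached signature" >&2
            return 2 ;;
        *)
            echo "refusing: $sig is not an ASCII-armored detached signature" >&2
            return 2 ;;
    esac
    if [ "$data" != "-" ] && [ ! -f "$data" ]; then
        echo "refusing: data file $data does not exist" >&2
        return 2
    fi
    gpg --verify "$sig" "$data"
}

# Usage (file names are placeholders):
#   verify_detached myfile.tar.gz.asc myfile.tar.gz
#   verify_detached signature.asc - < mydata
```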


DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/4.0/SRPMS/gnupg-1.0.4-5cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.0/i386/gnupg-1.0.4-5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/SRPMS/gnupg-1.0.4-5cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/gnupg-1.0.4-5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/gnupg-1.0.4-5cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/gnupg-1.0.4-5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/gnupg-1.0.4-5cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/gnupg-1.0.4-5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/gnupg-1.0.4-5cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/gnupg-1.0.4-5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/gnupg-1.0.4-5cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/gnupg-1.0.4-5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/gnupg-1.0.4-5cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/gnupg-1.0.4-5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/gnupg-1.0.4-5cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/gnupg-1.0.4-5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/gnupg-1.0.4-5cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/gnupg-1.0.4-5cl.i386.rpm


ADDITIONAL INSTRUCTIONS
 Users of Conectiva Linux version 6.0 or higher may use apt to perform 
 upgrades:
 - add the following line to /etc/apt/sources.list if it is not there yet
   (you may also use linuxconf to do this):

 rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates

 - run:                 apt-get update
 - after that, execute: apt-get upgrade

 Detailed instructions regarding the use of apt and upgrade examples
 can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en


- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at 
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en

- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://www.conectiva.com.br/suporte/atualizacoes

- -------------------------------------------------------------------------
subscribe: atualizacoes-anuncio-subscribe@papaleguas.conectiva.com.br
unsubscribe: atualizacoes-anuncio-unsubscribe@papaleguas.conectiva.com.br
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE6TMz342jd0JmAcZARAu1VAKCxsk3gQ0sMjpyJWeq6DEJy1DVahwCgv3kr
zclNhyndotRiy5Wgj9zVAn4=
=haaU
-----END PGP SIGNATURE-----