debian.gpg.txt

debian.gpg.txt
Posted Dec 27, 2000
Site debian.org

Debian Security Advisory - There is a problem in the way gpg checks detached signatures which can lead to false positives. Also it was discovered that gpg would import secret keys from key servers, circumventing the web of trust.

tags | web
systems | linux, debian
SHA-256 | 5d14e9537651bbc63698a8574da5f9f191cba27896ffb7f45b4cb6d6b2e12a34

-----BEGIN PGP SIGNED MESSAGE-----

- ------------------------------------------------------------------------
Debian Security Advisory DSA-010-1 security@debian.org
http://www.debian.org/security/ Wichert Akkerman
December 25, 2000
- ------------------------------------------------------------------------


Package : gnupg
Problem type : cheating with detached signatures,
circumvention of web of trust
Debian-specific: no

Two bugs in GnuPG have recently been found:

1. false positives when verifying detached signatures
- -----------------------------------------------------

There is a problem in the way gpg checks detached signatures which
can lead to false positives. A detached signature could be verified
with a command like this:

gpg --verify detached.sig < mydata

If someone replaced detached.sig with a signed text (i.e. an inline
signed message, not a detached signature) and then modified mydata,
gpg would verify the signature over the text embedded in detached.sig,
never look at the contents of mydata, and still report a successfully
verified signature.

To fix this, the way the --verify option works has been changed: it now
takes two arguments when verifying a detached signature, the file
containing the detached signature followed by the file containing the
data to be verified. Please note that this makes it incompatible with
older versions!

2. secret keys are silently imported
- ------------------------------------

Florian Weimer discovered that gpg would import secret keys from
key servers. Since gpg considers the public key corresponding to a
known secret key to be ultimately trusted, an attacker who can get a
secret key served to a victim by a key server can use this to
circumvent the web of trust.

To fix this a new option was added to tell gpg that it is allowed
to import secret keys: --allow-key-import.
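Both items above come down to the same precaution: look at the OpenPGP packet framing of a file before gpg acts on it. The Python below is an added example, not part of this advisory and not GnuPG's or Debian's code. It parses packet headers as laid out in RFC 4880 section 4.2 (old and new format) and uses the tag sequence for two guards: a file offered as a detached signature must consist of nothing but signature packets (item 1, so an inline signed message is rejected before it could stand in for the detached signature), and a key-server reply must contain no secret-key or secret-subkey packets (item 2, checked before the reply is handed to gpg --import). The dearmor() routine accepts ASCII-armored input and checks the CRC-24 trailer. The sample packets, their placeholder bodies, and the armor() and packet-builder helpers exist only to make the example self-contained; they are constructed, not real signatures or keys.

```python
"""OpenPGP packet-framing guards (RFC 4880 section 4.2) to run on a file before
handing it to gpg.  Added example, not Debian's or GnuPG's code; the samples at
the bottom are constructed, with placeholder bodies, not real keys or signatures."""
import base64

# RFC 4880 packet tags referred to by the guards below
SIGNATURE, ONE_PASS_SIGNATURE, LITERAL_DATA = 2, 4, 11
SECRET_KEY, PUBLIC_KEY, SECRET_SUBKEY, PUBLIC_SUBKEY = 5, 6, 7, 14

def packet_tags(data: bytes) -> list:
    """Walk a binary OpenPGP stream and return its packet tags in order.  Framing
    not handled here (partial bodies, indeterminate length) raises: fail closed."""
    tags, i = [], 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("offset %d: not an OpenPGP packet header" % i)
        if ctb & 0x40:                                   # new-format header
            tag, first = ctb & 0x3F, data[i + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[i + 2] + 192, 3
            elif first == 255:
                length, hdr = int.from_bytes(data[i + 2:i + 6], "big"), 6
            else:
                raise ValueError("partial body lengths are not handled")
        else:                                            # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate-length packet")
            lsize = (1, 2, 4)[ltype]
            length, hdr = int.from_bytes(data[i + 1:i + 1 + lsize], "big"), 1 + lsize
        tags.append(tag)
        i += hdr + length
    if i != len(data):
        raise ValueError("truncated packet")
    return tags

def is_detached_signature(data: bytes) -> bool:
    """Item 1: only a stream of nothing but signature packets passes, so an inline
    signed message (one-pass sig, literal data, sig) never reaches --verify."""
    tags = packet_tags(data)
    return bool(tags) and all(t == SIGNATURE for t in tags)

def has_secret_key_material(data: bytes) -> bool:
    """Item 2: true if a key-server reply carries secret (sub)key packets."""
    return any(t in (SECRET_KEY, SECRET_SUBKEY) for t in packet_tags(data))

def crc24(data: bytes) -> int:
    """CRC-24 of ASCII armor (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for b in data:
        crc ^= b << 16
        for _ in range(8):
            crc = (crc << 1) ^ (0x1864CFB if crc & 0x800000 else 0)
    return crc & 0xFFFFFF

def dearmor(text: str) -> bytes:
    """Decode ASCII armor (.asc files, key-server replies) and check its CRC-24."""
    body, crc_line, in_body = [], None, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN PGP"):
            in_body = True
        elif line.startswith("-----END PGP"):
            break
        elif in_body and line.startswith("="):           # "=XXXX" CRC trailer
            crc_line = line[1:]
        elif in_body and line and not (":" in line and not body):   # skip armor headers
            body.append(line)
    data = base64.b64decode("".join(body))
    if crc_line is None or base64.b64decode(crc_line) != crc24(data).to_bytes(3, "big"):
        raise ValueError("armor CRC-24 missing or mismatched")
    return data

def armor(data: bytes, kind: str = "SIGNATURE") -> str:
    """Wrap a binary stream in ASCII armor (used here only to build a sample)."""
    b64 = base64.b64encode(data).decode()
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "-----BEGIN PGP %s-----\nVersion: example\n\n%s\n=%s\n-----END PGP %s-----\n" % (
        kind, "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64)), crc, kind)

def new_format_packet(tag: int, body: bytes) -> bytes:   # one/two-octet lengths only
    n = len(body)
    if n < 192:
        return bytes([0xC0 | tag, n]) + body
    return bytes([0xC0 | tag, ((n - 192) >> 8) + 192, (n - 192) & 0xFF]) + body

def old_format_packet(tag: int, body: bytes) -> bytes:
    return bytes([0x80 | (tag << 2) | 0x01]) + len(body).to_bytes(2, "big") + body

# Constructed samples: placeholder bodies, no real cryptographic material.
DETACHED_SIG = new_format_packet(SIGNATURE, b"\x04\x00" + b"\x00" * 60)
INLINE_SIGNED = (new_format_packet(ONE_PASS_SIGNATURE, b"\x03\x00\x00\x00")
                 + new_format_packet(LITERAL_DATA, b"b\x00\x00\x00\x00\x00text chosen by attacker")
                 + new_format_packet(SIGNATURE, b"\x04\x00" + b"\x00" * 60))
PUBLIC_KEYRING = old_format_packet(PUBLIC_KEY, b"\x04" * 41) + old_format_packet(PUBLIC_SUBKEY, b"\x04" * 41)
POISONED_KEYRING = PUBLIC_KEYRING + new_format_packet(SECRET_KEY, b"\x04" + b"\x00" * 300)
ARMORED_DETACHED_SIG = armor(DETACHED_SIG)
```

A wrapper that runs is_detached_signature() on the signature file and then calls gpg with both file names on the command line, as the fixed package requires, closes the first hole even against an older gpg, because an inline signed message (or anything else that is not purely signature packets, such as a compressed-data packet wrapping one) is refused before gpg sees it. The second guard belongs between the key-server fetch and gpg --import. The parser deliberately raises on partial-body and indeterminate-length framing rather than guessing: an unexpected layout should block the call, not be tolerated.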


Both these fixes are in version 1.0.4-1.1 and we recommend that you
upgrade your gnupg package immediately.

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.


Debian GNU/Linux 2.2 alias potato
- ---------------------------------

Potato was released for alpha, arm, i386, m68k, powerpc and sparc.

Source archives:
http://security.debian.org/dists/stable/updates/main/source/gnupg_1.0.4-1.1.diff.gz
MD5 checksum: 3e6a792f3bbb566650ea37a286feedf4
http://security.debian.org/dists/stable/updates/main/source/gnupg_1.0.4-1.1.dsc
MD5 checksum: 866059ad036f47c59bad9e5c3a0f0749
http://security.debian.org/dists/stable/updates/main/source/gnupg_1.0.4.orig.tar.gz
MD5 checksum: bef2267bfe9b74a00906a78db34437f9

Alpha architecture:
http://security.debian.org/dists/stable/updates/main/binary-alpha/gnupg_1.0.4-1.1_alpha.deb
MD5 checksum: 616e391a4eb5561bf32714e40bed38c5

ARM architecture:
http://security.debian.org/dists/stable/updates/main/binary-arm/gnupg_1.0.4-1.1_arm.deb
MD5 checksum: e496f7aed98098feef2869be81b774b7

Intel ia32 architecture:
http://security.debian.org/dists/stable/updates/main/binary-i386/gnupg_1.0.4-1.1_i386.deb
MD5 checksum: a6c0494c737250b0ccc7dc33056d8e7c

Motorola 680x0 architecture:
http://security.debian.org/dists/stable/updates/main/binary-m68k/gnupg_1.0.4-1.1_m68k.deb
MD5 checksum: a07cbf5bce2890fe85cfae4d796c5b0d

PowerPC architecture:
http://security.debian.org/dists/stable/updates/main/binary-powerpc/gnupg_1.0.4-1.1_powerpc.deb
MD5 checksum: e251364c24066cc88a3de11b4ba23275

Sun Sparc architecture:
http://security.debian.org/dists/stable/updates/main/binary-sparc/gnupg_1.0.4-1.1_sparc.deb
MD5 checksum: b15f4ad07949fb0fa24a221b656691ae

These files will be moved into
ftp://ftp.debian.org/debian/dists/stable/*/binary-$arch/ soon.

For not yet released architectures please refer to the appropriate
directory ftp://ftp.debian.org/debian/dists/sid/binary-$arch/ .

- --
- ----------------------------------------------------------------------------
apt-get: deb http://security.debian.org/ stable/updates main
dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQB1AwUBOkbONKjZR/ntlUftAQFtwQMAmtindulwccEccRrsVfs4YSef978f/I/I
5wCQbNMcBxFU9RiNhB+8ljCAwFvNLzc+R+gWUYOunDB2QDJFKeM8TU2wMSi11s3x
wbCoWN95RW3CG7taF4rBmBBg9QS43Qh5
=auis
-----END PGP SIGNATURE-----

