Mandriva Advisories

Package name: gnupg
Date: May 22nd, 2003
Advisory ID: MDKSA-2003:061
Affected versions: 8.2, 9.0, 9.1, MNF8.2, CS2.1
Synopsis: Updated gnupg packages fix validation bug

Problem Description

A bug was discovered in GnuPG versions 1.2.1 and earlier. When gpg
evaluates trust values for the different UIDs assigned to a key, it
incorrectly associates the trust value of the UID with the highest
trust value with every other UID assigned to that key. As a result, no
warning message is given when attempting to encrypt to an invalid UID;
because of the bug, that UID is accepted as valid.

Patches have been applied for version 1.0.7 and all users are
encouraged to upgrade.
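
The following added example (not part of the original advisory and not GnuPG source code) models the bug described above against colon-format key listings such as those produced by `gpg --with-colons --list-keys`, where field 2 is the validity and field 10 the user ID. It reports UIDs that fail their own validity check but would pass if the key's highest UID validity were applied to all of them; the sample listing, key IDs and user IDs are constructed, and the function names are hypothetical.

```python
# Added example: models the advisory's bug; this is not GnuPG source code.
# SAMPLE is constructed: key IDs, hash fields and user IDs are made up.
SAMPLE = """\
pub:f:1024:17:AAAAAAAAAAAAAAAA:1050000000:::-:::scESC:
uid:f::::1050000000::H1::Alice Example <alice@example.org>:
uid:-::::1050000100::H2::Alice Example <alice@other.example>:
sub:f:2048:16:BBBBBBBBBBBBBBBB:1050000000::::::e:
"""

# Validity letters that grant some validity; every other letter ranks as 0.
RANK = {"m": 1, "f": 2, "u": 3}

def parse_uids(listing):
    """Return {keyid: [(user_id, validity_letter), ...]} from a colon listing."""
    keys, current = {}, None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub" and len(f) > 4:
            current = f[4]
            keys[current] = []
        elif f[0] == "uid" and current is not None and len(f) > 9:
            keys[current].append((f[9], f[1]))
    return keys

def own_validity(uids, uid):
    """Correct behaviour: only the requested UID's own validity counts."""
    return dict(uids).get(uid, "-")

def key_max_validity(uids):
    """Model of the bug: the highest validity of any UID is used for all."""
    return max((v for _, v in uids), key=lambda v: RANK.get(v, 0))

def masked_uids(listing, need="f"):
    """UIDs below `need` on their own that reach it via the key-wide maximum."""
    out = []
    for keyid, uids in parse_uids(listing).items():
        best = RANK.get(key_max_validity(uids), 0) if uids else 0
        for uid, _ in uids:
            if RANK.get(own_validity(uids, uid), 0) < RANK[need] <= best:
                out.append((keyid, uid))
    return out

if __name__ == "__main__":
    for keyid, uid in masked_uids(SAMPLE):
        print(f"{keyid}: {uid!r} is not valid on its own")
```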

Updated Packages

Mandrakelinux 8.2

024e2dc599314591cee3334bd205039f  8.2/RPMS/gnupg-1.0.7-3.1mdk.i586.rpm
38a397a657d6f264db9679f2ed002ed7  8.2/SRPMS/gnupg-1.0.7-3.1mdk.src.rpm

Mandrakelinux 8.2/PPC

3d74d4e08b065e36249c38033389d12e  ppc/8.2/RPMS/gnupg-1.0.7-3.1mdk.ppc.rpm
38a397a657d6f264db9679f2ed002ed7  ppc/8.2/SRPMS/gnupg-1.0.7-3.1mdk.src.rpm

Mandrakelinux 9.0

1bfcc7589ddd74946cbaa7d2f6c7081f  9.0/RPMS/gnupg-1.0.7-3.1mdk.i586.rpm
38a397a657d6f264db9679f2ed002ed7  9.0/SRPMS/gnupg-1.0.7-3.1mdk.src.rpm

Mandrakelinux 9.1

9d1b5490ff82a97b279ef9cb68b458db  9.1/RPMS/gnupg-1.2.2-1.1mdk.i586.rpm
d0e70c888b593188bb92828908d8be8e  9.1/SRPMS/gnupg-1.2.2-1.1mdk.src.rpm

Mandrakelinux 9.1/PPC

e7e402899a26c4f02e5684df16e33b0e  ppc/9.1/RPMS/gnupg-1.2.2-1.1mdk.ppc.rpm
d0e70c888b593188bb92828908d8be8e  ppc/9.1/SRPMS/gnupg-1.2.2-1.1mdk.src.rpm

Multi Network Firewall 8.2

024e2dc599314591cee3334bd205039f  mnf8.2/RPMS/gnupg-1.0.7-3.1mdk.i586.rpm
38a397a657d6f264db9679f2ed002ed7  mnf8.2/SRPMS/gnupg-1.0.7-3.1mdk.src.rpm

Corporate Server 2.1

1bfcc7589ddd74946cbaa7d2f6c7081f  corporate/2.1/RPMS/gnupg-1.0.7-3.1mdk.i586.rpm
38a397a657d6f264db9679f2ed002ed7  corporate/2.1/SRPMS/gnupg-1.0.7-3.1mdk.src.rpm

Corporate Server 2.1/X86_64

e7b8826c409a434e3ac2b7d22050498d  x86_64/corporate/2.1/RPMS/gnupg-1.0.7-3.1mdk.x86_64.rpm
38a397a657d6f264db9679f2ed002ed7  x86_64/corporate/2.1/SRPMS/gnupg-1.0.7-3.1mdk.src.rpm

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0255
http://lists.gnupg.org/pipermail/gnupg-announce/2003q2/000268.html

Upgrade

To upgrade automatically, use MandrivaUpdate.


Verification

Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command:

    rpm --checksig package.rpm

You can get the GPG public key of the Mandriva Security Team to verify the GPG signature of each RPM.

If you use MandrivaUpdate, verification of the MD5 checksum and GPG signature is performed automatically for you.