Advisories

Mandriva Advisories

Package name	gnupg
Date	March 15th, 2005
Advisory ID	MDKSA-2005:057
Affected versions	9.2, 10.0, 10.1, CS2.1, CS3.0
Synopsis	Updated gnupg packages fix vulnerability

Problem Description

The OpenPGP protocol is vulnerable to a timing-attack in order to
gain plain text from cipher text. The timing difference appears as a
side effect of the so-called "quick scan" and is only exploitable on
systems that accept an arbitrary amount of cipher text for automatic
decryption.

The updated packages have been patched to disable the quick check for
all public key-encrypted messages and files.

Updated Packages

Mandrakelinux 9.2

 eea8f872b37b44e323121f8f06e055a5  9.2/RPMS/gnupg-1.2.3-3.2.92mdk.i586.rpm
4853be0ffaeb03b0bc78bd361342d5ed  9.2/SRPMS/gnupg-1.2.3-3.2.92mdk.src.rpm

Mandrakelinux 9.2/AMD64

 cd27f63d89d9850c25f3e36968dc120f  amd64/9.2/RPMS/gnupg-1.2.3-3.2.92mdk.amd64.rpm
4853be0ffaeb03b0bc78bd361342d5ed  amd64/9.2/SRPMS/gnupg-1.2.3-3.2.92mdk.src.rpm

Mandrakelinux 10.0

 e417191838d8efce573d72c1a23985f5  10.0/RPMS/gnupg-1.2.4-1.1.100mdk.i586.rpm
86351de46dfb9269582e3ff077c1cbfd  10.0/SRPMS/gnupg-1.2.4-1.1.100mdk.src.rpm

Mandrakelinux 10.0/AMD64

 df0f82dbd6e158e0ed5147cb39e16d8a  amd64/10.0/RPMS/gnupg-1.2.4-1.1.100mdk.amd64.rpm
86351de46dfb9269582e3ff077c1cbfd  amd64/10.0/SRPMS/gnupg-1.2.4-1.1.100mdk.src.rpm

Mandrakelinux 10.1

 e5c5e11c18532a11b3f17df2f4a8d0f0  10.1/RPMS/gnupg-1.2.4-1.1.101mdk.i586.rpm
6616d6b33665b0b61b3ba60ea4edb7b7  10.1/SRPMS/gnupg-1.2.4-1.1.101mdk.src.rpm

Mandrakelinux 10.1/X86_64

 0f912bf60b3aa5657f1d70ac1321877c  x86_64/10.1/RPMS/gnupg-1.2.4-1.1.101mdk.x86_64.rpm
6616d6b33665b0b61b3ba60ea4edb7b7  x86_64/10.1/SRPMS/gnupg-1.2.4-1.1.101mdk.src.rpm

Corporate Server 2.1

 9a94f8178b38d21436776157a8dc64fa  corporate/2.1/RPMS/gnupg-1.0.7-3.3.C21mdk.i586.rpm
7feb5108aab575ca5a236257cb6381bf  corporate/2.1/SRPMS/gnupg-1.0.7-3.3.C21mdk.src.rpm

Corporate Server 2.1/X86_64

 54fe5bb44107b7e3e61b36497a911bc3  x86_64/corporate/2.1/RPMS/gnupg-1.0.7-3.3.C21mdk.x86_64.rpm
7feb5108aab575ca5a236257cb6381bf  x86_64/corporate/2.1/SRPMS/gnupg-1.0.7-3.3.C21mdk.src.rpm

Corporate Server 3.0

 e95d4dd1787d1b371c554ac29c840ae4  corporate/3.0/RPMS/gnupg-1.2.4-1.1.C30mdk.i586.rpm
78db8f8ecd2709c17b0700b22d74f227  corporate/3.0/SRPMS/gnupg-1.2.4-1.1.C30mdk.src.rpm

Corporate Server 3.0/X86_64

 c9fcb2074b56249ccbb1456a4fffea4e  x86_64/corporate/3.0/RPMS/gnupg-1.2.4-1.1.C30mdk.x86_64.rpm
78db8f8ecd2709c17b0700b22d74f227  x86_64/corporate/3.0/SRPMS/gnupg-1.2.4-1.1.C30mdk.src.rpm

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0366
http://www.kb.cert.org/vuls/id/303094
http://www.pgp.com/library/ctocorner/openpgp.html

Upgrade

To upgrade automatically, use MandrivaUpdate.

Verification

Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command :

                rpm --checksig package.rpm

You can get the GPG public key of the Mandriva Security Team to verify the GPG signature of each RPM.

If you use MandrivaUpdate, the verification of md5 checksum and GPG signature is performed automatically for you.

URL:

https://mandriva.com/security/advisories

Short link:

https://mandriva.com/content/view/full/1075

Intersites Menu

Mandriva

Tools

Top menu

Advisories

Footer