LibreOffice could incorrectly validate document signatures.

=========================================================================
Ubuntu Security Notice USN-5153-1
November 22, 2021

libreoffice vulnerabilities
=========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS

Summary:

LibreOffice could incorrectly validate document signatures.

Software Description:
- libreoffice: Office productivity suite

Details:

It was discovered that LibreOffice incorrectly handled digital signatures. An attacker could possibly use this issue to create a specially crafted document that would display a validly signed indicator, contrary to expectations.

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS:
  libreoffice-core 1:6.4.7-0ubuntu0.20.04.2

In general, a standard system update will make all the necessary changes.

References:
  CVE-2021-25633, CVE-2021-25634

Package Information:
  https://launchpad.net/ubuntu/+source/libreoffice/1:6.4.7-0ubuntu0.20.04.2

Security issues in the LibreOffice suite for Ubuntu 20.04 LTS may result in misleading notifications regarding signature authenticity. It is advisable to apply available updates.

LibreOffice, Ubuntu Vulnerabilities, Document Signatures.

Severity: Important.

LinuxSecurity.com Team

Henry de Valence reported a flaw in the signature verification code in Tor, a connection-based low-latency anonymous communication system. A remote attacker can take advantage of this flaw to cause an assertion failure, resulting in denial of service.

MGASA-2021-0426 - Updated tor packages fix security vulnerability

Publication date: 23 Sep 2021
URL: https://advisories.mageia.org/MGASA-2021-0426.html
Type: security
Affected Mageia releases: 8
CVE: CVE-2021-38385

Henry de Valence reported a flaw in the signature verification code in Tor, a connection-based low-latency anonymous communication system. A remote attacker can take advantage of this flaw to cause an assertion failure, resulting in denial of service.

References:
- https://bugs.mageia.org/show_bug.cgi?id=29377
- https://blog.torproject.org/new-stable-releases-tor-03516-04510-and-0467/
- https://www.cve.org/CVERecord?id=CVE-2021-38385

SRPMS:
- 8/core/tor-0.3.5.16-1.mga8

Mageia has released updates for its tor packages to mitigate a significant vulnerability that leads to potential denial of service attacks, which was disclosed on September 23, 2021.

Mageia Security Advisory, Tor Update, Denial of Service Issue, Signature Verification Flaw.

LinuxSecurity.com Team

Moderate: openssl security update.

Date: Tue, 15 Dec 2015 21:30:59 +0000
Reply-To: scientific-linux-users@
Sender: Security Errata for Scientific Linux
From: Connie Sieh
Subject: Security ERRATA Moderate: openssl on SL6.x i386/x86_64

Synopsis: Moderate: openssl security update
Advisory ID: SLSA-2015:2617-1
Issue Date: 2015-12-14
CVE Numbers: CVE-2015-3194
             CVE-2015-3195
             CVE-2015-3196
--

A NULL pointer dereference flaw was found in the way OpenSSL verified signatures using the RSA PSS algorithm. A remote attacker could possibly use this flaw to crash a TLS/SSL client using OpenSSL, or a TLS/SSL server using OpenSSL if it enabled client authentication. (CVE-2015-3194)

A memory leak vulnerability was found in the way OpenSSL parsed PKCS#7 and CMS data. A remote attacker could use this flaw to cause an application that parses PKCS#7 or CMS data from untrusted sources to use an excessive amount of memory and possibly crash. (CVE-2015-3195)

A race condition flaw, leading to a double free, was found in the way OpenSSL handled pre-shared key (PSK) identity hints. A remote attacker could use this flaw to crash a multi-threaded SSL/TLS client using OpenSSL. (CVE-2015-3196)

For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.
--

SL6
  x86_64
    openssl-1.0.1e-42.el6_7.1.i686.rpm
    openssl-1.0.1e-42.el6_7.1.x86_64.rpm
    openssl-debuginfo-1.0.1e-42.el6_7.1.i686.rpm
    openssl-debuginfo-1.0.1e-42.el6_7.1.x86_64.rpm
    openssl-devel-1.0.1e-42.el6_7.1.i686.rpm
    openssl-devel-1.0.1e-42.el6_7.1.x86_64.rpm
    openssl-perl-1.0.1e-42.el6_7.1.x86_64.rpm
    openssl-static-1.0.1e-42.el6_7.1.x86_64.rpm
  i386
    openssl-1.0.1e-42.el6_7.1.i686.rpm
    openssl-debuginfo-1.0.1e-42.el6_7.1.i686.rpm
    openssl-devel-1.0.1e-42.el6_7.1.i686.rpm
    openssl-perl-1.0.1e-42.el6_7.1.i686.rpm
    openssl-static-1.0.1e-42.el6_7.1.i686.rpm

- Scientific Linux Development Team

Significant OpenSSL patch issued for Scientific Linux SL6.x remedying major vulnerabilities. Restart services to ensure implementation.

OpenSSL Security, Scientific Linux Update, Moderate Security Patch.

LinuxSecurity.com Team

It was discovered that IcedTea for Java did not properly verify signatures when handling multiply signed or partially signed JAR files, allowing an attacker to cause code to execute that appeared to come from a verified source. (CVE-2011-0025)

==========================================================
Ubuntu Security Notice USN-1055-1
February 01, 2011

openjdk-6, openjdk-6b18 vulnerabilities
CVE-2010-4351, CVE-2011-0025
==========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 9.10
Ubuntu 10.04 LTS
Ubuntu 10.10

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 9.10:
  icedtea6-plugin 6b20-1.9.5-0ubuntu1~9.10.1

Ubuntu 10.04 LTS:
  icedtea6-plugin 6b20-1.9.5-0ubuntu1~10.04.1

Ubuntu 10.10:
  icedtea6-plugin 6b20-1.9.5-0ubuntu1

After a standard system update you need to restart any Java services, applications or applets to make all the necessary changes.

Details follow:

It was discovered that IcedTea for Java did not properly verify signatures when handling multiply signed or partially signed JAR files, allowing an attacker to cause code to execute that appeared to come from a verified source. (CVE-2011-0025)

USN 1052-1 fixed a vulnerability in OpenJDK for Ubuntu 9.10 and Ubuntu 10.04 LTS on all architectures, and Ubuntu 10.10 for all architectures except for the armel (ARM) architecture. This update provides the corresponding update for Ubuntu 10.10 on the armel (ARM) architecture.

Original advisory details:

It was discovered that the JNLP SecurityManager in IcedTea for Java OpenJDK in some instances failed to properly apply the intended security policy in its checkPermission method. This could allow an attacker to execute code with privileges that should have been prevented. (CVE-2010-4351)

Essential OpenJDK patches in Ubuntu address authentication vulnerabilities to avert unauthorized code execution. Maintain your safety!

OpenJDK Security, Ubuntu Vulnerabilities, Java Signature Check, IcedTea Update.

Severity: Critical.

LinuxSecurity.com Team

The TrustedQSL library incorrectly checked the result after calling the EVP_VerifyFinal function, allowing a malformed signature to be treated as a good signature rather than as an error. Package includes a patch to fix EVP_VerifyFinal result check.

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2009-0419
2009-01-14 23:36:02
--------------------------------------------------------------------------------

Name        : tqsllib
Product     : Fedora 10
Version     : 2.0
Release     : 5.fc10
URL         : https://sourceforge.net/projects/trustedqsl/
Summary     : The TrustedQSL library
Description :
The TrustedQSL library is used for generating digitally signed QSO records (records of Amateur Radio contacts). This package contains the library and configuration files needed to run TrustedQSL applications.

--------------------------------------------------------------------------------
Update Information:

The TrustedQSL library incorrectly checked the result after calling the EVP_VerifyFinal function, allowing a malformed signature to be treated as a good signature rather than as an error. Package includes a patch to fix EVP_VerifyFinal result check.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Jan 12 2009 Lucian Langa - 2.0-5
- modify patch0 to include fix for #479650 (CVE-2008-5077 related)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #479650 - tqsllib: OpenSSL incorrect checks for malformed signatures
        https://bugzilla.redhat.com/show_bug.cgi?id=479650
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use su -c 'yum update tqsllib' at the command line. For more information, refer to "Managing Software with yum", available at .

All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/
--------------------------------------------------------------------------------
Fedora-package-announce mailing list

An updated GnuPG package that fixes signature verification flaws as well as minor bugs is now available. This update has been rated as having important security impact by the Red Hat Security Response Team.

---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Important: gnupg security update
Advisory ID:       RHSA-2006:0266-01
Advisory URL:      https://access.redhat.com/errata/RHSA-2006:0266.html
Issue date:        2006-03-15
Updated on:        2006-03-15
Product:           Red Hat Enterprise Linux
CVE Names:         CVE-2006-0049 CVE-2006-0455
---------------------------------------------------------------------

1. Summary:

An updated GnuPG package that fixes signature verification flaws as well as minor bugs is now available.

This update has been rated as having important security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Problem description:

GnuPG is a utility for encrypting data and creating digital signatures.

Tavis Ormandy discovered a bug in the way GnuPG verifies cryptographically signed data with detached signatures. It is possible for an attacker to construct a cryptographically signed message which could appear to come from a third party. When a victim processes a GnuPG message with a malformed detached signature, GnuPG ignores the malformed signature, processes and outputs the signed data, and exits with status 0, just as it would if the signature had been valid. In this case, GnuPG's exit status would not indicate that no signature verification had taken place. This issue would primarily be of concern when processing GnuPG results via an automated script. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0455 to this issue.

Tavis Ormandy also discovered a bug in the way GnuPG verifies cryptographically signed data with inline signatures. It is possible for an attacker to inject unsigned data into a signed message in such a way that when a victim processes the message to recover the data, the unsigned data is output along with the signed data, gaining the appearance of having been signed. This issue is mitigated in the GnuPG shipped with Red Hat Enterprise Linux as the --ignore-crc-error option must be passed to the gpg executable for this attack to be successful. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0049 to this issue.

Please note that neither of these issues affect the way RPM or up2date verify RPM package files, nor is RPM vulnerable to either of these issues.

All users of GnuPG are advised to upgrade to this updated package, which contains backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via Red Hat Network. To use Red Hat Network, launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system.

5. Bug IDs fixed (http://bugzilla.redhat.com/):

167392 - initial gpg run doesn't create .gnupg/secring.gpg
179506 - RHEL3, gnupg-1.2.1-10, gpg: Creates corrupt files (probably2GB problem)
183484 - CVE-2006-0455 gpg will quietly exit when attempting to verify a malformed message
184556 - CVE-2006-0049 Gnupg incorrect malformed message verification

6. RPMs required:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1:
  SRPMS:  gnupg-1.0.7-16.src.rpm
  i386:   gnupg-1.0.7-16.i386.rpm
  ia64:   gnupg-1.0.7-16.ia64.rpm

Red Hat Linux Advanced Workstation 2.1:
  SRPMS:  gnupg-1.0.7-16.src.rpm
  ia64:   gnupg-1.0.7-16.ia64.rpm

Red Hat Enterprise Linux ES version 2.1:
  SRPMS:  gnupg-1.0.7-16.src.rpm
  i386:   gnupg-1.0.7-16.i386.rpm

Red Hat Enterprise Linux WS version 2.1:
  SRPMS:  gnupg-1.0.7-16.src.rpm
  i386:   gnupg-1.0.7-16.i386.rpm

Red Hat Enterprise Linux AS version 3:
  SRPMS:  gnupg-1.2.1-15.src.rpm
  i386:   gnupg-1.2.1-15.i386.rpm
  ia64:   gnupg-1.2.1-15.ia64.rpm
  ppc:    gnupg-1.2.1-15.ppc.rpm
  s390:   gnupg-1.2.1-15.s390.rpm
  s390x:  gnupg-1.2.1-15.s390x.rpm
  x86_64: gnupg-1.2.1-15.x86_64.rpm

Red Hat Desktop version 3:
  SRPMS:  gnupg-1.2.1-15.src.rpm
  i386:   gnupg-1.2.1-15.i386.rpm
  x86_64: gnupg-1.2.1-15.x86_64.rpm

Red Hat Enterprise Linux ES version 3:
  SRPMS:  gnupg-1.2.1-15.src.rpm
  i386:   gnupg-1.2.1-15.i386.rpm
  ia64:   gnupg-1.2.1-15.ia64.rpm
  x86_64: gnupg-1.2.1-15.x86_64.rpm

Red Hat Enterprise Linux WS version 3:
  SRPMS:  gnupg-1.2.1-15.src.rpm
  i386:   gnupg-1.2.1-15.i386.rpm
  ia64:   gnupg-1.2.1-15.ia64.rpm
  x86_64: gnupg-1.2.1-15.x86_64.rpm

Red Hat Enterprise Linux AS version 4:
  SRPMS:  gnupg-1.2.6-3.src.rpm
  i386:   gnupg-1.2.6-3.i386.rpm
  ia64:   gnupg-1.2.6-3.ia64.rpm
  ppc:    gnupg-1.2.6-3.ppc.rpm
  s390:   gnupg-1.2.6-3.s390.rpm
  s390x:  gnupg-1.2.6-3.s390x.rpm
  x86_64: gnupg-1.2.6-3.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:
  SRPMS:  gnupg-1.2.6-3.src.rpm
  i386:   gnupg-1.2.6-3.i386.rpm
  x86_64: gnupg-1.2.6-3.x86_64.rpm

Red Hat Enterprise Linux ES version 4:
  SRPMS:  gnupg-1.2.6-3.src.rpm
  i386:   gnupg-1.2.6-3.i386.rpm
  ia64:   gnupg-1.2.6-3.ia64.rpm
  x86_64: gnupg-1.2.6-3.x86_64.rpm

Red Hat Enterprise Linux WS version 4:
  SRPMS:  gnupg-1.2.6-3.src.rpm
  i386:   gnupg-1.2.6-3.i386.rpm
  ia64:   gnupg-1.2.6-3.ia64.rpm
  x86_64: gnupg-1.2.6-3.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key#package

7. References:

https://www.cve.org/CVERecord?id=CVE-2006-0049
https://www.cve.org/CVERecord?id=CVE-2006-0455

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2006 Red Hat, Inc.

Unveil the Red Hat Security Notice RHSA-2006:0266-01 which tackles critical vulnerabilities in gnupg. Ensure prompt updates!

gnupg Security, Red Hat Enterprise, Signature Fixes, Security Impact.

Severity: Important.

LinuxSecurity.com Team
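
An added example, not part of the Red Hat advisory or of GnuPG's own code: a wrapper for automated scripts that accepts a detached signature only when gpg's machine-readable status output positively reports a valid signature from a pinned key, instead of trusting exit status 0 alone (the CVE-2006-0455 failure mode described above). The fingerprint, the sample status lines and the function names are constructed for illustration.

```python
import subprocess

STATUS_PREFIX = "[GNUPG:] "

# Status keywords (written by gpg to --status-fd) that this policy treats as
# "no usable signature". Rejecting expired/revoked keys is a policy choice.
FAILURE_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG",
                    "REVKEYSIG", "NODATA", "NO_PUBKEY"}


def parse_status(status_text):
    """Return [(keyword, [args...])] for every '[GNUPG:] ' status line."""
    records = []
    for line in status_text.splitlines():
        if line.startswith(STATUS_PREFIX):
            fields = line[len(STATUS_PREFIX):].split()
            if fields:
                records.append((fields[0], fields[1:]))
    return records


def signature_is_trusted(exit_code, status_text, pinned_fingerprints):
    """Fail closed: True only on positive evidence of a pinned, valid signature.

    Exit status 0 is necessary but never sufficient; a run that exits 0
    without emitting VALIDSIG is treated as unverified.
    """
    if exit_code != 0:
        return False
    pinned = {fp.upper() for fp in pinned_fingerprints}
    records = parse_status(status_text)
    if any(keyword in FAILURE_KEYWORDS for keyword, _ in records):
        return False
    for keyword, args in records:
        if keyword == "VALIDSIG" and args:
            # args[0]: fingerprint of the signing key; args[9], when present,
            # is the primary key fingerprint.
            candidates = {args[0].upper()}
            if len(args) >= 10:
                candidates.add(args[9].upper())
            if candidates & pinned:
                return True
    return False


def verify_detached(sig_path, data_path, pinned_fingerprints):
    """Run gpg on a detached signature and apply the policy above."""
    proc = subprocess.run(
        ["gpg", "--batch", "--no-tty", "--status-fd", "1",
         "--verify", sig_path, data_path],
        stdout=subprocess.PIPE, stderr=subprocess.DEVNULL)
    status = proc.stdout.decode("utf-8", errors="replace")
    return signature_is_trusted(proc.returncode, status, pinned_fingerprints)


# --- Constructed sample data (not captured from a real gpg run) ---
PINNED = "0123456789ABCDEF0123456789ABCDEF01234567"
GOOD_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Signer <signer@example.invalid>\n"
    "[GNUPG:] VALIDSIG " + PINNED + " 2006-03-15 1142380800 0 4 0 1 2 00 " + PINNED + "\n"
)
# Exit 0 with no signature records at all: the case the advisory warns about.
SILENT_STATUS = ""
BAD_STATUS = "[GNUPG:] BADSIG 89ABCDEF01234567 Constructed Signer\n"

if __name__ == "__main__":
    for name, code, text in [("good", 0, GOOD_STATUS),
                             ("silent exit 0", 0, SILENT_STATUS),
                             ("bad", 1, BAD_STATUS)]:
        print(name, "->", signature_is_trusted(code, text, [PINNED]))
```

Verifying a detached signature against an explicitly named data file, as verify_detached does, also keeps the script from consuming data that gpg merely passed through alongside a signed block.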