[Announce] GnuPG security fix 1.0.6

Werner Koch wk@gnupg.org
Fri Jun 1 15:25:01 2001


--NKoe5XOeduwbEQHU
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Hi,

I have recently released a new version of GnuPG which fixes an
exploit found by fish stiqz as well has some other bugs:

    * Security fix for a format string bug in the tty code.

    * Fixed format string bugs in all PO files.=20

    * Removed Russian translation due to too many bugs.  The FTP
      server has an unofficial but better translation in the contrib
      directory.

    * Fixed expire time calculation and keyserver access.

    * The usual set of minor bug fixes and enhancements.

Although that the posted exploit code can only be used with a special
knowledge of the target machine, I STRONGLY ADVISE TO UPDATE GnuPG to
this new version.=20

This new release should be avalable at all mirror sites (see
http://www.gnupg.org/mirrors.html and below) and at the primary location:

 ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.0.6.tar.gz  (1896k)
 ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.0.6.tar.gz.sig

or as a patch file:

 ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.0.5-1.0.6.diff.gz (217k)

MD5 checksums are:

   7c319a9e5e70ad9bc3bf0d7b5008a508  gnupg-1.0.6.tar.gz
   71ae7d725776688c2e095d9672f38e61  gnupg-1.0.5-1.0.6.diff.gz

A binary distribution for MS Windows systems is available at:

  ftp://ftp.gnupg.org/gcrypt/binaty/gnupg-w32-1.0.6.zip
  ftp://ftp.gnupg.org/gcrypt/binaty/gnupg-w32-1.0.6.zip


After releasing this version it turned out that there is a small
glitch in the source when a compiler other than GCC is used.  If you
encounter a compile problem, you should fix it in include/ttyio.c
like this:

diff -r1.7.2.3 ttyio.h
27c27
<  void tty_printf  const char *fmt, ... );
---

> void tty_printf (const char *fmt, ... );
Due to the switch to a new gettext version, some systems may have problems with there own gettext version. Using=20 ./configure --with-included-gettext =20 should fix this (this is also mentioned in the INSTALL file) Have fun Werner Here is a list of sites mirroring ftp://ftp.gnupg.org/gcrypt/=20 Please use them if you can; new releases should show up on these servers within a day. This mirror list is also available at http://www.gnupg.org/mirrors.html Australia ftp://ftp.planetmirror.com/pub/gnupg/ http://ftp.planetmirror.com/pub/gnupg/ ftp://mirror.aarnet.edu.au/pub/gnupg/ Austria ftp://gd.tuwien.ac.at/privacy/gnupg/ http://gd.tuwien.ac.at/privacy/gnupg/ Belgium ftp://openbsd.rug.ac.be/pub/gcrypt/ ftp://gnupg.x-zone.org/pub/gnupg Czechia ftp://ftp.gnupg.cz/pub/gcrypt Denmark ftp://sunsite.dk/pub/security/gcrypt/ Finland ftp://ftp.jyu.fi/pub/crypt/gcrypt/ France ftp://ftp.strasbourg.linuxfr.org/pub/gnupg/ Germany ftp://ftp.franken.de/pub/crypt/mirror/ftp.guug.de/gcrypt/ ftp://ftp.freenet.de/pub/ftp.gnupg.org/pub/gcrypt/ Greece ftp://ftp.linux.gr/pub/crypto/gnupg/ ftp://hal.csd.auth.gr/mirrors/gnupg/ Hungary ftp://ftp.kfki.hu/pub/packages/security/gnupg/ Iceland ftp://ftp.hi.is/pub/mirrors/gnupg/ Ireland ftp://ftp.compsoc.com/pub/gnupg/ Italy ftp://ftp.linux.it/pub/mirrors/gnupg/ ftp://ftp3.linux.it/pub/mirrors/gnupg/ Japan ftp://pgp.iijlab.net/pub/gnupg/ ftp://ftp.ring.gr.jp/pub/net/gnupg/ http://www.ring.gr.jp/pub/net/gnupg/ Korea ftp://ftp.snu.ac.kr/pub/security/gnupg/ Poland ftp://sunsite.icm.edu.pl/pub/security/gnupg/ Spain ftp://dimonieta.udg.es/mirror/gnupg Sweden ftp://ftp.stacken.kth.se/pub/crypto/gnupg/ ftp://ftp.sunet.se:/pub/security/gnupg/ Switzerland ftp://sunsite.cnlab-switch.ch/mirror/gcrypt/ Taiwan ftp://coda.nctu.edu.tw/Security/gcrypt United Kingdom ftp://ftp.net.lut.ac.uk/gcrypt/ ftp://ftp.mirror.ac.uk/sites/ftp.gnupg.org/pub/gcrypt/ http://www.mirror.ac.uk/sites/ftp.gnupg.org/pub/gcrypt/ --=20 Werner Koch Omnis enim res, quae dando non deficit, dum habetur g10 Code GmbH et non datur, nondum habetur, quomodo habenda est. Privacy Solutions -- Augustinus --NKoe5XOeduwbEQHU Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE7F41ZbH7huGIcwBMRAlOOAKCCK9Q5D56P+fWKtv+Bcllrw8b93wCeNxN8 iOJAxMyN7Fsal+nlcK7xGRU= =w2y+ -----END PGP SIGNATURE----- --NKoe5XOeduwbEQHU-- _______________________________________________ Gnupg-announce mailing list Gnupg-announce@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce