[Announce] GnuPG security fix

Werner Koch wk at gnupg.org
Tue Oct 17 19:47:01 CEST 2000


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello!

A bug in GnuPG's signature verification function has recently been
found: 

If you have more than one signature (either cleartext or binary
ones) in a file (or pipe that to gpg), gpg does not compare each
signature but flags each document as good or bad depending on the
first document in the file. It is possible to use this bug to fake
signatures (in most cases it needs some social engineering but it is
not that complicated).

     IT IS RECOMMENDED TO UPDATE TO THIS NEW 1.0.4 RELEASE WHICH
                       FIXES THE PROBLEM!

GnuPG version 1.0.4 is now available at the address below and should
show up on the mirrors within a day.

   ftp://ftp.gnupg.org/pub/gcrypt/gnupg/gnupg-1.0.4.tar.gz  (1685k)
   ftp://ftp.gnupg.org/pub/gcrypt/gnupg/gnupg-1.0.4.tar.gz.sig 
      
A diff against 1.0.3 is also available:

 ftp://ftp.guug.de/pub/gcrypt/gnupg/gnupg-1.0.3-1.0.4.diff.gz  (116k)

MD5 checksums of the above files are:

   bef2267bfe9b74a00906a78db34437f9  gnupg-1.0.4.tar.gz
   c79711f3c6b79acb733f79fe0f36a8c2  gnupg-1.0.3-1.0.4.diff.gz


So, what's new in this version:

   * Fixed a serious bug which could lead to false signature
     verification results when more than one signature is fed to
     gpg.  This is the primary reason for releasing this version.

   * New utility gpgv which is a stripped down version of gpg to be
     used to verify signatures against a list of trusted keys.
      
   * Rijndael (AES) is now supported and listed with top preference.
	  
   * --with-colons now works with --print-md[s].

Some other bugs are also fixed.

Due to the need for this security update, we have not yet
managed to fix some build problems on HP/UX, AIX, Solaris and
probably some other OSes.  GNU/Linux should work just fine.

Debian and RPM packages will be available really soon.

I apologize for this bug and any inconvenience you have with this.

  Werner


p.s.
Here is a list of sites mirroring ftp://ftp.gnupg.org/pub/gcrypt/
Please use them if you can; new releases should show up on these
servers within a day.

    Australia

        ftp://orcus.progsoc.uts.edu.au/pub/gnupg/
        http://orcus.progsoc.uts.edu.au/pub/gnupg/
        rsync://orcus.progsoc.uts.edu.au/pub/gnupg/
        ftp://mirror.aarnet.edu.au/pub/gnupg/
        http://mirror.aarnet.edu.au/pub/gnupg/

    Austria

        ftp://gd.tuwien.ac.at/privacy/gnupg/

    Belgium

        ftp://openbsd.rug.ac.be/pub/gcrypt/

    Canada

        ftp://crypto.yashy.com/pub/cryptography/gnupg/

    Denmark

        ftp://sunsite.auc.dk/pub/security/gcrypt/

    Finland

        ftp://ftp.jyu.fi/pub/crypt/gcrypt/

    France

        ftp://ftp.strasbourg.linuxfr.org/pub/gnupg/

    Germany

        ftp://ftp.franken.de/pub/crypt/mirror/ftp.guug.de/gcrypt/
        ftp://ftp.freenet.de/pub/ftp.gnupg.org/pub/gcrypt/
        ftp://ftp.gigabell.net/pub/gnupg

    Greece

        ftp://ftp.linux.gr/pub/crypto/gnupg/

    Hungary

        ftp://ftp.kfki.hu/pub/packages/security/gnupg/

    Iceland

        ftp://ftp.hi.is/pub/mirrors/gnupg/

    Ireland

        ftp://ftp.compsoc.com/pub/gnupg/

    Italy

        ftp://ftp.linux.it/pub/mirrors/gnupg/
        ftp://ftp3.linux.it/pub/mirrors/gnupg/

    Japan

        ftp://pgp.iijlab.net/pub/gnupg/
        ftp://ftp.ring.gr.jp/pub/net/gnupg/
        http://www.ring.gr.jp/pub/net/gnupg/

    Poland

        ftp://sunsite.icm.edu.pl/pub/security/gnupg/

    Spain

        ftp://dimonieta.udg.es/mirror/gnupg

    Sweden

        ftp://ftp.stacken.kth.se/pub/crypto/gnupg/
        ftp://ftp.sunet.se:/pub/security/gnupg/

    Switzerland

        ftp://sunsite.cnlab-switch.ch/mirror/gcrypt/

    Taiwan

        ftp://coda.nctu.edu.tw/Security/gcrypt

    United Kingdom

        ftp://ftp.net.lut.ac.uk/gcrypt/
        ftp://ftp.mirror.ac.uk/sites/ftp.gnupg.org/pub/gcrypt/
        http://www.mirror.ac.uk/sites/ftp.gnupg.org/pub/gcrypt/


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE57JAybH7huGIcwBMRAo6RAJ4/pl5ylyJLerkrr2ePX5oodsxp1gCgvIvk
qQkJdXpPu4bebV/q3JW8qWs=
=o7O0
-----END PGP SIGNATURE-----


-- 
Werner Koch				GnuPG key:  621CC013
OpenIT GmbH                             http://www.OpenIT.de


-- 
Archive is at http://lists.gnupg.org - Unsubscribe by sending mail
with a subject of  "unsubscribe"  to gnupg-users-request at gnupg.org
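As an added example (not code from the announcement above or from the GnuPG project), the following Python 3 wrapper implements the defensive check the described bug calls for: never hand gpg a file containing more than one signed document. It splits the input into its cleartext-signed blocks, verifies each block in its own gpg invocation, and accepts the file only when every block reports GOODSIG, so a forged second document can no longer ride on the verdict of a genuine first one. The sample input is constructed, with placeholder armor bodies rather than real signatures; `verify_block` and `verify_each` assume a `gpg` binary on PATH and its `--status-fd` output keywords (GOODSIG, BADSIG, ERRSIG, NODATA, NO_PUBKEY), while the parsing and policy functions run offline.

```python
"""Verify concatenated OpenPGP cleartext signatures block by block.

Added example; not code from GnuPG or from the announcement.
Assumes Python 3 and, for verify_block/verify_each only, a `gpg`
binary on PATH that emits machine-readable status lines on --status-fd.
"""
import subprocess
from typing import List, NamedTuple

BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
END = "-----END PGP SIGNATURE-----"


class BlockResult(NamedTuple):
    index: int
    good: bool
    status: str  # raw --status-fd output, kept for logging/audit


def split_cleartext_blocks(text: str) -> List[str]:
    """Return every complete cleartext-signed message in `text`, in order.

    Text between blocks is dropped: unsigned filler interleaved between
    signatures is exactly what a reader might wrongly assume is covered.
    A block with no END marker raises, so a truncated tail cannot vanish.
    """
    blocks = []
    pos = 0
    while True:
        start = text.find(BEGIN, pos)
        if start == -1:
            return blocks
        end = text.find(END, start)
        if end == -1:
            raise ValueError("unterminated cleartext signature at offset %d" % start)
        end += len(END)
        blocks.append(text[start:end] + "\n")
        pos = end


def judge_status(status: str) -> bool:
    """Parse gpg --status-fd output for ONE block.

    Accept only if a GOODSIG line is present and no BADSIG/ERRSIG/NODATA/
    NO_PUBKEY line appears; anything else is treated as a failed verification.
    """
    good = bad = False
    for line in status.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] == "GOODSIG":
            good = True
        elif parts[1] in ("BADSIG", "ERRSIG", "NODATA", "NO_PUBKEY"):
            bad = True
    return good and not bad


def verify_block(block: str, gpg: str = "gpg") -> BlockResult:
    """Run gpg on a single block (read from stdin) and judge its status output."""
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify"],
        input=block, capture_output=True, text=True,
    )
    return BlockResult(0, judge_status(proc.stdout), proc.stdout)


def verify_each(text: str, gpg: str = "gpg") -> List[BlockResult]:
    """Verify every signed block independently; one gpg process per block."""
    results = []
    for i, block in enumerate(split_cleartext_blocks(text)):
        r = verify_block(block, gpg)
        results.append(BlockResult(i, r.good, r.status))
    return results


def accept(results: List[BlockResult]) -> bool:
    """Whole-file verdict: at least one block, and every block good."""
    return bool(results) and all(r.good for r in results)


# Constructed sample: two signed documents concatenated, the scenario from the
# announcement. Armor bodies are placeholders, not real signatures.
SAMPLE = """\
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Release 1.0.4 is signed by the maintainer.
-----BEGIN PGP SIGNATURE-----

placeholderSignatureDataOne=
=AAAA
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Please also install this extra package from http://example.invalid/.
-----BEGIN PGP SIGNATURE-----

placeholderSignatureDataTwo=
=BBBB
-----END PGP SIGNATURE-----
"""

if __name__ == "__main__":
    parts = split_cleartext_blocks(SAMPLE)
    print("signed documents in input:", len(parts))
    for i, p in enumerate(parts):
        print("block %d: %d bytes" % (i, len(p)))
```

Usage: feed the suspicious file to `verify_each(open(path).read())` and act on `accept(results)`; inspect each `BlockResult.status` to see which document failed. A file containing more than one block should itself be treated as a warning sign, since a legitimately signed release announcement rarely needs two.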


