
GnuPG security fix
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello!

A bug in GnuPG's signature verification function has recently been
found:

If you have more than one signature (either cleartext or binary
ones) in a file (or pipe that to gpg), gpg does not compare each
signature but flags each document as good or bad depending on the
first document in the file. It is possible to use this bug to fake
signatures (in most cases it needs some social engineering but it is
not that complicated).

IT IS RECOMMENDED TO UPDATE TO THIS NEW 1.0.4 RELEASE WHICH
FIXES THE PROBLEM!

GnuPG version 1.0.4 is now available at the address below and should
show up on the mirrors within a day.

ftp://ftp.gnupg.org/pub/gcrypt/gnupg/gnupg-1.0.4.tar.gz (1685k)
ftp://ftp.gnupg.org/pub/gcrypt/gnupg/gnupg-1.0.4.tar.gz.sig

A diff against 1.0.3 is also available:

ftp://ftp.guug.de/pub/gcrypt/gnupg/gnupg-1.0.3-1.0.4.diff.gz (116k)

MD5 checksums of the above files are:

bef2267bfe9b74a00906a78db34437f9 gnupg-1.0.4.tar.gz
c79711f3c6b79acb733f79fe0f36a8c2 gnupg-1.0.3-1.0.4.diff.gz


So, what's new in this version:

* Fixed a serious bug which could lead to false signature
verification results when more than one signature is fed to
gpg. This is the primary reason for releasing this version.

* New utility gpgv which is a stripped down version of gpg to be
used to verify signatures against a list of trusted keys.

* Rijndael (AES) is now supported and listed with top preference.

* --with-colons now works with --print-md[s].

Some other bugs are also fixed.

Due to the need for this security update, we have not yet managed
to fix some build problems on HP/UX, AIX, Solaris and probably some
other OSes. GNU/Linux should work just fine.

Debian and RPM packages will be available really soon.

I apologize for this bug and any inconvenience you have with this.

Werner


p.s.
Here is a list of sites mirroring ftp://ftp.gnupg.org/pub/gcrypt/
Please use them if you can; new releases should show up on these
servers within a day.

Australia

ftp://orcus.progsoc.uts.edu.au/pub/gnupg/
http://orcus.progsoc.uts.edu.au/pub/gnupg/
rsync://orcus.progsoc.uts.edu.au/pub/gnupg/
ftp://mirror.aarnet.edu.au/pub/gnupg/
http://mirror.aarnet.edu.au/pub/gnupg/

Austria

ftp://gd.tuwien.ac.at/privacy/gnupg/

Belgium

ftp://openbsd.rug.ac.be/pub/gcrypt/

Canada

ftp://crypto.yashy.com/pub/cryptography/gnupg/

Denmark

ftp://sunsite.auc.dk/pub/security/gcrypt/

Finland

ftp://ftp.jyu.fi/pub/crypt/gcrypt/

France

ftp://ftp.strasbourg.linuxfr.org/pub/gnupg/

Germany

ftp://ftp.franken.de/pub/crypt/mirror/ftp.guug.de/gcrypt/
ftp://ftp.freenet.de/pub/ftp.gnupg.org/pub/gcrypt/
ftp://ftp.gigabell.net/pub/gnupg

Greece

ftp://ftp.linux.gr/pub/crypto/gnupg/

Hungary

ftp://ftp.kfki.hu/pub/packages/security/gnupg/

Iceland

ftp://ftp.hi.is/pub/mirrors/gnupg/

Ireland

ftp://ftp.compsoc.com/pub/gnupg/

Italy

ftp://ftp.linux.it/pub/mirrors/gnupg/
ftp://ftp3.linux.it/pub/mirrors/gnupg/

Japan

ftp://pgp.iijlab.net/pub/gnupg/
ftp://ftp.ring.gr.jp/pub/net/gnupg/
http://www.ring.gr.jp/pub/net/gnupg/

Poland

ftp://sunsite.icm.edu.pl/pub/security/gnupg/

Spain

ftp://dimonieta.udg.es/mirror/gnupg

Sweden

ftp://ftp.stacken.kth.se/pub/crypto/gnupg/
ftp://ftp.sunet.se:/pub/security/gnupg/

Switzerland

ftp://sunsite.cnlab-switch.ch/mirror/gcrypt/

Taiwan

ftp://coda.nctu.edu.tw/Security/gcrypt

United Kingdom

ftp://ftp.net.lut.ac.uk/gcrypt/
ftp://ftp.mirror.ac.uk/sites/ftp.gnupg.org/pub/gcrypt/
http://www.mirror.ac.uk/sites/ftp.gnupg.org/pub/gcrypt/


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE57JAybH7huGIcwBMRAo6RAJ4/pl5ylyJLerkrr2ePX5oodsxp1gCgvIvk
qQkJdXpPu4bebV/q3JW8qWs=
=o7O0
-----END PGP SIGNATURE-----


--
Werner Koch GnuPG key: 621CC013
OpenIT GmbH http://www.OpenIT.de
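As an added illustration (not part of the announcement and not GnuPG's code), the following Python models the failure mode described above: a toy HMAC stands in for OpenPGP signatures, the KEY value and the armor-splitting regex are assumptions, and the two stream verifiers contrast the pre-1.0.4 behaviour (first verdict reused for every later document) with correct per-document verification.

```python
import hashlib
import hmac
import re

# Hypothetical signer key: a stand-in for OpenPGP key material so the model runs offline.
KEY = b"constructed-demo-key"


def make_block(text: str, sig: str) -> str:
    """Lay out one cleartext-signed unit in the armor shape gpg consumes."""
    return ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n" + text +
            "\n-----BEGIN PGP SIGNATURE-----\n\n" + sig + "\n-----END PGP SIGNATURE-----\n")


def sign(text: str) -> str:
    """Toy 'signature': an HMAC over the text, standing in for an OpenPGP signature packet."""
    return make_block(text, hmac.new(KEY, text.encode(), hashlib.sha256).hexdigest())


# Splits a stream into (text, signature) pairs, one per armored block (assumed layout).
BLOCK_RE = re.compile(
    r"-----BEGIN PGP SIGNED MESSAGE-----\n(?:[^\n]*\n)*?\n(.*?)\n"
    r"-----BEGIN PGP SIGNATURE-----\n\n(.*?)\n-----END PGP SIGNATURE-----", re.S)


def verify_one(text: str, sig: str) -> bool:
    """Check a single document against its own signature."""
    expected = hmac.new(KEY, text.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


def verify_stream_buggy(stream: str) -> list:
    """Model of the pre-1.0.4 behaviour the announcement describes: the verdict for the
    first signature in the input is carried over to every later document."""
    results, verdict = [], None
    for text, sig in BLOCK_RE.findall(stream):
        if verdict is None:
            verdict = verify_one(text, sig)
        results.append((text, verdict))
    return results


def verify_stream_fixed(stream: str) -> list:
    """Correct behaviour: every signed document gets its own verdict, no state carried over."""
    return [(text, verify_one(text, sig)) for text, sig in BLOCK_RE.findall(stream)]


# Constructed input: a genuinely signed document followed by one carrying a bogus signature.
GOOD = sign("Document A: genuinely signed release note")
BOGUS = make_block("Document B: bogus signature attached", "00" * 32)
STREAM = GOOD + BOGUS

if __name__ == "__main__":
    for label, fn in (("buggy", verify_stream_buggy), ("fixed", verify_stream_fixed)):
        print(label, [ok for _, ok in fn(STREAM)])
```

The buggy verifier reports both documents as good because document A came first; the fixed one flags document B, which is the check that gpgv and gpg 1.0.4 perform per signature.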


--
Archive is at http://lists.gnupg.org - Unsubscribe by sending mail
with a subject of "unsubscribe" to gnupg-users-request@gnupg.org