Security Advisory Important: gnupg security update

Advisory: RHSA-2007:0106-2
Type: Security Advisory
Severity: Important
Issued on: 2007-03-06
Last updated on: 2007-03-06
Affected Products: Red Hat Desktop (v. 3)
Red Hat Desktop (v. 4)
Red Hat Enterprise Linux AS (v. 2.1)
Red Hat Enterprise Linux AS (v. 3)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux ES (v. 2.1)
Red Hat Enterprise Linux ES (v. 3)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux WS (v. 2.1)
Red Hat Enterprise Linux WS (v. 3)
Red Hat Enterprise Linux WS (v. 4)
Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor
CVEs (cve.mitre.org): CVE-2007-1263

Details

Updated GnuPG packages that fix a security issue are now available.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

GnuPG is a utility for encrypting data and creating digital signatures.

Gerardo Richarte discovered that a number of applications that make use of
GnuPG are prone to a vulnerability involving incorrect verification of
signatures and encryption. An attacker could add arbitrary content to a
signed message in such a way that a receiver of the message would not be
able to distinguish between the properly signed parts of a message and the
forged, unsigned, parts. (CVE-2007-1263)

Whilst this is not a vulnerability in GnuPG itself, the GnuPG team have
produced a patch to protect against messages with multiple plaintext
packets. Users should update to these erratum packages which contain the
backported patch for this issue.

Red Hat would like to thank Core Security Technologies for reporting this
issue.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via Red Hat Network. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Updated packages

Red Hat Desktop (v. 3)

SRPMS:
gnupg-1.2.1-20.src.rpm     MD5: b58f2218e4869dd8b945f86b739d51f2
 
IA-32:
gnupg-1.2.1-20.i386.rpm     MD5: 7567e3eeca9c11a2b0c33bf2e1c052f3
 
x86_64:
gnupg-1.2.1-20.x86_64.rpm     MD5: ca2ba72abdb891c81a8e0afcc489771d
 
Red Hat Desktop (v. 4)

SRPMS:
gnupg-1.2.6-9.src.rpm
File outdated by:  RHBA-2010:0447
    MD5: 66d7a97de1bf7d07f5bc403afb08b5a1
 
IA-32:
gnupg-1.2.6-9.i386.rpm
File outdated by:  RHBA-2010:0447
    MD5: ff1fcc16803666fa6bb3778b8c765024
 
x86_64:
gnupg-1.2.6-9.x86_64.rpm
File outdated by:  RHBA-2010:0447
    MD5: 4f0348791dde513a605037eab21b0989
 
Red Hat Enterprise Linux AS (v. 2.1)

SRPMS:
gnupg-1.0.7-21.src.rpm     MD5: f2de74bb383030835808bf772b778d03
 
IA-32:
gnupg-1.0.7-21.i386.rpm     MD5: bdefd567317e73068bc7d8548eef9b62
 
IA-64:
gnupg-1.0.7-21.ia64.rpm     MD5: 7d9c9f00a769a8bc3ad6cb7d9c873405
 
Red Hat Enterprise Linux AS (v. 3)

SRPMS:
gnupg-1.2.1-20.src.rpm     MD5: b58f2218e4869dd8b945f86b739d51f2
 
IA-32:
gnupg-1.2.1-20.i386.rpm     MD5: 7567e3eeca9c11a2b0c33bf2e1c052f3
 
IA-64:
gnupg-1.2.1-20.ia64.rpm     MD5: 9a74ed7d363226b9b314500427a9639e
 
PPC:
gnupg-1.2.1-20.ppc.rpm     MD5: 93c308be7bc7625938b63e350d697be0
 
s390:
gnupg-1.2.1-20.s390.rpm     MD5: 993e706b31617cf75c0a574c1a16f130
 
s390x:
gnupg-1.2.1-20.s390x.rpm     MD5: bb4efa201f02ada7389c237fedea3499
 
x86_64:
gnupg-1.2.1-20.x86_64.rpm     MD5: ca2ba72abdb891c81a8e0afcc489771d
 
Red Hat Enterprise Linux AS (v. 4)

SRPMS:
gnupg-1.2.6-9.src.rpm
File outdated by:  RHBA-2010:0447
    MD5: 66d7a97de1bf7d07f5bc403afb08b5a1
 
IA-32:
gnupg-1.2.6-9.i386.rpm
File outdated by:  RHBA-2010:0447
    MD5: ff1fcc16803666fa6bb3778b8c765024
 
IA-64:
gnupg-1.2.6-9.ia64.rpm
File outdated by:  RHBA-2010:0447
    MD5: b86560b6a5ba00907fbc78bef4f0da72
 
PPC:
gnupg-1.2.6-9.ppc.rpm
File outdated by:  RHBA-2010:0447
    MD5: 5a0664072856b2ac8afc817848b0d4c7
 
s390:
gnupg-1.2.6-9.s390.rpm
File outdated by:  RHBA-2010:0447
    MD5: 8f0f1c9e231b2010f7c48dd4efe74c39
 
s390x:
gnupg-1.2.6-9.s390x.rpm
File outdated by:  RHBA-2010:0447
    MD5: 930d4d567445b86111e21109f14635f1
 
x86_64:
gnupg-1.2.6-9.x86_64.rpm
File outdated by:  RHBA-2010:0447
    MD5: 4f0348791dde513a605037eab21b0989
 
Red Hat Enterprise Linux ES (v. 2.1)

SRPMS:
gnupg-1.0.7-21.src.rpm     MD5: f2de74bb383030835808bf772b778d03
 
IA-32:
gnupg-1.0.7-21.i386.rpm     MD5: bdefd567317e73068bc7d8548eef9b62
 
Red Hat Enterprise Linux ES (v. 3)

SRPMS:
gnupg-1.2.1-20.src.rpm     MD5: b58f2218e4869dd8b945f86b739d51f2
 
IA-32:
gnupg-1.2.1-20.i386.rpm     MD5: 7567e3eeca9c11a2b0c33bf2e1c052f3
 
IA-64:
gnupg-1.2.1-20.ia64.rpm     MD5: 9a74ed7d363226b9b314500427a9639e
 
x86_64:
gnupg-1.2.1-20.x86_64.rpm     MD5: ca2ba72abdb891c81a8e0afcc489771d
 
Red Hat Enterprise Linux ES (v. 4)

SRPMS:
gnupg-1.2.6-9.src.rpm
File outdated by:  RHBA-2010:0447
    MD5: 66d7a97de1bf7d07f5bc403afb08b5a1
 
IA-32:
gnupg-1.2.6-9.i386.rpm
File outdated by:  RHBA-2010:0447
    MD5: ff1fcc16803666fa6bb3778b8c765024
 
IA-64:
gnupg-1.2.6-9.ia64.rpm
File outdated by:  RHBA-2010:0447
    MD5: b86560b6a5ba00907fbc78bef4f0da72
 
x86_64:
gnupg-1.2.6-9.x86_64.rpm
File outdated by:  RHBA-2010:0447
    MD5: 4f0348791dde513a605037eab21b0989
 
Red Hat Enterprise Linux WS (v. 2.1)

SRPMS:
gnupg-1.0.7-21.src.rpm     MD5: f2de74bb383030835808bf772b778d03
 
IA-32:
gnupg-1.0.7-21.i386.rpm     MD5: bdefd567317e73068bc7d8548eef9b62
 
Red Hat Enterprise Linux WS (v. 3)

SRPMS:
gnupg-1.2.1-20.src.rpm     MD5: b58f2218e4869dd8b945f86b739d51f2
 
IA-32:
gnupg-1.2.1-20.i386.rpm     MD5: 7567e3eeca9c11a2b0c33bf2e1c052f3
 
IA-64:
gnupg-1.2.1-20.ia64.rpm     MD5: 9a74ed7d363226b9b314500427a9639e
 
x86_64:
gnupg-1.2.1-20.x86_64.rpm     MD5: ca2ba72abdb891c81a8e0afcc489771d
 
Red Hat Enterprise Linux WS (v. 4)

SRPMS:
gnupg-1.2.6-9.src.rpm
File outdated by:  RHBA-2010:0447
    MD5: 66d7a97de1bf7d07f5bc403afb08b5a1
 
IA-32:
gnupg-1.2.6-9.i386.rpm
File outdated by:  RHBA-2010:0447
    MD5: ff1fcc16803666fa6bb3778b8c765024
 
IA-64:
gnupg-1.2.6-9.ia64.rpm
File outdated by:  RHBA-2010:0447
    MD5: b86560b6a5ba00907fbc78bef4f0da72
 
x86_64:
gnupg-1.2.6-9.x86_64.rpm
File outdated by:  RHBA-2010:0447
    MD5: 4f0348791dde513a605037eab21b0989
 
Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor

SRPMS:
gnupg-1.0.7-21.src.rpm     MD5: f2de74bb383030835808bf772b778d03
 
IA-64:
gnupg-1.0.7-21.ia64.rpm     MD5: 7d9c9f00a769a8bc3ad6cb7d9c873405
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

230456 - CVE-2007-1263 gnupg signed message spoofing



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/