Date: Thu, 24 Aug 2000 19:02:19 -0700 To: CERT Coordination Center From: Philip Zimmermann -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 We at NAI/PGP Security regret this important bug in the ADK feature that has been described on various Internet postings today (Thursday 24 Aug). We were made aware of this bug in PGP early this morning. We are responding as fast as we can, and expect to have new 6.5.x releases out to fix this bug late Thursday evening. The MIT web site should have a new PGP 6.5.x freeware release early Friday, and the NAI/PGP web site should have patches out for the commercial releases at about the same time. As of this afternoon (Thursday), the PGP key server at PGP already filters out keys with the bogus ADK packets. We expect to have fixes available for the other key servers that run our software by tomorrow. We have also alerted the other vendors that make PGP key server software to the problem, and expect Highware/Veridis in Belgium to have their key servers filtering keys the same way by Friday. The fixes that we are releasing for the PGP client software filters out the offending ADK packets. We already warn the users whenever they are about to use an ADK, even in the normal case. We will have new information as soon as it becomes available at http://www.pgp.com. Philip Zimmermann prz@pgp.com 19:00 PDT Thursday 24 Aug 2000 -----BEGIN PGP SIGNATURE----- Version: PGP 7.0 (Build 200 Beta) iQA/AwUBOaXThGPLaR3669X8EQKfGACfagps8ZHCba21eOjoxRUb07Z59dkAoKRg vaKciU0kcW1l1i+eBS18aQNU =zoga -----END PGP SIGNATURE-----