Date: Tue, 17 Oct 2000 19:47:01 +0200
From: Werner Koch
To: gnupg-announce@gnupg.org
Subject: [Announce] GnuPG security fix

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello!

A bug in GnuPG's signature verification function has recently been
found: if a file (or data piped to gpg) contains more than one
signature, either cleartext or binary, gpg does not check each
signature separately. Instead it reports every document in the file as
good or bad according to the verification result of the first
document. An attacker can use this bug to fake signatures: a forged,
unsigned or badly signed document appended after a genuinely signed one
is reported as good (in most cases some social engineering is needed to
get the victim to verify the combined file, but it is not that
complicated).

IT IS RECOMMENDED TO UPDATE TO THIS NEW 1.0.4 RELEASE WHICH FIXES THE
PROBLEM!

GnuPG version 1.0.4 is now available at the address below and should
show up on the mirrors within a day.

  ftp://ftp.gnupg.org/pub/gcrypt/gnupg/gnupg-1.0.4.tar.gz  (1685k)
  ftp://ftp.gnupg.org/pub/gcrypt/gnupg/gnupg-1.0.4.tar.gz.sig

A diff against 1.0.3 is also available:

  ftp://ftp.guug.de/pub/gcrypt/gnupg/gnupg-1.0.3-1.0.4.diff.gz  (116k)

MD5 checksums of the above files are:

  bef2267bfe9b74a00906a78db34437f9  gnupg-1.0.4.tar.gz
  c79711f3c6b79acb733f79fe0f36a8c2  gnupg-1.0.3-1.0.4.diff.gz

So, what's new in this version:

  * Fixed a serious bug which could lead to false signature
    verification results when more than one signature is fed to gpg.
    This is the primary reason for releasing this version.

  * New utility gpgv, which is a stripped down version of gpg to be
    used to verify signatures against a list of trusted keys.

  * Rijndael (AES) is now supported and listed with top preference.

  * --with-colons now works with --print-md[s].

Some other bugs are also fixed.

Due to the need for this security update, we have not yet managed to
fix some build problems on HP/UX, AIX, Solaris and probably some other
OSes. GNU/Linux should work just fine.

Debian and RPM packages will be available really soon.

I apologize for this bug and any inconvenience you have with this.

  Werner

p.s.
Here is a list of sites mirroring ftp://ftp.gnupg.org/pub/gcrypt/
Please use them if you can; new releases should show up on these
servers within a day.

Australia
  ftp://orcus.progsoc.uts.edu.au/pub/gnupg/
  http://orcus.progsoc.uts.edu.au/pub/gnupg/
  rsync://orcus.progsoc.uts.edu.au/pub/gnupg/
  ftp://mirror.aarnet.edu.au/pub/gnupg/
  http://mirror.aarnet.edu.au/pub/gnupg/
Austria
  ftp://gd.tuwien.ac.at/privacy/gnupg/
Belgium
  ftp://openbsd.rug.ac.be/pub/gcrypt/
Canada
  ftp://crypto.yashy.com/pub/cryptography/gnupg/
Denmark
  ftp://sunsite.auc.dk/pub/security/gcrypt/
Finland
  ftp://ftp.jyu.fi/pub/crypt/gcrypt/
France
  ftp://ftp.strasbourg.linuxfr.org/pub/gnupg/
Germany
  ftp://ftp.franken.de/pub/crypt/mirror/ftp.guug.de/gcrypt/
  ftp://ftp.freenet.de/pub/ftp.gnupg.org/pub/gcrypt/
  ftp://ftp.gigabell.net/pub/gnupg
Greece
  ftp://ftp.linux.gr/pub/crypto/gnupg/
Hungary
  ftp://ftp.kfki.hu/pub/packages/security/gnupg/
Iceland
  ftp://ftp.hi.is/pub/mirrors/gnupg/
Ireland
  ftp://ftp.compsoc.com/pub/gnupg/
Italy
  ftp://ftp.linux.it/pub/mirrors/gnupg/
  ftp://ftp3.linux.it/pub/mirrors/gnupg/
Japan
  ftp://pgp.iijlab.net/pub/gnupg/
  ftp://ftp.ring.gr.jp/pub/net/gnupg/
  http://www.ring.gr.jp/pub/net/gnupg/
Poland
  ftp://sunsite.icm.edu.pl/pub/security/gnupg/
Spain
  ftp://dimonieta.udg.es/mirror/gnupg
Sweden
  ftp://ftp.stacken.kth.se/pub/crypto/gnupg/
  ftp://ftp.sunet.se:/pub/security/gnupg/
Switzerland
  ftp://sunsite.cnlab-switch.ch/mirror/gcrypt/
Taiwan
  ftp://coda.nctu.edu.tw/Security/gcrypt
United Kingdom
  ftp://ftp.net.lut.ac.uk/gcrypt/
  ftp://ftp.mirror.ac.uk/sites/ftp.gnupg.org/pub/gcrypt/
  http://www.mirror.ac.uk/sites/ftp.gnupg.org/pub/gcrypt/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE57JAybH7huGIcwBMRAo6RAJ4/pl5ylyJLerkrr2ePX5oodsxp1gCgvIvk
qQkJdXpPu4bebV/q3JW8qWs=
=o7O0
-----END PGP SIGNATURE-----

-- 
Werner Koch                 GnuPG key: 621CC013
OpenIT GmbH                 http://www.OpenIT.de

-- 
Archive is at http://lists.gnupg.org - Unsubscribe by sending mail
with a subject of "unsubscribe" to gnupg-users-request@gnupg.org
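The failure mode described in the announcement, modelled as an added example (this is not GnuPG code and does not parse real OpenPGP packets): a file holding two cleartext-signed blocks is split into its blocks, and two verifiers are run over it. The "buggy" one reproduces the 1.0.3 behaviour of reporting the first block's result for every block; the "fixed" one checks each signature on its own. An HMAC-SHA1 under a constructed key stands in for the OpenPGP signature so the script runs offline; the block framing, the key bytes and the message texts are all constructed for the demo.

```python
"""Model of the pre-1.0.4 GnuPG multi-signature verification bug.

Added example, not part of the announcement or of GnuPG. A toy HMAC-SHA1
"signature" under a constructed key stands in for an OpenPGP signature;
the framing only imitates the cleartext-signed layout.
"""
import hashlib
import hmac
import re

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

# Constructed keys: the "victim's" trusted key and an attacker's key.
SIGNING_KEY = b"example-signing-key"
ATTACKER_KEY = b"attacker-key"

_BLOCK = re.compile(
    re.escape(BEGIN_MSG) + r"\nHash: SHA1\n\n(.*?)\n"
    + re.escape(BEGIN_SIG) + r"\n(.*?)\n" + re.escape(END_SIG),
    re.S,
)


def sign_cleartext(text: str, key: bytes = SIGNING_KEY) -> str:
    """Wrap text in a cleartext-signed block with a toy HMAC signature."""
    mac = hmac.new(key, text.encode(), hashlib.sha1).hexdigest()
    return f"{BEGIN_MSG}\nHash: SHA1\n\n{text}\n{BEGIN_SIG}\n{mac}\n{END_SIG}\n"


def split_blocks(data: str):
    """Yield (text, signature) for every cleartext-signed block in data."""
    for m in _BLOCK.finditer(data):
        yield m.group(1), m.group(2)


def check_one(text: str, sig: str, key: bytes = SIGNING_KEY) -> bool:
    """Verify a single block's signature against the trusted key."""
    expected = hmac.new(key, text.encode(), hashlib.sha1).hexdigest()
    return hmac.compare_digest(expected, sig)


def verify_buggy(data: str, key: bytes = SIGNING_KEY):
    """The 1.0.3 behaviour: every block gets the first block's verdict."""
    first = None
    results = []
    for text, sig in split_blocks(data):
        if first is None:
            first = check_one(text, sig, key)
        results.append((text, first))
    return results


def verify_fixed(data: str, key: bytes = SIGNING_KEY):
    """Correct behaviour: each block is verified independently."""
    return [(text, check_one(text, sig, key)) for text, sig in split_blocks(data)]


# Constructed input: a genuine block followed by one forged by the attacker.
GENUINE = sign_cleartext("Release 1.0.4 is available.")
FORGED = sign_cleartext("Download it from ftp://evil.example/", key=ATTACKER_KEY)
COMBINED = GENUINE + FORGED

if __name__ == "__main__":
    for name, verifier in (("buggy", verify_buggy), ("fixed", verify_fixed)):
        print(name)
        for text, ok in verifier(COMBINED):
            print("  ", "GOOD" if ok else "BAD ", repr(text))
```

The buggy verifier reports both blocks as GOOD; the fixed one reports the forged block as BAD. The lesson generalises beyond gpg: any verifier that processes a stream of signed objects must reset its state per object and report one verdict per signature, and callers should treat "one GOOD somewhere in the file" as meaningless.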
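Checking a downloaded release against the MD5 list the announcement prints, as an added example (not part of the announcement or of GnuPG). The list format is the one shown above, a hex digest followed by the file name; the file contents and names in the demo are constructed so the script runs offline. Note that the checksums only detect transfer corruption or a wrong mirror copy, and MD5 is no longer collision resistant; the authenticity check is the detached .sig, verified (for example with the new gpgv) against a keyring that already holds the trusted release key.

```python
"""Verify downloaded files against a published "<md5hex>  <name>" list.

Added example, not part of the announcement or of GnuPG. The demo files
and their contents are constructed; only the list format is taken from
the announcement.
"""
import hashlib
import os
import tempfile


def parse_checksum_list(text: str) -> dict:
    """Parse 'hex  name' lines (one or more spaces) into {name: hex}."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, name = line.partition(" ")
        table[name.strip()] = digest.lower()
    return table


def md5_file(path: str, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so large tarballs are not read into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_downloads(checksums: dict, directory: str) -> dict:
    """Return {name: 'OK' | 'FAILED' | 'MISSING'} for every listed file."""
    results = {}
    for name, expected in checksums.items():
        path = os.path.join(directory, name)
        if not os.path.exists(path):
            results[name] = "MISSING"
        elif md5_file(path) == expected:
            results[name] = "OK"
        else:
            results[name] = "FAILED"
    return results


def demo() -> dict:
    """Constructed scenario: one intact file, one corrupted, one missing."""
    with tempfile.TemporaryDirectory() as d:
        tarball = b"pretend this is gnupg-1.0.4.tar.gz"
        diff = b"pretend this is the 1.0.3-1.0.4 diff"
        with open(os.path.join(d, "a.tar.gz"), "wb") as f:
            f.write(tarball)
        with open(os.path.join(d, "b.diff.gz"), "wb") as f:
            f.write(diff + b"\x00")  # one extra byte: a corrupted download
        listing = (
            f"{hashlib.md5(tarball).hexdigest()}  a.tar.gz\n"
            f"{hashlib.md5(diff).hexdigest()}  b.diff.gz\n"
            f"{'0' * 32}  c.sig\n"
        )
        return verify_downloads(parse_checksum_list(listing), d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:8} {name}")
```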