| |||||||||||||
Red Hat alert RHSA-2003:395-01 (gnupg)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - --------------------------------------------------------------------- Red Hat Security Advisory Synopsis: Updated gnupg packages disable ElGamal keys Advisory ID: RHSA-2003:395-01 Issue date: 2003-12-10 Updated on: 2003-12-10 Product: Red Hat Enterprise Linux Keywords: gnupg elgamal sign encrypt Cross references: Obsoletes: CVE Names: CAN-2003-0971 - --------------------------------------------------------------------- 1. Topic: Updated gnupg packages are now available for Red Hat Enterprise Linux. These updates disable the ability to generate ElGamal keys (used for both signing and encrypting) and disable the ability to use ElGamal public keys for encrypting data. 2. Relevant releases/architectures: Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64 Red Hat Linux Advanced Workstation 2.1 - ia64 Red Hat Enterprise Linux ES version 2.1 - i386 Red Hat Enterprise Linux WS version 2.1 - i386 Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64 Red Hat Enterprise Linux ES version 3 - i386 Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64 3. Problem description: GnuPG is a utility for encrypting data and creating digital signatures. Phong Nguyen identified a severe bug in the way GnuPG creates and uses ElGamal keys, when those keys are used both to sign and encrypt data. This vulnerability can be used to trivially recover the private key. While the default behavior of GnuPG when generating keys does not lead to the creation of unsafe keys, by overriding the default settings an unsafe key could have been created. If you are using ElGamal keys, you should revoke those keys immediately. The packages included in this update do not make ElGamal keys safe to use; they merely include a patch by David Shaw that disables functions that would generate or use ElGamal keys. To determine if your key is affected, run the following command to obtain a list of secret keys that you have on your secret keyring: gpg --list-secret-keys The output of this command includes both the size and type of the keys found, and will look similar to this example: /home/example/.gnupg/secring.gpg - ---------------------------------------------------- sec 1024D/01234567 2000-10-17 Example User <example@example.com> uid Example User <example@example.com> The key length, type, and ID are listed together, separated by a forward slash. In the example output above, the key's type is "D" (DSA, sign and encrypt). Your key is unsafe if and only if the key type is "G" (ElGamal, sign and encrypt). In the above example, the secret key is safe to use, while the secret key in the following example is not: /home/example/.gnupg/secring.gpg - ---------------------------------------------------- sec 1024G/01234567 2000-10-17 Example User <example@example.com> uid Example User <example@example.com> For more details regarding this issue, as well as instructions on how to revoke any keys that are unsafe, refer to the advisory available from the GnuPG web site: http://www.gnupg.org/ 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. To update all RPMs for your particular architecture, run: rpm -Fvh [filenames] where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs. Please note that this update is also available via Red Hat Network. Many people find this an easier way to apply updates. To use Red Hat Network, launch the Red Hat Update Agent with the following command: up2date This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. If up2date fails to connect to Red Hat Network due to SSL Certificate Errors, you need to install a version of the up2date client with an updated certificate. The latest version of up2date is available from the Red Hat FTP site and may also be downloaded directly from the RHN website: https://rhn.redhat.com/help/latest-up2date.pxt 5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info): 111345 - CAN-2003-0971 GnuPG ElGamal compromise 6. RPMs required: Red Hat Enterprise Linux AS (Advanced Server) version 2.1: SRPMS: ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/gnupg-1.0.7-13.src.rpm i386: Available from Red Hat Network: gnupg-1.0.7-13.i386.rpm ia64: Available from Red Hat Network: gnupg-1.0.7-13.ia64.rpm Red Hat Linux Advanced Workstation 2.1: SRPMS: ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/gnupg-1.0.7-13.src.rpm ia64: Available from Red Hat Network: gnupg-1.0.7-13.ia64.rpm Red Hat Enterprise Linux ES version 2.1: SRPMS: ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/gnupg-1.0.7-13.src.rpm i386: Available from Red Hat Network: gnupg-1.0.7-13.i386.rpm Red Hat Enterprise Linux WS version 2.1: SRPMS: ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/gnupg-1.0.7-13.src.rpm i386: Available from Red Hat Network: gnupg-1.0.7-13.i386.rpm Red Hat Enterprise Linux AS version 3: SRPMS: ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/gnupg-1.2.1-10.src.rpm i386: Available from Red Hat Network: gnupg-1.2.1-10.i386.rpm ia64: Available from Red Hat Network: gnupg-1.2.1-10.ia64.rpm ppc: Available from Red Hat Network: gnupg-1.2.1-10.ppc.rpm s390: Available from Red Hat Network: gnupg-1.2.1-10.s390.rpm s390x: Available from Red Hat Network: gnupg-1.2.1-10.s390x.rpm x86_64: Available from Red Hat Network: gnupg-1.2.1-10.x86_64.rpm Red Hat Enterprise Linux ES version 3: SRPMS: ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/gnupg-1.2.1-10.src.rpm i386: Available from Red Hat Network: gnupg-1.2.1-10.i386.rpm Red Hat Enterprise Linux WS version 3: SRPMS: ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/gnupg-1.2.1-10.src.rpm i386: Available from Red Hat Network: gnupg-1.2.1-10.i386.rpm ia64: Available from Red Hat Network: gnupg-1.2.1-10.ia64.rpm x86_64: Available from Red Hat Network: gnupg-1.2.1-10.x86_64.rpm 7. Verification: MD5 sum Package Name - -------------------------------------------------------------------------- b619c30c293094d7dcd18487d8e62a43 2.1AS/en/os/SRPMS/gnupg-1.0.7-13.src.rpm e7e3e75afd1ccd2267ccc7847c76ebb4 2.1AS/en/os/i386/gnupg-1.0.7-13.i386.rpm 6fb21011ca42ff395b8cfc7dce4c2936 2.1AS/en/os/ia64/gnupg-1.0.7-13.ia64.rpm b619c30c293094d7dcd18487d8e62a43 2.1AW/en/os/SRPMS/gnupg-1.0.7-13.src.rpm 6fb21011ca42ff395b8cfc7dce4c2936 2.1AW/en/os/ia64/gnupg-1.0.7-13.ia64.rpm b619c30c293094d7dcd18487d8e62a43 2.1ES/en/os/SRPMS/gnupg-1.0.7-13.src.rpm e7e3e75afd1ccd2267ccc7847c76ebb4 2.1ES/en/os/i386/gnupg-1.0.7-13.i386.rpm b619c30c293094d7dcd18487d8e62a43 2.1WS/en/os/SRPMS/gnupg-1.0.7-13.src.rpm e7e3e75afd1ccd2267ccc7847c76ebb4 2.1WS/en/os/i386/gnupg-1.0.7-13.i386.rpm a2015b94dc7a8b8b8b24036522f5a7f5 3AS/en/os/SRPMS/gnupg-1.2.1-10.src.rpm 9830e4ba4a1b5eb261e39ae5c9efd2b4 3AS/en/os/i386/gnupg-1.2.1-10.i386.rpm 1f50796a959836602552d5f94590269a 3AS/en/os/ia64/gnupg-1.2.1-10.ia64.rpm b7728dde4a9b9e864a5993de3b0af8ce 3AS/en/os/ppc/gnupg-1.2.1-10.ppc.rpm 8ffa950e28d01c05a1bf5e3beb462d35 3AS/en/os/s390/gnupg-1.2.1-10.s390.rpm 986220a49e895db43dbf37778613e628 3AS/en/os/s390x/gnupg-1.2.1-10.s390x.rpm d7fc757e68c14f273c2a1bd5d6a3af8f 3AS/en/os/x86_64/gnupg-1.2.1-10.x86_64.rpm a2015b94dc7a8b8b8b24036522f5a7f5 3ES/en/os/SRPMS/gnupg-1.2.1-10.src.rpm 9830e4ba4a1b5eb261e39ae5c9efd2b4 3ES/en/os/i386/gnupg-1.2.1-10.i386.rpm a2015b94dc7a8b8b8b24036522f5a7f5 3WS/en/os/SRPMS/gnupg-1.2.1-10.src.rpm 9830e4ba4a1b5eb261e39ae5c9efd2b4 3WS/en/os/i386/gnupg-1.2.1-10.i386.rpm 1f50796a959836602552d5f94590269a 3WS/en/os/ia64/gnupg-1.2.1-10.ia64.rpm d7fc757e68c14f273c2a1bd5d6a3af8f 3WS/en/os/x86_64/gnupg-1.2.1-10.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key is available from https://www.redhat.com/security/keys.html You can verify each package with the following command: rpm --checksig -v <filename> If you only wish to verify that each package has not been corrupted or tampered with, examine only the md5sum with the following command: md5sum <filename> 8. References: http://lists.gnupg.org/pipermail/gnupg-announce/2003q4/000276.html http://lists.gnupg.org/pipermail/gnupg-users/2003-November/020779.html http://lists.gnupg.org/pipermail/gnupg-announce/2003q4/000277.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0971 9. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://www.redhat.com/solutions/security/news/contact.html Copyright 2003 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQE/19/DXlSAg2UNWIIRAvkFAJ9G1H3ybTaZRfCj/chSQLEYZauszQCgi/PD Z2Kho9a/DjV1dygUW2+cR6I= =sLY1 -----END PGP SIGNATURE----- -- Enterprise-watch-list mailing list Enterprise-watch-list@redhat.com https://www.redhat.com/mailman/listinfo/enterprise-watch-list (Log in to post comments)
|
|||||||||||||