• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns
• Security Research

• info
• discussion
• exploit
• solution
• references

GnuPG ElGamal Signing Key Private Key Compromise Vulnerability

Solution:
Debian has released an updated advisory (DSA 429-2) and fixes to address this issue. Please see the referenced advisory for links to fixed packages.

Red Hat has released an advisory (RHSA-2003:390-01) that includes fixes for this issue. Please see the attached advisory for details on obtaining and applying fixes.

Conectiva has released an advisory that includes fixes for this issue.

Mandrake has released an advisory and fixes for this issue.

SuSE has released an advisory (SuSE-SA:2003:048) that includes fixes for this issue. Please see the attached advisory for details on obtaining and applying fixes.

The vendor has released a patch for this issue that can be applied to version 1.2.3. This fix will also be included in the next version.

Gentoo has released an advisory (200312-05) to address this issue. All Gentoo Linux systems should be updated to use gnupg-1.2.3-r5 or higher as follows:

emerge sync
emerge -pv '>=app-crypt/gnupg-1.2.3-r5'
emerge '>=app-crypt/gnupg-1.2.3-r5'
emerge clean

TurboLinux has released advisory TLSA-2003-68 and fixes to address this issue.

SGI advisory 20031203-01-U has been released to address this issue.

Debian has released an advisory (DSA 429-1) and fixes to address this issue. Please see the referenced advisory for links to fixed packages.

SGI has released an advisory 20040202-01-U to address this and other issues in SGI ProPack 2.4. Please see the referenced advisory for more information.

SCO has released advisory CSSA-2004-009.0 to address this issue.

Fixes are available below:


RedHat gnupg-1.0.7-6.i386.rpm

• Red Hat gnupg-1.0.7-14.i386.rpm
  ftp://updates.redhat.com/8.0/en/os/i386/gnupg-1.0.7-14.i386.rpm

RedHat gnupg-1.2.1-3.i386.rpm

• Red Hat gnupg-1.2.1-9.i386.rpm
  ftp://updates.redhat.com/9/en/os/i386/gnupg-1.2.1-9.i386.rpm

RedHat gnupg-1.0.6-3.ia64.rpm

• Red Hat gnupg-1.0.7-13.ia64.rpm
  ftp://updates.redhat.com/7.2/en/os/ia64/gnupg-1.0.7-13.ia64.rpm

RedHat gnupg-1.0.6-3.i386.rpm

• Red Hat gnupg-1.0.7-13.i386.rpm
  ftp://updates.redhat.com/7.2/en/os/i386/gnupg-1.0.7-13.i386.rpm

RedHat gnupg-1.0.4-11.i386.rpm

• Red Hat gnupg-1.0.7-12.i386.rpm
  ftp://updates.redhat.com/7.1/en/os/i386/gnupg-1.0.7-12.i386.rpm

RedHat gnupg-1.0.6-5.i386.rpm

• Red Hat gnupg-1.0.7-13.i386.rpm
  ftp://updates.redhat.com/7.3/en/os/i386/gnupg-1.0.7-13.i386.rpm

GNU GNU Privacy Guard 1.0.7

• Conectiva gnupg-1.0.7-1U80_3cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/8/RPMS/gnupg-1.0.7-1U80_3cl.i386.r pm


• Conectiva gnupg-doc-1.0.7-1U80_3cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/8/RPMS/gnupg-doc-1.0.7-1U80_3cl.i3 86.rpm


• Mandrake gnupg-1.0.7-3.2.90mdk.i586.rpm
  Mandrake Linux 9.0.
  http://www.mandrakesecure.net/en/ftp.php


• Mandrake gnupg-1.0.7-3.2.C21mdk.i586.rpm
  Mandrake Corporate Server 2.1.
  http://www.mandrakesecure.net/en/ftp.php


• Mandrake gnupg-1.0.7-3.2.C21mdk.x86_64.rpm
  Mandrake Corporate Server 2.1/x86_64.
  http://www.mandrakesecure.net/en/ftp.php


• Mandrake gnupg-1.0.7-3.2.M82mdk.i586.rpm
  Mandrake Multi Network Firewall 8.2.
  http://www.mandrakesecure.net/en/ftp.php


• TurboLinux gnupg-1.0.7-4.i386.rpm
  ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.1/ja/ updates/RPMS/gnupg-1.0.7-4.i386.rpm


• TurboLinux gnupg-1.0.7-4.i386.rpm
  ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.5/upd ates/RPMS/gnupg-1.0.7-4.i386.rpm


• TurboLinux gnupg-1.0.7-4.i386.rpm
  ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/6. 0/ja/updates/RPMS/gnupg-1.0.7-4.i386.rpm


• TurboLinux gnupg-1.0.7-4.i586.rpm
  ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updat es/RPMS/gnupg-1.0.7-4.i586.rpm


• TurboLinux gnupg-1.0.7-4.i586.rpm
  ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updat es/RPMS/gnupg-1.0.7-4.i586.rpm


• TurboLinux gnupg-1.0.7-4.i586.rpm
  ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/ updates/RPMS/gnupg-1.0.7-4.i586.rpm


• TurboLinux gnupg-1.0.7-4.i586.rpm
  ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/ updates/RPMS/gnupg-1.0.7-4.i586.rpm

GNU GNU Privacy Guard 1.2.2

• Mandrake gnupg-1.2.2-1.2.91mdk.i586.rpm
  Mandrake Linux 9.1.
  http://www.mandrakesecure.net/en/ftp.php


• Mandrake gnupg-1.2.2-1.2.91mdk.ppc.rpm
  Mandrake Linux 9.1/PPC.
  http://www.mandrakesecure.net/en/ftp.php


• SCO gnupg-1.2.2-2.i386.rpm
  ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2004-009.0/R PMS/gnupg-1.2.2-2.i386.rpm


• SCO gnupg-1.2.2-2.i386.rpm
  ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2004-00 9.0/RPMS/gnupg-1.2.2-2.i386.rpm


• SuSE gpg-1.2.2-117.x86_64.patch.rpm
  Patch RPM.
  ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/gpg-1.2.2-117 .x86_64.patch.rpm


• SuSE gpg-1.2.2-117.x86_64.rpm
  ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/gpg-1.2.2-117 .x86_64.rpm


• SuSE gpg-1.2.2-121.i586.patch.rpm
  Patch RPM.
  ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/gpg-1.2.2-121.i58 6.patch.rpm


• SuSE gpg-1.2.2-121.i586.rpm
  ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/gpg-1.2.2-121.i58 6.rpm

GNU GNU Privacy Guard 1.2.2 -rc1

• SuSE gpg-1.2.2rc1-98.i586.patch.rpm
  Patch RPM.
  ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/gpg-1.2.2rc1-98.i 586.patch.rpm


• SuSE gpg-1.2.2rc1-98.i586.rpm
  ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/gpg-1.2.2rc1-98.i 586.rpm

GNU GNU Privacy Guard 1.2.3

• Conectiva gnupg-1.2.3-19780U90_1cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/9/RPMS/gnupg-1.2.3-19780U90_1cl.i3 86.rpm


• Conectiva gnupg-doc-1.2.3-19780U90_1cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/9/RPMS/gnupg-doc-1.2.3-19780U90_1c l.i386.rpm


• Conectiva gnupg-keyserver-plugins-1.2.3-19780U90_1cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/9/RPMS/gnupg-keyserver-plugins-1.2 .3-19780U90_1cl.i386.rpm


• Mandrake gnupg-1.2.3-3.1.92mdk.i586.rpm
  http://www.mandrakesecure.net/en/ftp.php


• TurboLinux gnupg-1.2.3-2.i586.rpm
  ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/upd ates/RPMS/gnupg-1.2.3-2.i586.rpm

SGI ProPack 2.4

• SGI patch10044.tar.gz
  ftp://patches.sgi.com/support/free/security/patches/ProPack/2.4/patch1 0044.tar.gz