Vulnerability Assessment & Network Security Forums
If a vulnerability assessment detects the network security issue described below, applying the appropriate security patches in a timely manner is very important. If you have detected that your system has already been compromised, following CERT's Network Security recovery document will assist with recommended steps for system recovery.
RHSA-2006-0266: gnupg
Check for the version of the gnupg packages

Detailed Explanation for this Vulnerability Assessment

An updated GnuPG package that fixes signature verification flaws as well as minor bugs is now available. This update has been rated as having important security impact by the Red Hat Security Response Team.

GnuPG is a utility for encrypting data and creating digital signatures.

Tavis Ormandy discovered a bug in the way GnuPG verifies cryptographically signed data with detached signatures. It is possible for an attacker to construct a cryptographically signed message which could appear to come from a third party. When a victim processes a GnuPG message with a malformed detached signature, GnuPG ignores the malformed signature, processes and outputs the signed data, and exits with status 0, just as it would if the signature had been valid. In this case, GnuPG's exit status would not indicate that no signature verification had taken place. This issue would primarily be of concern when processing GnuPG results via an automated script. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0455 to this issue.

Tavis Ormandy also discovered a bug in the way GnuPG verifies cryptographically signed data with inline signatures. It is possible for an attacker to inject unsigned data into a signed message in such a way that when a victim processes the message to recover the data, the unsigned data is output along with the signed data, gaining the appearance of having been signed. This issue is mitigated in the GnuPG shipped with Red Hat Enterprise Linux, as the --ignore-crc-error option must be passed to the gpg executable for this attack to be successful. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0049 to this issue.

Please note that neither of these issues affects the way RPM or up2date verify RPM package files, nor is RPM vulnerable to either of these issues.

All users of GnuPG are advised to upgrade to this updated package, which contains backported patches to correct these issues.

Solution : http://rhn.redhat.com/errata/RHSA-2006-0266.html

Network Security Threat Level: High

Networks Security ID:

Vulnerability Assessment Copyright: This script is Copyright (C) 2006 Tenable Network Security
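
For the automated-script case the advisory raises under CVE-2006-0455, the following added example (not part of the advisory or of Red Hat's patch) accepts a detached signature only when GnuPG's machine-readable `--status-fd` output contains a `VALIDSIG` record for a pinned key, instead of relying on exit status alone. The fingerprint, key ID, status lines and function names are constructed for illustration.

```python
import subprocess

# Constructed sample values (not from the advisory).
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
GOOD_RUN = (
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>\n"
    f"[GNUPG:] VALIDSIG {FPR} 2006-03-15 1142380800 0 4 0 1 2 00 {FPR}\n"
)
BAD_RUN = "[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer <signer@example.org>\n"
NO_SIG_RUN = ""  # a run that reported no signature result at all

# Status keywords that rule out a trustworthy signature.
FAILURE = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NODATA"}

def parse_status(status_text):
    """Return (keyword, args) pairs from '[GNUPG:] KEYWORD args...' lines."""
    records = []
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "[GNUPG:]":
            records.append((parts[1], parts[2:]))
    return records

def signature_verified(status_text, trusted_fpr):
    """True only if exactly one signature was checked and it is valid for trusted_fpr."""
    records = parse_status(status_text)
    if any(keyword in FAILURE for keyword, _ in records):
        return False
    valid = [args for keyword, args in records if keyword == "VALIDSIG" and args]
    # No VALIDSIG record means no signature was verified, whatever the
    # exit status says; more than one is ambiguous, so reject that too.
    if len(valid) != 1:
        return False
    # The first VALIDSIG field is the fingerprint of the signing key.
    return valid[0][0].upper() == trusted_fpr.upper()

def verify_detached(sig_path, data_path, trusted_fpr, gpg="gpg"):
    """Run gpg on a detached signature and require both exit 0 and VALIDSIG."""
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True,
    )
    return proc.returncode == 0 and signature_verified(proc.stdout, trusted_fpr)
```
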