Linux News
The world is talking about GNU/Linux and Free/Open Source Software

Login

If you don't have an account yet, visit the registration page to sign up.

If you already have an account, you may login here:

Today's Big Story

Starship Prompt: Customize Your Linux Shell with Ease

LXer Features

Linux That's Small

Encryption, Trust, and the Hidden Dangers of Vendor-Controlled Data

My Linux Mint Tribute

How I Turned My Chromebook Into A "Mintbook"

Adventures With My New Chromebook

My Linux Laptop

Have something to say?

Ready to be published? LXer is read by around 350,000 individuals each month, and is an excellent place for you to publish your ideas, thoughts, reviews, complaints, etc. Do you have something to say to the Linux community?

Publish it here.

DaniWeb Linux Community
An exciting professional discussion group about software development, php, shell scripting, networking, ruby, and more.

Latest Discussions

Switching Wallpapers With Hyprpaper on openSUSE Tumbleweed

Debian Installer Trixie RC 1 release (official announcement)

UPDATE as of 04/24/2025 Agama Installer works fine

Time travel baby!

Are they

Well... probably not as good as some might think

Plasma-desktop 4:6.3.0-1 MIGRATED to Debian testing

Uh, you're being lied to.

Debian May Be Leaning Towards Systemd Over Upstart

Retro Remake products

More...

Site Menu

Other News

- LWN.net
Their weekly coverage of Linux news is unmatched in this community.

- LinuxGizmos.com
Excellent news for embedded Linux.

- LinuxQuestions.org
Discussion forums for Linux users.

LinuxQuestions.org is a friendly and active Linux Community with forums, reviews, a hardware compatibility list, a wiki, tutorials, a download site, a podcast and more.

Debian alert: New gnupg packages fix cryptographic weakness

Posted by dave on Feb 14, 2004 2:39 AM CST
Mailing list

Mail this story
Print this story

Phong Nguyen identified a severe bug in the way GnuPG creates and uses ElGamal keys for signing. This is a significant security failure which can lead to a compromise of almost all ElGamal keys used for signing.



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 429-2                     [E-mail:security@debian.org]
http://www.debian.org/security/                             Matt Zimmerman
February 13th, 2004                     http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : gnupg
Vulnerability  : cryptographic weakness
Problem-Type   : local
Debian-specific: no
CVE Ids        : CAN-2003-0971

Phong Nguyen identified a severe bug in the way GnuPG creates and uses
ElGamal keys for signing.  This is a significant security failure
which can lead to a compromise of almost all ElGamal keys used for
signing.

The update provided in DSA 459-1 disables the use of this type of key,
using an interim fix.  This update, DSA 459-2, implements a more
correct and permanent fix provided by David Shaw.

For the current stable distribution (woody) this problem has been
fixed in version 1.0.6-4woody3.

We recommend that you update your gnupg package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6-4woody3.dsc
      Size/MD5 checksum:      577 f5a742233c584754c479daf7dfe58a9e
    http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6-4woody3.diff.gz
      Size/MD5 checksum:     5262 1ecf9f459e0b05c31128adac05ef2fe4
    http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6.orig.tar.gz
      Size/MD5 checksum:  1941676 7c319a9e5e70ad9bc3bf0d7b5008a508

  Alpha architecture:

    http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6-4woody3_alpha.deb
      Size/MD5 checksum:  1150082 724d4fcb6f2ff0969b5ceba82e8aabe5

  ARM architecture:

    http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6-4woody3_arm.deb
      Size/MD5 checksum:   986748 8efdbc409f140c1aaefadb97646944d6

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6-4woody3_i386.deb
      Size/MD5 checksum:   966408 50e5e44b2efa34d7c7d3a8fd630dc96a

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6-4woody3_ia64.deb
      Size/MD5 checksum:  1271406 4c5e77defc13bf4bae3d11431257e6a3

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6-4woody3_hppa.deb
      Size/MD5 checksum:  1058822 02516b6984cf695ef31c970980d36864

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6-4woody3_m68k.deb
      Size/MD5 checksum:   942188 ed7d9d16820608b3172be64f6b470b97

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6-4woody3_mips.deb
      Size/MD5 checksum:  1035630 9b25dd3f06580549bfa93ee429605d0e

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6-4woody3_mipsel.deb
      Size/MD5 checksum:  1035864 740243a767cc1ff53f116d0e97aa66a7

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6-4woody3_powerpc.deb
      Size/MD5 checksum:  1009152 678b2fc28d01eac452d96f925d2d40b2

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6-4woody3_s390.deb
      Size/MD5 checksum:  1001666 c5a70add4dfa1cb3828d9892513d3c15

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6-4woody3_sparc.deb
      Size/MD5 checksum:  1003634 32490333505f1804e9fcf4a786fbc293

  These files will probably be moved into the stable distribution on
  its next revision.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [E-mail:debian-security-announce@lists.debian.org]
Package info: 'apt-cache show ' and http://packages.debian.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFALZlDArxCt0PiXR4RAnwSAJ9Ca+rgs90zV39FpMLPrVQaP64WCwCfftPs
Cll8wYP1kjwXU1U/NJh7arE=
=YCPg
-----END PGP SIGNATURE-----


-- 
To UNSUBSCRIBE, email to [E-mail:debian-security-announce-request@lists.debian.org]
with a subject of "unsubscribe". Trouble? Contact [E-mail:listmaster@lists.debian.org]

Linux NewsThe world is talking about GNU/Linux and Free/Open Source Software