Red Hat Product Errata RHSA-2007:0106 - Security Advisory

Issued:: 2007-03-06
Updated:: 2007-03-06

RHSA-2007:0106 - Security Advisory

Overview
Updated Packages

Synopsis

Important: gnupg security update

Type/Severity

Security Advisory: Important

Topic

Updated GnuPG packages that fix a security issue are now available.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

Description

GnuPG is a utility for encrypting data and creating digital signatures.

Gerardo Richarte discovered that a number of applications that make use of
GnuPG are prone to a vulnerability involving incorrect verification of
signatures and encryption. An attacker could add arbitrary content to a
signed message in such a way that a receiver of the message would not be
able to distinguish between the properly signed parts of a message and the
forged, unsigned, parts. (CVE-2007-1263)

Whilst this is not a vulnerability in GnuPG itself, the GnuPG team have
produced a patch to protect against messages with multiple plaintext
packets. Users should update to these erratum packages which contain the
backported patch for this issue.

Red Hat would like to thank Core Security Technologies for reporting this
issue.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via Red Hat Network. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Affected Products

Red Hat Enterprise Linux Server 4 x86_64
Red Hat Enterprise Linux Server 4 ia64
Red Hat Enterprise Linux Server 4 i386
Red Hat Enterprise Linux Server 3 x86_64
Red Hat Enterprise Linux Server 3 ia64
Red Hat Enterprise Linux Server 3 i386
Red Hat Enterprise Linux Server 2 ia64
Red Hat Enterprise Linux Server 2 i386
Red Hat Enterprise Linux Workstation 4 x86_64
Red Hat Enterprise Linux Workstation 4 ia64
Red Hat Enterprise Linux Workstation 4 i386
Red Hat Enterprise Linux Workstation 3 x86_64
Red Hat Enterprise Linux Workstation 3 ia64
Red Hat Enterprise Linux Workstation 3 i386
Red Hat Enterprise Linux Workstation 2 ia64
Red Hat Enterprise Linux Workstation 2 i386
Red Hat Enterprise Linux Desktop 4 x86_64
Red Hat Enterprise Linux Desktop 4 i386
Red Hat Enterprise Linux Desktop 3 x86_64
Red Hat Enterprise Linux Desktop 3 i386
Red Hat Enterprise Linux for IBM z Systems 4 s390x
Red Hat Enterprise Linux for IBM z Systems 4 s390
Red Hat Enterprise Linux for IBM z Systems 3 s390x
Red Hat Enterprise Linux for IBM z Systems 3 s390
Red Hat Enterprise Linux for Power, big endian 4 ppc
Red Hat Enterprise Linux for Power, big endian 3 ppc

Fixes

BZ - 230456 - CVE-2007-1263 gnupg signed message spoofing

CVEs

CVE-2007-1263

References

http://www.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Enterprise Linux Server 4

SRPM
x86_64
gnupg-1.2.6-9.x86_64.rpm	SHA-256: 69d5996160ebfb6dbc37a919d9609bb7845f8639b0b321cba84972a9f1558256
gnupg-1.2.6-9.x86_64.rpm	SHA-256: 69d5996160ebfb6dbc37a919d9609bb7845f8639b0b321cba84972a9f1558256
ia64
gnupg-1.2.6-9.ia64.rpm	SHA-256: a7316f0bf99d09bf7976095472b11b21b9b6a483cfc8cd2ff55b899c435ddbb3
gnupg-1.2.6-9.ia64.rpm	SHA-256: a7316f0bf99d09bf7976095472b11b21b9b6a483cfc8cd2ff55b899c435ddbb3
i386
gnupg-1.2.6-9.i386.rpm	SHA-256: 4c40d2076c9afe365807579d79fb317dea01ec89a8ba3cd3a6dab4a108c28289
gnupg-1.2.6-9.i386.rpm	SHA-256: 4c40d2076c9afe365807579d79fb317dea01ec89a8ba3cd3a6dab4a108c28289

Red Hat Enterprise Linux Workstation 4

SRPM
x86_64
gnupg-1.2.6-9.x86_64.rpm	SHA-256: 69d5996160ebfb6dbc37a919d9609bb7845f8639b0b321cba84972a9f1558256
ia64
gnupg-1.2.6-9.ia64.rpm	SHA-256: a7316f0bf99d09bf7976095472b11b21b9b6a483cfc8cd2ff55b899c435ddbb3
i386
gnupg-1.2.6-9.i386.rpm	SHA-256: 4c40d2076c9afe365807579d79fb317dea01ec89a8ba3cd3a6dab4a108c28289

Red Hat Enterprise Linux Desktop 4

SRPM
x86_64
gnupg-1.2.6-9.x86_64.rpm	SHA-256: 69d5996160ebfb6dbc37a919d9609bb7845f8639b0b321cba84972a9f1558256
i386
gnupg-1.2.6-9.i386.rpm	SHA-256: 4c40d2076c9afe365807579d79fb317dea01ec89a8ba3cd3a6dab4a108c28289

Red Hat Enterprise Linux for IBM z Systems 4

SRPM
s390x
gnupg-1.2.6-9.s390x.rpm	SHA-256: 228080ca47685a7ebeb90dcda7d3bd0c524976bbc95b5d3a7e63c45a95d6ffd1
s390
gnupg-1.2.6-9.s390.rpm	SHA-256: d30144477020d96d95175ad92360ed5d4c6800dd16dc26742b3d6aa4a68b5010

Red Hat Enterprise Linux for Power, big endian 4

SRPM
ppc
gnupg-1.2.6-9.ppc.rpm	SHA-256: 99e7aac6bb47ba0949ac9a55b6965d53468e1118a606e4d4cea98210dbeacb76

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

JBoss Development and Management

JBoss Integration and Automation

Mobile

Services

Tools

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories