Network Security Audits / Vulnerability Assessments by SecuritySpace

Vulnerability Search		Search 219043 CVE descriptions and 99761 test descriptions, access 10,000+ cross references.
	Tests CVE All

---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2006-1406
2006-12-06
---------------------------------------------------------------------

Product     : Fedora Core 6
Name        : gnupg
Version     : 1.4.6
Release     : 2
Summary     : A GNU utility for secure communication and data storage.
Description :
GnuPG (GNU Privacy Guard) is a GNU utility for encrypting data and
creating digital signatures. GnuPG has advanced key management
capabilities and is compliant with the proposed OpenPGP Internet
standard described in RFC2440. Since GnuPG doesn't use any patented
algorithm, it is not compatible with any version of PGP2 (PGP2.x uses
only IDEA for symmetric-key encryption, which is patented worldwide).

---------------------------------------------------------------------
Update Information:

This update upgrades GnuPG to version 1.4.6, incorporating
fixes for a potential buffer overflow (CVE-2006-6169) and
referencing of a stack variable after it passes out of scope
(CVE-2006-6235).
---------------------------------------------------------------------
* Wed Dec  6 2006 Nalin Dahyabhai <nalin@redhat.com> - 1.4.6-2
- rebuild
* Wed Dec  6 2006 Nalin Dahyabhai <nalin@redhat.com> - 1.4.6-1
- update to 1.4.6, incorporating fixes for CVE-2006-6169 and CVE-2006-6235
* Tue Dec  5 2006 Nalin Dahyabhai <nalin@redhat.com> - 1.4.5-13
- apply the termlib patch again
* Tue Dec  5 2006 Nalin Dahyabhai <nalin@redhat.com> - 1.4.5-12
- don't apply the non-security termlib patch
* Tue Dec  5 2006 Nalin Dahyabhai <nalin@redhat.com> - 1.4.5-11
- rebuild
* Tue Dec  5 2006 Nalin Dahyabhai <nalin@redhat.com> - 1.4.5-10
- incorporate patch from Werner to fix use of stack variable after it goes
  out of scope (CVE-2006-6235, #218483)
* Fri Dec  1 2006 Nalin Dahyabhai <nalin@redhat.com> - 1.4.5-9
- rebuild
- give configure a --with-termlib option which can be used to force the
  selection of libtermcap or libncurses, but don't flip the switch yet
* Fri Dec  1 2006 Nalin Dahyabhai <nalin@redhat.com> - 1.4.5-8
- rebuild
* Fri Dec  1 2006 Nalin Dahyabhai <nalin@redhat.com> - 1.4.5-7
- rebuild
* Fri Dec  1 2006 Nalin Dahyabhai <nalin@redhat.com> - 1.4.5-6
- add patch for overflow in openfile.c from Werner's mail
  (CVE-2006-6169, #218506)
* Tue Oct 31 2006 Nalin Dahyabhai <nalin@redhat.com> - 1.4.5-5
- rebuild against current libcurl
* Fri Aug 18 2006 Jesse Keating <jkeating@redhat.com> - 1.4.5-4
- rebuilt with latest binutils to pick up 64K -z commonpagesize on ppc*
  (#203001)
* Tue Aug  1 2006 Nalin Dahyabhai <nalin@redhat.com> - 1.4.5-3
- rebuild
* Tue Aug  1 2006 Nalin Dahyabhai <nalin@redhat.com> - 1.4.5-2
- rebuild
- reenable curl support
* Tue Aug  1 2006 Nalin Dahyabhai <nalin@redhat.com> - 1.4.5-1
- update to 1.4.5, fixing additional size overflows in packet parsing (#200904,
  CVE-2006-3746)
- temporarily disable curl support again
* Fri Jul 28 2006 Nalin Dahyabhai <nalin@redhat.com> - 1.4.4.90-1
- update to 1.4.5rc1 to check for build problems, but mark it as 1.4.4.90
  to avoid looking "newer" than the eventual 1.4.5
- because we call aclocal, buildrequire gettext-devel to get AM_GNU_GETTEXT
* Thu Jul 20 2006 Nalin Dahyabhai <nalin@redhat.com> - 1.4.4-7
- add BuildPrereq on curl-devel to get curl's ipv6 support (#198375)
* Wed Jul 12 2006 Nalin Dahyabhai <nalin@redhat.com> - 1.4.4-6
- fix a cast in gpgkeys_hkp to avoid tripping stack smashing or buffer overflow
  detection (#198612)
* Wed Jul 12 2006 Jesse Keating <jkeating@redhat.com> - 1.4.4-5.1
- rebuild
* Wed Jul  5 2006 Nalin Dahyabhai <nalin@redhat.com> - 1.4.4-5
- try again using per-platform buildprereq (jkeating)
* Wed Jul  5 2006 Nalin Dahyabhai <nalin@redhat.com> - 1.4.4-4
- buildprereq libusb-devel, so that we get CCID support back (#197450)
* Mon Jun 26 2006 Nalin Dahyabhai <nalin@redhat.com> - 1.4.4-3
- rebuild
* Mon Jun 26 2006 Nalin Dahyabhai <nalin@redhat.com> - 1.4.4-2
- rebuild
* Mon Jun 26 2006 Nalin Dahyabhai <nalin@redhat.com> - 1.4.4-1
- update to 1.4.4
* Tue Jun 20 2006 Nalin Dahyabhai <nalin@redhat.com> - 1.4.3-5
- rebuild
* Tue Jun 20 2006 Nalin Dahyabhai <nalin@redhat.com> - 1.4.3-4
- add patch from upstream to fix CVE-2006-3082 (#195946)
* Tue Apr 11 2006 Nalin Dahyabhai <nalin@redhat.com> - 1.4.3-3
- rebuild
* Tue Apr 11 2006 Nalin Dahyabhai <nalin@redhat.com> - 1.4.3-2
- apply patch from David Shaw to try multiple defaults if the the photo-viewer
  option isn't set (fixes #187880)
* Fri Mar 10 2006 Nalin Dahyabhai <nalin@redhat.com> - 1.4.3-1
- update to 1.4.3
* Fri Mar 10 2006 Nalin Dahyabhai <nalin@redhat.com> - 1.4.2.2-2
- rebuild
* Fri Mar 10 2006 Nalin Dahyabhai <nalin@redhat.com> - 1.4.2.2-1
- update to 1.4.2.2 to fix detection of unsigned data (CVE-2006-0049, #185111)
* Mon Feb 20 2006 Nalin Dahyabhai <nalin@redhat.com> - 1.4.2.1-4
- rebuild
* Mon Feb 20 2006 Nalin Dahyabhai <nalin@redhat.com> - 1.4.2.1-3
- add patch from David Shaw to fix error reading keyrings created with older
  versions of GnuPG (Enrico Scholz, #182163)
* Wed Feb 15 2006 Nalin Dahyabhai <nalin@redhat.com> - 1.4.2.1-2
- rebuild
* Wed Feb 15 2006 Nalin Dahyabhai <nalin@redhat.com> - 1.4.2.1-1
- update to 1.4.2.1 (fixes CVE-2006-0455)
* Fri Feb 10 2006 Jesse Keating <jkeating@redhat.com> - 1.4.2-3.2.1
- bump again for double-long bug on ppc(64)
* Tue Feb  7 2006 Jesse Keating <jkeating@redhat.com> - 1.4.2-3.2
- rebuilt for new gcc4.1 snapshot and glibc changes
* Fri Dec  9 2005 Jesse Keating <jkeating@redhat.com>
- rebuilt
* Tue Aug  9 2005 Nalin Dahyabhai <nalin@redhat.com> 1.4.2-3
- don't override libexecdir any more; we don't need to (#165462)
* Thu Aug  4 2005 Nalin Dahyabhai <nalin@redhat.com> 1.4.2-2
- pull in David Shaw's fix for key generation in batch mode
* Fri Jul 29 2005 Nalin Dahyabhai <nalin@redhat.com>
- change %post to check if the info files are there before attempting to
  add or remove them from the info index (#91641)
* Wed Jul 27 2005 Nalin Dahyabhai <nalin@redhat.com> 1.4.2-1
- update to 1.4.2
* Thu May  5 2005 Nalin Dahyabhai <nalin@redhat.com> 1.4.1-3
- fix the execstack problem correctly this time (arjanv)
* Thu Apr 28 2005 Nalin Dahyabhai <nalin@redhat.com> 1.4.1-2
- add -Wa,--noexecstack back to CFLAGS when invoking configure, the
  --enable-noexecstack flag only seems to affect asm modules
* Wed Mar 16 2005 Nalin Dahyabhai <nalin@redhat.com> 1.4.1-1
- update to 1.4.1
* Tue Mar  8 2005 Nalin Dahyabhai <nalin@redhat.com> 1.4.0-2
- build asm modules with -Wa,--noexecstack
* Mon Jan 24 2005 Nalin Dahyabhai <nalin@redhat.com> 1.4.0-1
- comment out libusb-devel req for now so that we can build
- build the mpi asm modules with gcc, not a cpp/as setup so that we don't end
  up with text relocations in the resulting binaries (#145836)
* Wed Dec 22 2004 Nalin Dahyabhai <nalin@redhat.com>
- update to 1.4.0
* Mon Nov  1 2004 Nalin Dahyabhai <nalin@redhat.com>
- add a pile of buildprereq
* Mon Nov  1 2004 Robert Scheck <redhat@linuxnetz.de> 1.2.6-2
- set LANG=C before running shm coprocessing build-time check (#129873)
* Thu Aug 26 2004 Nalin Dahyabhai <nalin@redhat.com> 1.2.6-1
- update to 1.2.6
* Tue Jul 27 2004 Nalin Dahyabhai <nalin@redhat.com>
- update to 1.2.5
- reenable optimization on ppc64
* Tue Jun 15 2004 Elliot Lee <sopwith@redhat.com>
- rebuilt
* Tue Mar  2 2004 Elliot Lee <sopwith@redhat.com>
- rebuilt
* Fri Feb 13 2004 Elliot Lee <sopwith@redhat.com>
- rebuilt
* Fri Feb  6 2004 Nalin Dahyabhai <nalin@redhat.com> 1.2.4-1
- update to 1.2.4, dropping separate ElGamal disabling patch
* Fri Dec 12 2003 Nalin Dahyabhai <nalin@redhat.com> 1.2.3-3
- rebuild
* Mon Dec  1 2003 Nalin Dahyabhai <nalin@redhat.com> 1.2.3-2
- incorporate patch from gnupg-announce which removes the ability to create
  ElGamal encrypt+sign keys or to sign messages with such keys
* Mon Oct 27 2003 Nalin Dahyabhai <nalin@redhat.com> 1.2.3-1
- use -fPIE instead of -fpie because some arches need it
* Mon Oct 27 2003 Nalin Dahyabhai <nalin@redhat.com>
- build gnupg as a position-independent executable (Arjan van de Ven)
* Mon Aug 25 2003 Nalin Dahyabhai <nalin@redhat.com>
- add Werner's key as a source file
* Fri Aug 22 2003 Nalin Dahyabhai <nalin@redhat.com>
- update to 1.2.3
* Thu Jun 19 2003 Nalin Dahyabhai <nalin@redhat.com> 1.2.2-3
- disable asm and optimization on ppc64
* Fri Jun 13 2003 Nalin Dahyabhai <nalin@redhat.com>
- add a build-time check to ensure that shm coprocessing was enabled
* Wed Jun  4 2003 Elliot Lee <sopwith@redhat.com>
- rebuilt
* Mon May  5 2003 Nalin Dahyabhai <nalin@redhat.com> 1.2.2-1
- update to 1.2.2, fixing CAN-2003-0255
* Thu May  1 2003 Elliot Lee <sopwith@redhat.com> 1.2.1-5
- Add ppc64 patch to fix up global symbol names in assembly
* Fri Feb 28 2003 Kevin Sonney <ksonney@redhat.com> 1.2.1-4
- remove autoconf call on sparc
* Fri Feb  7 2003 Nalin Dahyabhai <nalin@redhat.com> 1.2.1-3
- modify g10defs to look for helpers in libexecdir, because that's where they
  get installed, per gnupg-users
- actually drop updates for 1.0.7 which are no longer needed for 1.2.1
* Wed Jan 22 2003 Tim Powers <timp@redhat.com>
- rebuilt
* Mon Oct 28 2002 Nalin Dahyabhai <nalin@redhat.com> 1.2.1-1
- update to 1.2.1
* Tue Sep 24 2002 Nalin Dahyabhai <nalin@redhat.com> 1.2.0-1
- update to 1.2.0
- stop stripping files manually, let the buildroot policies handle it
- add translations updates ca and fr
* Tue Aug 27 2002 Nalin Dahyabhai <nalin@redhat.com> 1.0.7-6
- rebuild
* Wed Jul 24 2002 Nalin Dahyabhai <nalin@redhat.com> 1.0.7-5
- specify a menu entry when installing info pages
* Wed Jul 24 2002 Nalin Dahyabhai <nalin@redhat.com> 1.0.7-4
- add and install info pages (#67931)
- don't include two copies of the faq, add new doc files (#67931)
* Fri Jun 21 2002 Tim Powers <timp@redhat.com>
- automated rebuild
* Sun May 26 2002 Tim Powers <timp@redhat.com>
- automated rebuild
* Tue Apr 30 2002 Nalin Dahyabhai <nalin@redhat.com> 1.0.7-1
- update to 1.0.7
* Fri Feb 22 2002 Nalin Dahyabhai <nalin@redhat.com> 1.0.6-5
- rebuild
* Wed Jan 23 2002 Nalin Dahyabhai <nalin@redhat.com> 1.0.6-4
- make the codeset patch unconditional
* Thu Aug  9 2001 Nalin Dahyabhai <nalin@redhat.com> 1.0.6-3
- set message output encoding to match the message encoding, based on a
  patch by goeran@uddeborg.pp.se (#49182)
* Sun Jun 24 2001 Elliot Lee <sopwith@redhat.com> 1.0.6-2
- Bump release + rebuild.
* Wed May 30 2001 Nalin Dahyabhai <nalin@redhat.com> 1.0.6-1
- update to 1.0.6, fixes format string exploit
* Mon Apr 30 2001 Nalin Dahyabhai <nalin@redhat.com>
- update to 1.0.5, dropping various patches
* Tue Feb 27 2001 Trond Eivind Glomsr�d <teg@redhat.com>
- langify
- strip binaries in /usr/lib/gnupg
* Tue Feb 27 2001 Nalin Dahyabhai <nalin@redhat.com>
- fix the group
* Mon Dec 18 2000 Nalin Dahyabhai <nalin@redhat.com>
- go with this version -- 1.0.4c includes a lot of changes beyond just the
  two security fixes
* Thu Dec 14 2000 Nalin Dahyabhai <nalin@redhat.com>
- add the --allow-secret-key-import patch from CVS in case we don't get a 1.0.5
* Fri Dec  8 2000 Nalin Dahyabhai <nalin@redhat.com>
- build as an errata for 7
* Fri Dec  1 2000 Nalin Dahyabhai <nalin@redhat.com>
- add a security patch for a problem with detached signature verification...
  might hold off for an impending 1.0.5, though
* Thu Oct 19 2000 Nalin Dahyabhai <nalin@redhat.com>
- fix a bug preventing creation of .gnupg directories
* Wed Oct 18 2000 Nalin Dahyabhai <nalin@redhat.com>
- add patch to recognize AES signatures properly (#19312)
- add gpgv to the package
* Tue Oct 17 2000 Nalin Dahyabhai <nalin@redhat.com>
- update to 1.0.4 to get security fix
* Tue Oct 10 2000 Nalin Dahyabhai <nalin@redhat.com>
- fix man page typos (#18797)
* Thu Sep 21 2000 Nalin Dahyabhai <nalin@redhat.com>
- update to 1.0.3
- switch to bundled copy of the man page
* Wed Aug 30 2000 Matt Wilson <msw@redhat.com>
- rebuild to cope with glibc locale binary incompatibility, again
* Wed Aug 16 2000 Nalin Dahyabhai <nalin@redhat.com>
- revert locale patch (#16222)
* Tue Aug 15 2000 Nalin Dahyabhai <nalin@redhat.com>
- set all locale data instead of LC_MESSAGES and LC_TIME (#16222)
* Sun Jul 23 2000 Nalin Dahyabhai <nalin@redhat.com>
- update to 1.0.2
* Wed Jul 19 2000 Jakub Jelinek <jakub@redhat.com>
- rebuild to cope with glibc locale binary incompatibility
* Thu Jul 13 2000 Prospector <bugzilla@redhat.com>
- automatic rebuild
* Wed Jul 12 2000 Nalin Dahyabhai <nalin@redhat.com>
- include lspgpot (#13772)
* Mon Jun  5 2000 Nalin Dahyabhai <nalin@redhat.com>
- rebuild in new build environment
* Fri Feb 18 2000 Bill Nottingham <notting@redhat.com>
- build of 1.0.1
* Fri Sep 10 1999 Cristian Gafton <gafton@redhat.com>
- version 1.0.0 build for 6.1us

---------------------------------------------------------------------
This update can be downloaded from:
    http://download.fedora.redhat.com/pub/fedora/linux/core/updates/6/

c626ce84e9d2dc39c863efbbdf879330d5fe74fb  SRPMS/gnupg-1.4.6-2.src.rpm
c626ce84e9d2dc39c863efbbdf879330d5fe74fb  noarch/gnupg-1.4.6-2.src.rpm
682cbd00aabbb225d748bdb237fde51b3ef25b06  ppc/gnupg-1.4.6-2.ppc.rpm
ebbeef080fff37991929bc6d727dad8dec0287dc  ppc/debug/gnupg-debuginfo-1.4.6-2.ppc.rpm
a8e6cfd56037a585d9d4f4a745e17be59bcab206  x86_64/gnupg-1.4.6-2.x86_64.rpm
786c668d1c45a02f73af311832e70d0cae81c738  x86_64/debug/gnupg-debuginfo-1.4.6-2.x86_64.rpm
1e442eca4432f340c53ccca22b620c009b8aae08  i386/gnupg-1.4.6-2.i386.rpm
e99717a999fb025e2d4635351a7618c51613b4f0  i386/debug/gnupg-debuginfo-1.4.6-2.i386.rpm

This update can be installed with the 'yum' update program.  Use 'yum update
package-name' at the command line.  For more information, refer to 'Managing
Software with yum,' available at http://fedora.redhat.com/docs/yum/.
---------------------------------------------------------------------