Test ID:	1.3.6.1.4.1.25623.1.0.56301
Category:	Ubuntu Local Security Checks
Title:	Ubuntu USN-252-1 (gnupg)
Summary:	Ubuntu USN-252-1 (gnupg)
Description:	The remote host is missing an update to gnupg announced via advisory USN-252-1. A security issue affects the following Ubuntu releases: Ubuntu 4.10 (Warty Warthog) Ubuntu 5.04 (Hoary Hedgehog) Ubuntu 5.10 (Breezy Badger) The following packages are affected: gnupg Tavis Ormandy discovered a potential weakness in the signature verification of gnupg. gpgv and gpg --verify returned a successful exit code even if the checked file did not have any signature at all. The recommended way of checking the result is to evaluate the status messages, but some third party applications might just check the exit code for determining whether or not a signature is valid. These applications could be tricked into erroneously reporting a valid signature. Please note that this does not affect the Ubuntu package signature checks. Solution: The problem can be corrected by upgrading the affected package to version 1.2.4-4ubuntu2.2 (for ubuntu 4.10), 1.2.5-3ubuntu5.2 (for Ubuntu 5.04), or 1.4.1-1ubuntu1.1 (for Ubuntu 5.10). In general, a standard system upgrade is sufficient to effect the necessary changes. http://www.securityspace.com/smysecure/catid.html?in=USN-252-1 Risk factor : Medium
Cross-Ref:	BugTraq ID: 16663 Common Vulnerability Exposure (CVE) ID: CVE-2006-0455 Bugtraq: 20060215 False positive signature verification in GnuPG (Google Search) http://www.securityfocus.com/archive/1/archive/1/425289/100/0/threaded http://marc.theaimsgroup.com/?l=gnupg-devel&m=113999098729114&w=2 http://lists.gnupg.org/pipermail/gnupg-announce/2006q1/000211.html Debian Security Information: DSA-978 (Google Search) http://www.us.debian.org/security/2006/dsa-978 http://fedoranews.org/updates/FEDORA-2006-116.shtml http://www.securityfocus.com/archive/1/archive/1/433931/100/0/threaded http://www.gentoo.org/security/en/glsa/glsa-200602-10.xml http://www.mandriva.com/security/advisories?name=MDKSA-2006:043 http://www.openpkg.org/security/OpenPKG-SA-2006.001-gnupg.html http://www.redhat.com/support/errata/RHSA-2006-0266.html SGI Security Advisory: 20060401-01-U ftp://patches.sgi.com/support/free/security/advisories/20060401-01-U http://www.slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.476477 SuSE Security Announcement: SUSE-SA:2006:009 (Google Search) http://www.novell.com/linux/security/advisories/2006_09_gpg.html SuSE Security Announcement: SUSE-SR:2006:005 (Google Search) http://www.novell.com/linux/security/advisories/2006_05_sr.html SuSE Security Announcement: SUSE-SA:2006:013 (Google Search) http://www.novell.com/linux/security/advisories/2006_13_gpg.html http://www.trustix.org/errata/2006/0008 http://www.ubuntu.com/usn/usn-252-1 http://www.securityfocus.com/bid/16663 http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:10084 http://www.vupen.com/english/advisories/2006/0610 http://www.osvdb.org/23221 http://secunia.com/advisories/18845 http://secunia.com/advisories/18934 http://secunia.com/advisories/18933 http://secunia.com/advisories/18942 http://secunia.com/advisories/18955 http://secunia.com/advisories/18956 http://secunia.com/advisories/18968 http://secunia.com/advisories/19130 http://secunia.com/advisories/19249 http://secunia.com/advisories/19532 XForce ISS Database: gnupg-gpgv-improper-verification(24744) http://xforce.iss.net/xforce/xfdb/24744
Copyright	Copyright (c) 2006 E-Soft Inc. http://www.securityspace.com

This is only one of 32582 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.

New User Registration Email: UserID: Passwd: Please email me your monthly newsletters, informing the latest services, improvements & surveys. Please email me a vulnerability test announcement whenever a new test is added.     Privacy

Registered User Login   UserID:     Passwd:     Forgot userid or passwd? Email/Userid: