Test ID:	1.3.6.1.4.1.25623.1.0.56321
Category:	SuSE Local Security Checks
Title:	SuSE Security Advisory SUSE-SA:2006:009 (gpg,liby2util)
Summary:	NOSUMMARY
Description:	Description: The remote host is missing updates announced in advisory SUSE-SA:2006:009. With certain handcraftable signatures GPG was returning a 0 (valid signature) when used on command-line with option --verify. This only affects GPG version 1.4.x, so it only affects SUSE Linux 9.3 and 10.0. Other SUSE Linux versions are not affected. This could make automated checkers, like for instance the patch file verification checker of the YaST Online Update, pass malicious patch files as correct. This is tracked by the Mitre CVE ID CVE-2006-0455. Also, the YaST Online Update script signature verification had used a feature which was lost in gpg 1.4.x, making it possible to supply any kind of script which would be thought correct. This would also allow code execution. Both attacks require an attacker either manipulating a YaST Online Update mirror or manipulating the network traffic between the mirror and your machine. Solution: Update your system with the packages as indicated in the referenced security advisory. http://www.securityspace.com/smysecure/catid.html?in=SUSE-SA:2006:009 Risk factor : Medium CVSS Score: 4.6
Cross-Ref:	BugTraq ID: 16663 Common Vulnerability Exposure (CVE) ID: CVE-2006-0455 16663 http://www.securityfocus.com/bid/16663 18845 http://secunia.com/advisories/18845 18933 http://secunia.com/advisories/18933 18934 http://secunia.com/advisories/18934 18942 http://secunia.com/advisories/18942 18955 http://secunia.com/advisories/18955 18956 http://secunia.com/advisories/18956 18968 http://secunia.com/advisories/18968 19130 http://secunia.com/advisories/19130 19249 http://secunia.com/advisories/19249 19532 http://secunia.com/advisories/19532 2006-0008 http://www.trustix.org/errata/2006/0008 20060215 False positive signature verification in GnuPG http://www.securityfocus.com/archive/1/425289/100/0/threaded 20060401-01-U ftp://patches.sgi.com/support/free/security/advisories/20060401-01-U 23221 http://www.osvdb.org/23221 ADV-2006-0610 http://www.vupen.com/english/advisories/2006/0610 DSA-978 http://www.us.debian.org/security/2006/dsa-978 FEDORA-2006-116 http://fedoranews.org/updates/FEDORA-2006-116.shtml FLSA-2006:185355 http://www.securityfocus.com/archive/1/433931/100/0/threaded GLSA-200602-10 http://www.gentoo.org/security/en/glsa/glsa-200602-10.xml MDKSA-2006:043 http://www.mandriva.com/security/advisories?name=MDKSA-2006:043 OpenPKG-SA-2006.001 http://www.openpkg.org/security/OpenPKG-SA-2006.001-gnupg.html RHSA-2006:0266 http://www.redhat.com/support/errata/RHSA-2006-0266.html SSA:2006-072-02 http://www.slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.476477 SUSE-SA:2006:009 http://www.novell.com/linux/security/advisories/2006_09_gpg.html SUSE-SA:2006:013 http://www.novell.com/linux/security/advisories/2006_13_gpg.html SUSE-SR:2006:005 http://www.novell.com/linux/security/advisories/2006_05_sr.html USN-252-1 http://www.ubuntu.com/usn/usn-252-1 [gnupg-announce] 20060215 False positive signature verification in GnuPG http://lists.gnupg.org/pipermail/gnupg-announce/2006q1/000211.html [gnupg-devel] 20060215 [Announce] False positive signature verification in GnuPG http://marc.info/?l=gnupg-devel&m=113999098729114&w=2 gnupg-gpgv-improper-verification(24744) https://exchange.xforce.ibmcloud.com/vulnerabilities/24744 oval:org.mitre.oval:def:10084 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10084
Copyright	Copyright (c) 2006 E-Soft Inc. http://www.securityspace.com

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.