Test ID: 1.3.6.1.4.1.25623.1.0.56382
Category: Red Hat Local Security Checks
Title: RedHat Security Advisory RHSA-2006:0266
Summary: NOSUMMARY
Description:

The remote host is missing updates announced in
advisory RHSA-2006:0266.

GnuPG is a utility for encrypting data and creating digital signatures.

Tavis Ormandy discovered a bug in the way GnuPG verifies cryptographically
signed data with detached signatures. It is possible for an attacker to
construct a cryptographically signed message which could appear to come
from a third party. When a victim processes a GnuPG message with a
malformed detached signature, GnuPG ignores the malformed signature,
processes and outputs the signed data, and exits with status 0, just as it
would if the signature had been valid. In this case, GnuPG's exit status
would not indicate that no signature verification had taken place. This
issue would primarily be of concern when processing GnuPG results via an
automated script. The Common Vulnerabilities and Exposures project assigned
the name CVE-2006-0455 to this issue.
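As an added illustration of the automated-script concern in the paragraph above (example code written for this page, not part of the advisory, of GnuPG, or of Red Hat's tooling): rather than trusting gpg's exit status alone, a script can require the machine-readable `--status-fd` output to contain GnuPG's documented GOODSIG and VALIDSIG lines before treating the data as verified. The status keywords used here are GnuPG's own; the sample status output, key ID and fingerprint are constructed.

```python
"""Decide whether a GnuPG verification actually took place.

Added example, not part of the advisory or of Red Hat's tooling. It assumes gpg is
run with --status-fd so that machine-readable status lines are available; the sample
status output below is constructed for illustration.
"""
import subprocess
from typing import List

# Status keywords GnuPG emits on --status-fd (documented in GnuPG's doc/DETAILS).
GOOD_KEYWORDS = {"GOODSIG", "VALIDSIG"}
BAD_KEYWORDS = {"BADSIG", "ERRSIG", "NODATA", "UNEXPECTED", "NO_PUBKEY",
                "EXPKEYSIG", "REVKEYSIG"}


def parse_status_keywords(status_text: str) -> List[str]:
    """Return the keyword of every '[GNUPG:] KEYWORD ...' line, in order."""
    keywords = []
    for line in status_text.splitlines():
        if line.startswith("[GNUPG:] "):
            parts = line.split()
            if len(parts) >= 2:
                keywords.append(parts[1])
    return keywords


def signature_verified(status_text: str, exit_code: int) -> bool:
    """True only when gpg reported a valid signature, not merely exit status 0.

    The advisory's point is that a malformed detached signature can yield exit
    status 0 with no verification performed. Requiring explicit GOODSIG and
    VALIDSIG lines, and the absence of any failure keyword, closes that gap.
    """
    if exit_code != 0:
        return False
    keywords = parse_status_keywords(status_text)
    if any(k in BAD_KEYWORDS for k in keywords):
        return False
    return GOOD_KEYWORDS.issubset(keywords)


def verify_detached(signature_path: str, data_path: str) -> bool:
    """Run gpg on a detached signature and apply signature_verified.

    Not exercised offline: it needs a gpg binary and an imported signing key.
    """
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", signature_path, data_path],
        capture_output=True, text=True,
    )
    return signature_verified(proc.stdout, proc.returncode)


# Constructed sample status output for a signature that verified (key ID and
# fingerprint are placeholders).
GOOD_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2006-03-15 1142380800 0 4 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_FULLY
"""

# Constructed sample for the failure mode the advisory describes: gpg emitted no
# GOODSIG/VALIDSIG at all, yet the caller observed exit status 0.
MALFORMED_STATUS = """\
[GNUPG:] NEWSIG
"""

if __name__ == "__main__":
    print("good sample verified:", signature_verified(GOOD_STATUS, 0))
    print("malformed sample verified:", signature_verified(MALFORMED_STATUS, 0))
```

The check deliberately treats "no signature status at all" the same as a bad signature: an automated pipeline should fail closed when it cannot prove that verification happened.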

Tavis Ormandy also discovered a bug in the way GnuPG verifies
cryptographically signed data with inline signatures. It is possible for an
attacker to inject unsigned data into a signed message in such a way that
when a victim processes the message to recover the data, the unsigned data
is output along with the signed data, gaining the appearance of having been
signed. This issue is mitigated in the GnuPG shipped with Red Hat
Enterprise Linux as the --ignore-crc-error option must be passed to the gpg
executable for this attack to be successful. The Common Vulnerabilities and
Exposures project assigned the name CVE-2006-0049 to this issue.

Please note that neither of these issues affects the way RPM or up2date
verify RPM package files, nor is RPM vulnerable to either of these issues.

All users of GnuPG are advised to upgrade to this updated package, which
contains backported patches to correct these issues.

Solution:
Please note that this update is available via
Red Hat Network. To use Red Hat Network, launch the Red
Hat Update Agent with the following command: up2date

http://rhn.redhat.com/errata/RHSA-2006-0266.html

Risk factor : Medium

CVSS Score: 5.0

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2006-0049
BugTraq ID: 17058
http://www.securityfocus.com/bid/17058
Bugtraq: 20060309 GnuPG does not detect injection of unsigned data (Google Search)
http://www.securityfocus.com/archive/1/427324/100/0/threaded
Debian Security Information: DSA-993 (Google Search)
http://www.debian.org/security/2006/dsa-993
http://www.redhat.com/archives/fedora-announce-list/2006-March/msg00021.html
http://www.securityfocus.com/archive/1/433931/100/0/threaded
http://www.gentoo.org/security/en/glsa/glsa-200603-08.xml
http://www.mandriva.com/security/advisories?name=MDKSA-2006:055
http://lists.gnupg.org/pipermail/gnupg-announce/2006q1/000216.html
http://www.osvdb.org/23790
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10063
http://www.redhat.com/support/errata/RHSA-2006-0266.html
http://securitytracker.com/id?1015749
http://secunia.com/advisories/19173
http://secunia.com/advisories/19197
http://secunia.com/advisories/19203
http://secunia.com/advisories/19231
http://secunia.com/advisories/19232
http://secunia.com/advisories/19234
http://secunia.com/advisories/19244
http://secunia.com/advisories/19249
http://secunia.com/advisories/19287
http://secunia.com/advisories/19532
SGI Security Advisory: 20060401-01-U
ftp://patches.sgi.com/support/free/security/advisories/20060401-01-U
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.476477
http://securityreason.com/securityalert/450
http://securityreason.com/securityalert/568
SuSE Security Announcement: SUSE-SA:2006:014 (Google Search)
http://lists.suse.de/archive/suse-security-announce/2006-Mar/0003.html
http://www.trustix.org/errata/2006/0014
https://usn.ubuntu.com/264-1/
http://www.vupen.com/english/advisories/2006/0915
XForce ISS Database: gnupg-nondetached-sig-verification(25184)
https://exchange.xforce.ibmcloud.com/vulnerabilities/25184
Common Vulnerability Exposure (CVE) ID: CVE-2006-0455
BugTraq ID: 16663
http://www.securityfocus.com/bid/16663
Bugtraq: 20060215 False positive signature verification in GnuPG (Google Search)
http://www.securityfocus.com/archive/1/425289/100/0/threaded
Debian Security Information: DSA-978 (Google Search)
http://www.us.debian.org/security/2006/dsa-978
http://fedoranews.org/updates/FEDORA-2006-116.shtml
http://www.gentoo.org/security/en/glsa/glsa-200602-10.xml
http://www.mandriva.com/security/advisories?name=MDKSA-2006:043
http://lists.gnupg.org/pipermail/gnupg-announce/2006q1/000211.html
http://marc.info/?l=gnupg-devel&m=113999098729114&w=2
http://www.openpkg.org/security/OpenPKG-SA-2006.001-gnupg.html
http://www.osvdb.org/23221
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10084
http://secunia.com/advisories/18845
http://secunia.com/advisories/18933
http://secunia.com/advisories/18934
http://secunia.com/advisories/18942
http://secunia.com/advisories/18955
http://secunia.com/advisories/18956
http://secunia.com/advisories/18968
http://secunia.com/advisories/19130
SuSE Security Announcement: SUSE-SA:2006:009 (Google Search)
http://www.novell.com/linux/security/advisories/2006_09_gpg.html
SuSE Security Announcement: SUSE-SA:2006:013 (Google Search)
http://www.novell.com/linux/security/advisories/2006_13_gpg.html
SuSE Security Announcement: SUSE-SR:2006:005 (Google Search)
http://www.novell.com/linux/security/advisories/2006_05_sr.html
http://www.trustix.org/errata/2006/0008
http://www.ubuntu.com/usn/usn-252-1
http://www.vupen.com/english/advisories/2006/0610
XForce ISS Database: gnupg-gpgv-improper-verification(24744)
https://exchange.xforce.ibmcloud.com/vulnerabilities/24744
Copyright: Copyright (c) 2006 E-Soft Inc. http://www.securityspace.com

© 1998-2021 E-Soft Inc. All rights reserved.