Test ID:	1.3.6.1.4.1.25623.1.0.56384
Category:	Fedora Local Security Checks
Title:	Fedora Core 4 FEDORA-2006-147 (gnupg)
Summary:	NOSUMMARY
Description:	Description: The remote host is missing an update to gnupg announced via advisory FEDORA-2006-147. GnuPG (GNU Privacy Guard) is a GNU utility for encrypting data and creating digital signatures. GnuPG has advanced key management capabilities and is compliant with the proposed OpenPGP Internet standard described in RFC2440. Since GnuPG doesn't use any patented algorithm, it is not compatible with any version of PGP2 (PGP2.x uses only IDEA for symmetric-key encryption, which is patented worldwide). Update Information: Tavis Ormandy discovered a flaw in the way GnuPG verifies cryptographically signed data with inline signatures. It is possible for an attacker to add unsigned text to a signed message in such a way so that when the signed text is extracted, the unsigned text is extracted as well, appearing as if it had been signed. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0049 to this issue. * Fri Mar 10 2006 Nalin Dahyabhai - 1.4.2.2-1 - update to 1.4.2.2 to fix detection of unsigned data (CVE-2006-0049, #184557) Solution: Apply the appropriate updates. This update can be downloaded from: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/4/ This update can be installed with the 'yum' update program. Use 'yum update package-name' at the command line. For more information, refer to 'Managing Software with yum,' available at http://fedora.redhat.com/docs/yum/. http://www.securityspace.com/smysecure/catid.html?in=FEDORA-2006-147 Risk factor : Medium CVSS Score: 5.0
Cross-Ref:	BugTraq ID: 17058 Common Vulnerability Exposure (CVE) ID: CVE-2006-0049 http://www.securityfocus.com/bid/17058 Bugtraq: 20060309 GnuPG does not detect injection of unsigned data (Google Search) http://www.securityfocus.com/archive/1/427324/100/0/threaded Debian Security Information: DSA-993 (Google Search) http://www.debian.org/security/2006/dsa-993 http://www.redhat.com/archives/fedora-announce-list/2006-March/msg00021.html http://www.securityfocus.com/archive/1/433931/100/0/threaded http://www.gentoo.org/security/en/glsa/glsa-200603-08.xml http://www.mandriva.com/security/advisories?name=MDKSA-2006:055 http://lists.gnupg.org/pipermail/gnupg-announce/2006q1/000216.html http://www.osvdb.org/23790 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10063 http://www.redhat.com/support/errata/RHSA-2006-0266.html http://securitytracker.com/id?1015749 http://secunia.com/advisories/19173 http://secunia.com/advisories/19197 http://secunia.com/advisories/19203 http://secunia.com/advisories/19231 http://secunia.com/advisories/19232 http://secunia.com/advisories/19234 http://secunia.com/advisories/19244 http://secunia.com/advisories/19249 http://secunia.com/advisories/19287 http://secunia.com/advisories/19532 SGI Security Advisory: 20060401-01-U ftp://patches.sgi.com/support/free/security/advisories/20060401-01-U http://www.slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.476477 http://securityreason.com/securityalert/450 http://securityreason.com/securityalert/568 SuSE Security Announcement: SUSE-SA:2006:014 (Google Search) http://lists.suse.de/archive/suse-security-announce/2006-Mar/0003.html http://www.trustix.org/errata/2006/0014 https://usn.ubuntu.com/264-1/ http://www.vupen.com/english/advisories/2006/0915 XForce ISS Database: gnupg-nondetached-sig-verification(25184) https://exchange.xforce.ibmcloud.com/vulnerabilities/25184
Copyright	Copyright (c) 2006 E-Soft Inc. http://www.securityspace.com

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.