| Description: | Description:
The remote host is missing updates announced in
advisory FLSA-2006:185355.
Tavis Ormandy discovered a bug in the way GnuPG verifies
cryptographically signed data with detached signatures. It is possible
for an attacker to construct a cryptographically signed message which
could appear to come from a third party. When a victim processes a GnuPG
message with a malformed detached signature, GnuPG ignores the malformed
signature, processes and outputs the signed data, and exits with status
0, just as it would if the signature had been valid. In this case,
GnuPG's exit status would not indicate that no signature verification
had taken place. This issue would primarily be of concern when
processing GnuPG results via an automated script. The Common
Vulnerabilities and Exposures project assigned the name CVE-2006-0455 to
this issue.
Tavis Ormandy also discovered a bug in the way GnuPG verifies
cryptographically signed data with inline signatures. It is possible for
an attacker to inject unsigned data into a signed message in such a way
that when a victim processes the message to recover the data, the
unsigned data is output along with the signed data, gaining the
appearance of having been signed. The Common Vulnerabilities and
Exposures project assigned the name CVE-2006-0049 to this issue.
Please note that neither of these issues affect the way RPM or up2date
verify RPM package files, nor is RPM vulnerable to either of these
issues.
All users of GnuPG are advised to upgrade to this updated package, which
contains backported patches to correct these issues.
Affected platforms:
Redhat 7.3
Redhat 9
Fedora Core 1
Fedora Core 2
Fedora Core 3
Solution:
http://www.securityspace.com/smysecure/catid.html?in=FLSA-2006:185355
Risk factor : Medium
CVSS Score:
5.0
|
