Network Security Audits / Vulnerability Assessments by SecuritySpace

Vulnerability Search		Search 324607 CVE descriptions and 145615 test descriptions, access 10,000+ cross references.
	Tests CVE All

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

--------------------------------------------------------------------------
   Turbolinux Security Advisory TLSA-2003-68
   http://www.turbolinux.co.jp/security/
                                             security-team@turbolinux.co.jp
--------------------------------------------------------------------------

Original released date : 17 Dec 2003
Last revised           : 17 Dec 2003

Package : gnupg

Summary : GnuPG's ElGamal signing keys compromised

More information :
    GnuPG is a complete and free replacement for PGP. Because it does not
    use IDEA or RSA it can be used without any restrictions. GnuPG is in
    compliance with the OpenPGP specification (RFC2440).
    Phong Nguyen identified a severe bug in the way GnuPG creates and uses
    ElGamal keys for signing.  This is a significant security failure
    which can lead to a compromise of almost all ElGamal keys used for
    signing.  Note that this is a real world vulnerability which will
    reveal your private key within a few seconds.

Impact :
    This vulnerability may allow attackers to determine the private key from a signature.

Affected Products :
    - Turbolinux 10 Desktop
    - Turbolinux 8 Server
    - Turbolinux 8 Workstation
    - Turbolinux 7 Server
    - Turbolinux 7 Workstation
    - Turbolinux Server 6.5
    - Turbolinux Server 6.1
    - Turbolinux Workstation 6.0

Solution :
    Please use turbopkg(zabom) tool to apply the update.
---------------------------------------------
# turbopkg
or
   zabom-1.x
# zabom update gnupg
   zabom-2.x
# zabom -u gnupg
---------------------------------------------

<Turbolinux 10 Desktop>

   Source Packages
   Size : MD5

   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/SRPMS/gnupg-1.2.3-2.src.rpm
      3314781 4996b1e2267642d2d69d4f514cf4cad7

   Binary Packages
   Size : MD5

   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/gnupg-1.2.3-2.i586.rpm
      1129596 5fd712d1411be94acc23d49f24048df7

<Turbolinux 8 Server>

   Source Packages
   Size : MD5

   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/SRPMS/gnupg-1.0.7-4.src.rpm
      2409951 59104e12eb97ac80f0a4c9d842dfdc20

   Binary Packages
   Size : MD5

   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/gnupg-1.0.7-4.i586.rpm
       885453 72a565e99ff48f8756144b8966432d8e

<Turbolinux 8 Workstation>

   Source Packages
   Size : MD5

   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/SRPMS/gnupg-1.0.7-4.src.rpm
      2409951 883d8e4123edbdfc87be8cd31e58e22b

   Binary Packages
   Size : MD5

   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/gnupg-1.0.7-4.i586.rpm
       884696 6299e615d670554116f03a57a77534f9

<Turbolinux 7 Server>

   Source Packages
   Size : MD5

   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/SRPMS/gnupg-1.0.7-4.src.rpm
      2409951 174e7eadc938bf7deccb56deba74588d

   Binary Packages
   Size : MD5

   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/gnupg-1.0.7-4.i586.rpm
       863174 eb706737ef71616bbd5e6bc5bc73a8c0

<Turbolinux 7 Workstation>

   Source Packages
   Size : MD5

   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/SRPMS/gnupg-1.0.7-4.src.rpm
      2409951 cde1432e30a483ddffcbde6d61a5d0cf

   Binary Packages
   Size : MD5

   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/gnupg-1.0.7-4.i586.rpm
       862981 82bd0c1c5890c1fea6a7b18fe508320d

<Turbolinux Server 6.5>

   Source Packages
   Size : MD5

   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.5/updates/SRPMS/gnupg-1.0.7-4.src.rpm
      2409951 69e46577d72aed27f3c795647a53bb9b

   Binary Packages
   Size : MD5

   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.5/updates/RPMS/gnupg-1.0.7-4.i386.rpm
      1170666 447865f5363d62abf8e5c6d8570fdb0e

<Turbolinux Server 6.1>

   Source Packages
   Size : MD5

   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.1/ja/updates/SRPMS/gnupg-1.0.7-4.src.rpm
      2409951 2fb777b54219241b3a33c6a819bc9ca7

   Binary Packages
   Size : MD5

   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.1/ja/updates/RPMS/gnupg-1.0.7-4.i386.rpm
      1170653 c893158b981769a827df840decf771f1

<Turbolinux Workstation 6.0>

   Source Packages
   Size : MD5

   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/6.0/ja/updates/SRPMS/gnupg-1.0.7-4.src.rpm
      2409951 62b1e2c02457959368139e9d4ec3275e

   Binary Packages
   Size : MD5

   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/6.0/ja/updates/RPMS/gnupg-1.0.7-4.i386.rpm
      1166583 79095cf116744d1da99fbf2607134bd9

References :

[Announce] GnuPG's ElGamal signing keys compromised
   http://lists.gnupg.org/pipermail/gnupg-announce/2003q4/000276.html

CVE
   [CAN-2003-0971]
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0971

--------------------------------------------------------------------------
Revision History
    17 Dec 2003 Initial release
--------------------------------------------------------------------------

Copyright(C) 2003 Turbolinux, Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/39bhK0LzjOqIJMwRAq7jAJ42yW60xhLP4nUa13DUKBCFBicWZwCcDVtm
rm0ymZIAzns7LNrgDKbPk6Y=
=dIX3
-----END PGP SIGNATURE-----