Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2006.0450 -- [Debian] New GnuPG packages fix denial of service 11 July 2006 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: gnupg Publisher: Debian Operating System: Debian GNU/Linux 3.1 Debian GNU/Linux 3.0 Impact: Execute Arbitrary Code/Commands Denial of Service Access: Remote/Unauthenticated CVE Names: CVE-2006-3082 Ref: ESB-2006.0431 Original Bulletin: http://www.debian.org/security/2006/dsa-1107 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - -------------------------------------------------------------------------- Debian Security Advisory DSA 1107-1 security@debian.org http://www.debian.org/security/ Martin Schulze July 10th, 2006 http://www.debian.org/security/faq - - -------------------------------------------------------------------------- Package : gnupg Vulnerability : integer overflow Problem type : local (remote) Debian-specific: no CVE ID : CVE-2006-3082 Evgeny Legerov discovered that gnupg, the GNU privacy guard, a free PGP replacement contains an integer overflow that can cause a segmentation fault and possibly overwrite memory via a large user ID strings. For the old stable distribution (woody) this problem has been fixed in version 1.0.6-4woody6. For the stable distribution (sarge) this problem has been fixed in version 1.4.1-1.sarge4. For the unstable distribution (sid) this problem has been fixed in version 1.4.3-2. We recommend that you upgrade your gnupg package. Upgrade Instructions - - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 3.0 alias woody - - -------------------------------- Source archives: http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6-4woody6.dsc Size/MD5 checksum: 577 40a60f7ff8a7c36e4ffb308caa350e70 http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6-4woody6.diff.gz Size/MD5 checksum: 8597 add04b0a8c391de7134cca7c943d15d9 http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6.orig.tar.gz Size/MD5 checksum: 1941676 7c319a9e5e70ad9bc3bf0d7b5008a508 Alpha architecture: http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6-4woody6_alpha.deb Size/MD5 checksum: 1151184 3c46ca0e7a42f819619ba2a021a38eb9 ARM architecture: http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6-4woody6_arm.deb Size/MD5 checksum: 987554 843109424859d6a1006898419d6d642e Intel IA-32 architecture: http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6-4woody6_i386.deb Size/MD5 checksum: 966904 8ffd681040a2d466389f058e25ae29ae Intel IA-64 architecture: http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6-4woody6_ia64.deb Size/MD5 checksum: 1272488 5dcf85dd73bd2015438fd995a16762e5 HP Precision architecture: http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6-4woody6_hppa.deb Size/MD5 checksum: 1060316 22496f4150fd2334f7504deff0c474a1 Motorola 680x0 architecture: http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6-4woody6_m68k.deb Size/MD5 checksum: 942994 bc7eede5abdcbe721ff81a5e242ebfb6 Big endian MIPS architecture: http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6-4woody6_mips.deb Size/MD5 checksum: 1036510 5e5824568a6a4b50851513c27db5a139 Little endian MIPS architecture: http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6-4woody6_mipsel.deb Size/MD5 checksum: 1036966 792c1f9b0f61349001a789b08bf862d8 PowerPC architecture: http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6-4woody6_powerpc.deb Size/MD5 checksum: 1010208 6f1b3a058b7afab16a35ccba4d6b107e IBM S/390 architecture: http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6-4woody6_s390.deb Size/MD5 checksum: 1002808 80b5ca38f239a23c8e2119b39966279b Sun Sparc architecture: http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6-4woody6_sparc.deb Size/MD5 checksum: 1003856 aa89804a111cdbede9845a8eb179f9d2 Debian GNU/Linux 3.1 alias sarge - - -------------------------------- Source archives: http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.4.1-1.sarge4.dsc Size/MD5 checksum: 680 006a79b9793ba193aa227850c11984dd http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.4.1-1.sarge4.diff.gz Size/MD5 checksum: 20197 488b0289778532beb0608b8dca7982a7 http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.4.1.orig.tar.gz Size/MD5 checksum: 4059170 1cc77c6943baaa711222e954bbd785e5 Alpha architecture: http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.4.1-1.sarge4_alpha.deb Size/MD5 checksum: 2155794 cb1d024d2cae8c132bafe3422a2d1b3e AMD64 architecture: http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.4.1-1.sarge4_amd64.deb Size/MD5 checksum: 1963478 d0d3432b4b5968d2f837414b4202afe9 ARM architecture: http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.4.1-1.sarge4_arm.deb Size/MD5 checksum: 1899338 b670611700f39489ea99517eb50678a9 Intel IA-32 architecture: http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.4.1-1.sarge4_i386.deb Size/MD5 checksum: 1908580 0f8623e8b3a59e9c8101fa2f7c23f576 Intel IA-64 architecture: http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.4.1-1.sarge4_ia64.deb Size/MD5 checksum: 2325178 fb8ba4735f0769f7c21e974321bd7c89 HP Precision architecture: http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.4.1-1.sarge4_hppa.deb Size/MD5 checksum: 2003982 14149a1cee79407a1f99e5ae340dd501 Motorola 680x0 architecture: http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.4.1-1.sarge4_m68k.deb Size/MD5 checksum: 1811020 dc751374cc6f994782e7de9ed5fd77ea Big endian MIPS architecture: http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.4.1-1.sarge4_mips.deb Size/MD5 checksum: 2000688 0d44abe0cc416c06d63699a6c77b232d Little endian MIPS architecture: http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.4.1-1.sarge4_mipsel.deb Size/MD5 checksum: 2007524 e59ad95cf552d2a4cb31a11b4db50147 PowerPC architecture: http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.4.1-1.sarge4_powerpc.deb Size/MD5 checksum: 1957934 62443926a7a4fe049e62a8515a0ecb27 IBM S/390 architecture: http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.4.1-1.sarge4_s390.deb Size/MD5 checksum: 1967012 a6b8d7173799fc57e46456a305f97d78 Sun Sparc architecture: http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.4.1-1.sarge4_sparc.deb Size/MD5 checksum: 1897410 6f793e910bb6a793c96c875059626914 These files will probably be moved into the stable distribution on its next update. - - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (GNU/Linux) iD8DBQFEsk6lW5ql+IAeqTIRAtZ/AKCDGDZiFFPEC9Ur6q1Scb/NBXS6SACgj+Qb 2u+tl5LGg3pSDwiDgpZ/QpI= =OGgG - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBRLL9Rih9+71yA2DNAQJbaQP/e1xkDLy8XCjXCiQh1qIJgG43+L5zNilO jAw4iJEOMaJd8xH1k5fR/zHwMP5tMJE+9R4ZbhkNUyZ8YXFHNwRCtbdgxHvUH8w2 gAWX9u4DPzSHV50XuOIhMANQONa8XrFP+fQtfPEG3sG4lJ9eSJ/gSSLhMCqxVLud 7vu9r345cTE= =cBvT -----END PGP SIGNATURE-----