-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0187
                        parcimonie security update
                             12 February 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           parcimonie
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
                   Linux variants
Impact/Access:     Reduced Security -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-1921  

Original Bulletin: 
   http://www.debian.org/security/2014/dsa-2860

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running parcimonie check for an updated version of the software for
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-2860-1                   security@debian.org
http://www.debian.org/security/                      Salvatore Bonaccorso
February 11, 2014                      http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : parcimonie
Vulnerability  : information disclosure
CVE ID         : CVE-2014-1921
Debian Bug     : 738134

Holger Levsen discovered that parcimonie, a privacy-friendly helper to
refresh a GnuPG keyring, is affected by a design problem that undermines
the usefulness of this piece of software in the intended threat model.

When using parcimonie with a large keyring (1000 public keys or more),
it would always sleep exactly ten minutes between two consecutive key
fetches. This can probably be used by an adversary who can watch enough
key fetches to correlate multiple key fetches with each other, which is
what parcimonie aims at protecting against. Smaller keyrings are affected
to a smaller degree. This problem is slightly mitigated when using an
HKP(s) pool as the configured GnuPG keyserver.

For the stable distribution (wheezy), this problem has been fixed in
version 0.7.1-1+deb7u1.

For the unstable distribution (sid), this problem has been fixed in
version 0.8.1-1.

We recommend that you upgrade your parcimonie packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJS+o1qAAoJEAVMuPMTQ89ETXcQAJEdl0FJxcIn9/da5PrFYSav
b4dJ4OfCWWGdhiLh/REuSeDFUvjQJrgWF/2LaEi6Hz22r9W8K3mZc8ZMnJgvcudn
uqS1Z6LUI3Y4xwfh+mdpG5FbdXX4xxzB5EJ1I7+4hXo2YiqtUNAbsZJqzh5gkF2/
cd+RMoOHG7yGMx9jmc3c766hN8c9+wK2Nad2Y7WyRC6l4AWSg5pqWfjMcYh0GXc9
ANQPzS3b+ajJd2RNtTNM05rShq0ic1BJ4RZJjfWthzCWj/3tkYjiLxPrUpuUYqa9
5n6Xq8Jt+EWhCv7P7R0R+VVhX11Ywt5JyjJwTbF6DWrjqwLIc+4jHb3Ww44FZMgK
+ODCq6zU3PsIC/HCqfk6YhCa/2MeO++mtCYBVdu6Px2IE5cFe8/ubH2j2rxusyX7
m0ZWopXvLIJgXzTyDwH5M1c0N2wUkLlhywi33z8ySk0yqZnM0rtiAIvGsBsBkoNx
DjOJfRSJAmmIGf+7iP+QcsK/ULgt8rvNR2s2OZOmvRoe+Qsp56wYpazDYkSize1f
a/PNMA5i9tEWXAm2dL/j/Lg8hL+txxPnluYAyzm2galn/hne/oUlivOW9T/RP4e8
8QOoTyurEukp1/z1SHRMj0bkG2W1ICOnoij8J4NPzdtJ+trMj1ZlMZAbT53X3HEO
iqolODfCHkE/z33xBdeX
=aX8i
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
=lyfT
-----END PGP SIGNATURE-----