Debian Bug report logs -
#413922
SECURITY: multiple message problem
Reported by: Jose Carlos Garcia Sogo <jsogo@debian.org>
Date: Wed, 7 Mar 2007 22:36:01 UTC
Severity: grave
Tags: fixed-upstream, patch, security, upstream
Found in version gnupg/1.4.6-1
Fixed in version 1.4.6-2
Done: Andreas Barth <aba@not.so.argh.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, James Troup <james@nocrew.org>
:
Bug#413922
; Package gnupg
.
(full text, mbox, link).
Acknowledgement sent to Jose Carlos Garcia Sogo <jsogo@debian.org>
:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, James Troup <james@nocrew.org>
.
(full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: gnupg
Version: 1.4.6-1
Severity: grave
Tags: security patch
Justification: user security hole
Hi,
There has been an announcement[1] about a possible security hole in
GnupG related to multiple messages, and new releases[2] of both GnuPG
and GpgME. There are a patch available for this problem[3]
[1] http://lists.gnupg.org/pipermail/gnupg-announce/2007q1/000251.html
[2] http://lists.gnupg.org/pipermail/gnupg-devel/2007-March/023686.html
[3] ftp://ftp.gnupg.org/gcrypt/gnupg/patches/gnupg-1.4.6-multiple-message.patch
Thanks
-- System Information:
Debian Release: 4.0
APT prefers unstable
APT policy: (500, 'unstable'), (101, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-1-686
Locale: LANG=es_ES.UTF-8@euro, LC_CTYPE=es_ES.UTF-8@euro (charmap=UTF-8)
Versions of packages gnupg depends on:
ii gpgv 1.4.6-1 GNU privacy guard - signature veri
ii libbz2-1.0 1.0.3-6 high-quality block-sorting file co
ii libc6 2.3.6.ds1-13 GNU C Library: Shared libraries
ii libldap2 2.1.30-13.3 OpenLDAP libraries
ii libreadline5 5.2-2 GNU readline and history libraries
ii libusb-0.1-4 2:0.1.12-6 userspace USB programming library
ii makedev 2.3.1-83 creates device files in /dev
ii zlib1g 1:1.2.3-13 compression library - runtime
gnupg recommends no packages.
-- no debconf information
Tags added: upstream, fixed-upstream
Request was from Filipus Klutiero <cheal@hotpop.com>
to control@bugs.debian.org
.
(full text, mbox, link).
Reply sent to Andreas Barth <aba@not.so.argh.org>
:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Jose Carlos Garcia Sogo <jsogo@debian.org>
:
Bug acknowledged by developer.
(full text, mbox, link).
Message #14 received at 413922-done@bugs.debian.org (full text, mbox, reply):
Version: 1.4.6-2
Hi,
this upload has fixed this issue already.
Cheers,
Andi
Format: 1.7
Date: Wed, 7 Mar 2007 21:47:35 +0000
Source: gnupg
Binary: gnupg-udeb gpgv gnupg gpgv-udeb
Architecture: source i386
Version: 1.4.6-2
Distribution: unstable
Urgency: medium
Maintainer: James Troup <james@nocrew.org>
Changed-By: James Troup <james@nocrew.org>
Description:
gnupg - GNU privacy guard - a free PGP replacement
gnupg-udeb - GNU privacy guard - a free PGP replacement (udeb)
gpgv - GNU privacy guard - signature verification tool
gpgv-udeb - minimal signature verification tool (udeb)
Changes:
gnupg (1.4.6-2) unstable; urgency=medium
.
* 28_multiple_message.dpatch: new patch from upstream to fix problems
handling verification of messages with multiple
components. [CVE-2007-1263]
--
http://home.arcor.de/andreas-barth/
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org
.
(Sun, 24 Jun 2007 21:27:20 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 17:10:58 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.