by hristo (28-12-2000)

---------------------------------------------------------------
Debian Security Advisory DSA-010-1                   security@debian.org
http://www.debian.org/security/              Wichert Akkerman
25 December 2000
---------------------------------------------------------------

Package             : gnupg
Problem type        : spoofing with detached signatures,
                      subversion of the trust system
Debian-specific     : no

Two bugs were recently found in GnuPG:

1. False positives when verifying detached signatures
-- ---------------------------------------------------

There is a problem in the way gpg verifies detached signatures which can lead to
false positive results. Detached signatures can be verified with a command similar
to the following:

       gpg --verify detached.sig < mydata


If someone replaces detached.sig with signed text (i.e. not a detached signature) and
then modifies mydata, gpg will still report that the signature verified successfully.

To fix this, the way the --verify option works has been changed: it now requires two
arguments when verifying detached signatures: the file containing the detached
signature and the file containing the data to be authenticated. Note that this makes
gpg incompatible with older versions!
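The substitution described above works because a signed or clearsigned message carries its own data, so gpg never needs to read stdin. The following added example (not from the advisory or from GnuPG) shows a defensive pre-check a script can run before calling the fixed two-argument form: it walks the OpenPGP packet framing (RFC 2440 old and new headers) and accepts the signature file only if it contains nothing but signature packets; the sample byte strings at the bottom are constructed, zero-filled packets, not real signatures, and `verify_argv` is a hypothetical helper name.

```python
# Pre-check for gpg --verify: reject a "detached signature" that is really a signed or clearsigned
# message, the substitution this advisory describes. Added example, not GnuPG code (RFC 2440 framing).
TAG_SIGNATURE = 2  # the only packet type a detached signature may contain

def packet_tags(data: bytes):
    """Yield the tag of each packet in a binary OpenPGP stream (old and new header formats)."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet stream")
        if ctb & 0x40:  # new-format header: tag in the low 6 bits
            tag = ctb & 0x3F
            first = data[pos + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[pos + 2] + 192, 3
            elif first == 255:
                length, hdr = int.from_bytes(data[pos + 2:pos + 6], "big"), 6
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old-format header: tag in bits 2-5, length type in bits 0-1
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate packet length not supported")
            nbytes = 1 << ltype  # 1, 2 or 4 length octets
            length = int.from_bytes(data[pos + 1:pos + 1 + nbytes], "big")
            hdr = 1 + nbytes
        yield tag
        pos += hdr + length

def is_detached_signature(data: bytes) -> bool:
    """True only if the file holds nothing but signature packets (or an armored SIGNATURE block)."""
    if data.startswith(b"-----BEGIN PGP "):
        return data.split(b"\n", 1)[0].strip() == b"-----BEGIN PGP SIGNATURE-----"
    try:
        tags = list(packet_tags(data))
    except (ValueError, IndexError):
        return False
    return bool(tags) and all(t == TAG_SIGNATURE for t in tags)

def verify_argv(sig_path: str, data_path: str, sig_bytes: bytes):
    """Two-argument form the fixed gpg requires, or None when sig_bytes is not a detached signature."""
    return ["gpg", "--verify", sig_path, data_path] if is_detached_signature(sig_bytes) else None

# Constructed samples: only the packet framing matters, bodies are filler, not real signatures.
DETACHED = b"\x88\x05" + b"\x00" * 5                          # one old-format signature packet (tag 2)
SIGNED_MSG = b"\x90\x02\x00\x00" + b"\xac\x03abc" + DETACHED  # one-pass sig (4), literal data (11), sig
CLEARSIGNED = b"-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\nhello\n"
```

A signed message that was swapped in for detached.sig fails the check because its one-pass signature and literal data packets are not signature packets.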


2. Secret keys are imported silently
-- ---------------------------------

Florian Weimer discovered that gpg imports secret keys from key servers. Since gpg
unconditionally trusts public keys that correspond to known secret keys, a malicious
party could subvert the trust system.

To fix this, a new option has been added which must be given to allow gpg to import
secret keys: --allow-key-import.



Both fixes are in version 1.0.4-1.1, and we recommend that you replace your gnupg
package with the new version immediately.

wget url
       will fetch the file for you
dpkg -i file.deb
       will install the package contained in the file


Debian GNU/Linux 2.2 alias potato
---------------------------------

Potato was released for alpha, arm, i386, m68k, powerpc and sparc.


 Source archives:
   http://security.debian.org/dists/stable/updates/main/source/gnupg_1.0.4-1.1.diff.gz
     MD5 checksum: 3e6a792f3bbb566650ea37a286feedf4
   http://security.debian.org/dists/stable/updates/main/source/gnupg_1.0.4-1.1.dsc
     MD5 checksum: 866059ad036f47c59bad9e5c3a0f0749
   http://security.debian.org/dists/stable/updates/main/source/gnupg_1.0.4.orig.tar.gz
     MD5 checksum: bef2267bfe9b74a00906a78db34437f9

 Alpha architecture:
   http://security.debian.org/dists/stable/updates/main/binary-alpha/gnupg_1.0.4-1.1_alpha.deb
     MD5 checksum: 616e391a4eb5561bf32714e40bed38c5

 ARM architecture:
   http://security.debian.org/dists/stable/updates/main/binary-arm/gnupg_1.0.4-1.1_arm.deb
     MD5 checksum: e496f7aed98098feef2869be81b774b7

 Intel ia32 architecture:
   http://security.debian.org/dists/stable/updates/main/binary-i386/gnupg_1.0.4-1.1_i386.deb
     MD5 checksum: a6c0494c737250b0ccc7dc33056d8e7c

 Motorola 680x0 architecture:
   http://security.debian.org/dists/stable/updates/main/binary-m68k/gnupg_1.0.4-1.1_m68k.deb
     MD5 checksum: a07cbf5bce2890fe85cfae4d796c5b0d

 PowerPC architecture:
   http://security.debian.org/dists/stable/updates/main/binary-powerpc/gnupg_1.0.4-1.1_powerpc.deb
     MD5 checksum: e251364c24066cc88a3de11b4ba23275

 Sun Sparc architecture:
   http://security.debian.org/dists/stable/updates/main/binary-sparc/gnupg_1.0.4-1.1_sparc.deb
     MD5 checksum: b15f4ad07949fb0fa24a221b656691ae

 These files will soon be moved to
 ftp://ftp.debian.org/debian/dists/stable/*/binary-$arch/.

For other architectures, please refer to the appropriate directory at
ftp://ftp.debian.org/debian/dists/sid/binary-$arch/ .

---------------------------------------------------------------
apt-get: deb http://security.debian.org/ stable/updates main
dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org

