-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2006-0014

Package names:	   gnupg 
Summary:           Multiple vulnerabilities
Date:              2006-03-20
Affected versions: Trustix Secure Linux 2.2
                   Trustix Secure Linux 3.0
                   Trustix Operating System - Enterprise Server 2

- --------------------------------------------------------------------------
Package description:
  gnupg
  GnuPG is a complete and free replacement for PGP. Because it does not
  use IDEA it can be used without any restrictions. GnuPG is in compliance
  with the OpenPGP specification (RFC2440).
  
Problem description:
  gnupg < TSL 3.0 > < TSL 2.2 > < TSEL 2 >
  - New Upstream.
  - SECURITY Fix: Tavis Ormandy has reported a vulnerability in GnuPG,
    which can be exploited by malicious people to bypass certain security
    restrictions. The vulnerability is caused due to an error in the
    detection of unsigned data which makes it possible to inject arbitrary
    data into a signed message and affects the verification of non-detached
    signatures and signatures embedded in encrypted messages.

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the name CVE-2006-0049 to this issue.

Action:
  We recommend that all systems with this package installed be upgraded.
  Please note that if you do not need the functionality provided by this
  package, you may want to remove it from your system.


Location:
  All Trustix Secure Linux updates are available from
  <URI:http://http.trustix.org/pub/trustix/updates/>
  <URI:ftp://ftp.trustix.org/pub/trustix/updates/>


About Trustix Secure Linux:
  Trustix Secure Linux is a small Linux distribution for servers. With focus
  on security and stability, the system is painlessly kept safe and up to
  date from day one using swup, the automated software updater.


Automatic updates:
  Users of the SWUP tool can enjoy having updates automatically
  installed using 'swup --upgrade'.


Questions?
  Check out our mailing lists:
  <URI:http://www.trustix.org/support/>


Verification:
  This advisory along with all Trustix packages are signed with the
  TSL sign key.
  This key is available from:
  <URI:http://www.trustix.org/TSL-SIGN-KEY>

  The advisory itself is available from the errata pages at
  <URI:http://www.trustix.org/errata/trustix-2.2/> and
  <URI:http://www.trustix.org/errata/trustix-3.0/>
  or directly at
  <URI:http://www.trustix.org/errata/2006/0014/>


MD5sums of the packages:
- --------------------------------------------------------------------------
bd1374efe2f4a5244ebb61c76976eea6  3.0/rpms/gnupg-1.4.2.2-1tr.i586.rpm
40a6e54f3e22a61d76f53ffc2beb5328  3.0/rpms/gnupg-utils-1.4.2.2-1tr.i586.rpm

ad1f96671a07bee2ce265154e91d82f8  2.2/rpms/gnupg-1.2.6-2tr.i586.rpm
01bab9eaaa2beb8430c87b0a6e1f06b8  2.2/rpms/gnupg-utils-1.2.6-2tr.i586.rpm
- --------------------------------------------------------------------------


Trustix Security Team


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEHlrri8CEzsK9IksRAoUJAKCel97krvGk2mG7SE81ZQvPqWfI3QCePjo0
WSrpu0pBoLuZyE/ylfFfMBY=
=yp0J
-----END PGP SIGNATURE-----