-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SCO Security Advisory Subject: OpenLinux: Gnupg (gpg) severe bug could compromise almost all ElGamal keys Advisory number: CSSA-2004-009.0 Issue date: 2004 March 02 Cross reference: sr888900 fz528657 erg712525 CAN-2003-0971 ______________________________________________________________________________ 1. Problem Description GnuPG (GPG) 1.0.2, and other versions up to 1.2.3, creates ElGamal sign+encrypt keys using the same key component for encryption as for signing, which allows attackers to determine the private key from a signature. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0971 to this issue. 2. Vulnerable Supported Versions System Package ---------------------------------------------------------------------- OpenLinux 3.1.1 Server prior to gnupg-1.2.2-2.i386.rpm OpenLinux 3.1.1 Workstation prior to gnupg-1.2.2-2.i386.rpm 3. Solution The proper solution is to install the latest packages. Many customers find it easier to use the Caldera System Updater, called cupdate (or kcupdate under the KDE environment), to update these packages rather than downloading and installing them by hand. 4. OpenLinux 3.1.1 Server 4.1 Package Location ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2004-00 9.0/RPMS 4.2 Packages 168ed23b56488785d45e861aaef4b3cc gnupg-1.2.2-2.i386.rpm 4.3 Installation rpm -Fvh gnupg-1.2.2-2.i386.rpm 4.4 Source Package Location ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2004-00 9.0/SRPMS 4.5 Source Packages 1713a8818339c43ecd988be7015ae677 gnupg-1.2.2-2.src.rpm 5. OpenLinux 3.1.1 Workstation 5.1 Package Location ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-200 4-009.0/RPMS 5.2 Packages 90a18da7cdd7247cf601e8bbef66c1e7 gnupg-1.2.2-2.i386.rpm 5.3 Installation rpm -Fvh gnupg-1.2.2-2.i386.rpm 5.4 Source Package Location ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-200 4-009.0/SRPMS 5.5 Source Packages 2fad8d8f3cad20a62fac0e9eb39e283b gnupg-1.2.2-2.src.rpm 6. References Specific references for this advisory: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0971 SCO security resources: http://www.sco.com/support/security/index.html This security fix closes SCO incidents sr888900 fz528657 erg712525. 7. Disclaimer SCO is not responsible for the misuse of any of the information we provide on this website and/or through our security advisories. Our advisories are a service to our customers intended to promote secure installation and use of SCO products. 8. Acknowledgements SCO would like to thank Phong Nguyen ______________________________________________________________________________ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (SCO/UNIX_SVR5) iD8DBQFARUhwbluZssSXDTERAjEkAKDo9I+3dH8mV+mcFxcm+Mf1UN3iNgCbB156 icQE3x3fX7Js8k2osQgRweM= =hl26 -----END PGP SIGNATURE-----