COMMAND
GnuPG
SYSTEMS AFFECTED
GnuPG
PROBLEM
When importing keys from public key servers, GnuPG will import
private keys (also known as secret keys) in addition to public
keys. If this happens, the user's web of trust becomes
corrupted. Additionally, when GnuPG is used to check a detached
signature and the data file being checked contains clearsigned
data, it does not warn the user if the detached signature is
incorrect.
Florian Weimer discovered that gpg would import secret keys from
key servers.
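One way to check a key block fetched from a key server for secret-key material before importing it, as an added example that is not part of the original advisory and is not GnuPG's own code. It assumes binary (de-armored) OpenPGP data and the packet tag numbers from RFC 4880; the function names and sample bytes are constructed for illustration.

```python
# Added example (not GnuPG code); packet tag numbers are from RFC 4880.
SECRET_TAGS = {5: "Secret-Key", 7: "Secret-Subkey"}

def packet_tags(data: bytes) -> list[int]:
    """Return the tag of every packet in binary (de-armored) OpenPGP data."""
    tags, i = [], 0
    try:
        while i < len(data):
            hdr = data[i]; i += 1
            if not hdr & 0x80:
                raise ValueError(f"offset {i - 1}: not a packet header")
            if hdr & 0x40:                      # new-format header
                tag = hdr & 0x3F
                while True:
                    o = data[i]; i += 1
                    if o < 192:                 # one-octet length
                        n, last = o, True
                    elif o < 224:               # two-octet length
                        n, last = ((o - 192) << 8) + data[i] + 192, True
                        i += 1
                    elif o == 255:              # five-octet length
                        n, last = int.from_bytes(data[i:i + 4], "big"), True
                        i += 4
                    else:                       # partial body chunk
                        n, last = 1 << (o & 0x1F), False
                    i += n                      # skip the body bytes
                    if last:
                        break
            else:                               # old-format header
                tag = (hdr >> 2) & 0x0F
                ltype = hdr & 0x03
                if ltype == 3:                  # indeterminate: runs to end
                    i = len(data)
                else:
                    n = 1 << ltype              # 1, 2 or 4 length octets
                    i += n + int.from_bytes(data[i:i + n], "big")
            tags.append(tag)
    except IndexError:
        raise ValueError("truncated packet header") from None
    if i > len(data):
        raise ValueError("truncated packet body")
    return tags

def secret_packets(data: bytes) -> list[str]:
    """Names of secret-key packets found; empty means no secret material."""
    return [SECRET_TAGS[t] for t in packet_tags(data) if t in SECRET_TAGS]

SAMPLE_PUBLIC = bytes([0x99, 0, 3, 4, 0, 0, 0xB4, 5]) + b"alice"  # constructed
SAMPLE_SECRET = bytes([0x95, 0, 2, 4, 0, 0xC7, 1, 4])             # constructed
```

A non-empty result from `secret_packets` on data received from a key server is a reason to refuse the import.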
SOLUTION
For RedHat:
ftp://updates.redhat.com//6.2/SRPMS/gnupg-1.0.4-8.6.x.src.rpm
ftp://updates.redhat.com//6.2/alpha/gnupg-1.0.4-8.6.x.alpha.rpm
ftp://updates.redhat.com//6.2/i386/gnupg-1.0.4-8.6.x.i386.rpm
ftp://updates.redhat.com//6.2/sparc/gnupg-1.0.4-8.6.x.sparc.rpm
ftp://updates.redhat.com//7.0/SRPMS/gnupg-1.0.4-8.6.x.src.rpm
ftp://updates.redhat.com//7.0/SRPMS/gnupg-1.0.4-9.src.rpm
ftp://updates.redhat.com//7.0/alpha/gnupg-1.0.4-9.alpha.rpm
ftp://updates.redhat.com//7.0/i386/gnupg-1.0.4-9.i386.rpm
For Trustix:
For version 1.2:
RPMS/gnupg-1.0.4-4tr.i586.rpm
SRPMS/gnupg-1.0.4-4tr.src.rpm
For version 1.1 and 1.0x:
RPMS/gnupg-1.0.4-4tr.i586.rpm
SRPMS/gnupg-1.0.4-4tr.src.rpm
Get the updates here:
http://www.trustix.net/pub/Trustix/updates/
ftp://ftp.trustix.net/pub/Trustix/updates/
Users of 1.0x should as always use the update for 1.1.
For Linux-Mandrake:
Linux-Mandrake 7.0:
7.0/RPMS/gnupg-1.0.4-3.2mdk.i586.rpm
7.0/SRPMS/gnupg-1.0.4-3.2mdk.src.rpm
Linux-Mandrake 7.1:
7.1/RPMS/gnupg-1.0.4-3.2mdk.i586.rpm
7.1/SRPMS/gnupg-1.0.4-3.2mdk.src.rpm
Linux-Mandrake 7.2:
7.2/RPMS/gnupg-1.0.4-3.1mdk.i586.rpm
7.2/SRPMS/gnupg-1.0.4-3.1mdk.src.rpm
For Debian:
http://security.debian.org/dists/stable/updates/main/source/gnupg_1.0.4-1.1.diff.gz
http://security.debian.org/dists/stable/updates/main/source/gnupg_1.0.4-1.1.dsc
http://security.debian.org/dists/stable/updates/main/source/gnupg_1.0.4.orig.tar.gz
http://security.debian.org/dists/stable/updates/main/binary-alpha/gnupg_1.0.4-1.1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/gnupg_1.0.4-1.1_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/gnupg_1.0.4-1.1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/gnupg_1.0.4-1.1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/gnupg_1.0.4-1.1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/gnupg_1.0.4-1.1_sparc.deb
For Conectiva Linux:
ftp://atualizacoes.conectiva.com.br/4.0/SRPMS/gnupg-1.0.4-5cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.0/i386/gnupg-1.0.4-5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/SRPMS/gnupg-1.0.4-5cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/gnupg-1.0.4-5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/gnupg-1.0.4-5cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/gnupg-1.0.4-5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/gnupg-1.0.4-5cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/gnupg-1.0.4-5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/gnupg-1.0.4-5cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/gnupg-1.0.4-5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/gnupg-1.0.4-5cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/gnupg-1.0.4-5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/gnupg-1.0.4-5cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/gnupg-1.0.4-5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/gnupg-1.0.4-5cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/gnupg-1.0.4-5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/gnupg-1.0.4-5cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/gnupg-1.0.4-5cl.i386.rpm