[16404] in bugtraq

Re: SERIOUS PGP BUG!

daemon@ATHENA.MIT.EDU (Howard Lowndes)
Sat Aug 26 02:22:08 2000

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.LNX.4.21.0008260958320.983-100000@hero.lannet.com.au>
Date:         Sat, 26 Aug 2000 09:59:20 +1000
Reply-To: Howard Lowndes <lannet@LANNET.COM.AU>
From: Howard Lowndes <lannet@LANNET.COM.AU>
X-To:         Phosgene <phosgene@SETEC.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.NEB.4.10.10008241020110.29902-100000@setec.org>

Just to add to this:

PGP-6.5.1i for UNIX is vulnerable

--
Howard.
______________________________________________________
LANNet Computing Associates <http://www.lannet.com.au>

On Thu, 24 Aug 2000, Phosgene wrote:

> In case you have not heard there is a serious bug in some versions of PGP
> related to additional decryption keys (ADK).
> For more information look at John Young's site which details some of this:
> http://cryptome.org/pgp-badbug.htm
>
> Quoting from an email on the site:
>
> "Tested versions of PGP:
> PGP-2.6.3ia UNIX   (not vulnerable - doesn't support V4 signatures)
> PGP-5.0i UNIX      (not vulnerable)
> PGP-5.5.3i WINDOWS (VULNERABLE)
> PGP-6.5.1i WINDOWS (VULNERABLE)
> GnuPG-1.0.1 UNIX   (not vulnerable)"
>
> A paper detailing an aspect of the vulnerability is written by Ralf
> Senderek: http://senderek.de/security/key-experiments.html and his student
> Stephen Early <Stephen.Early@cl.cam.ac.uk> seems to have worked on
> detailing this vulnerability as well on the ukcrypto mailing list.
>
> Phosgene
>
