[16409] in bugtraq
PGP issue update
daemon@ATHENA.MIT.EDU (deepquest@NETSCAPE.NET)
Sat Aug 26 16:29:26 2000
Message-Id: <20000826121158.13915.qmail@securityfocus.com>
Date: Sat, 26 Aug 2000 12:11:58 -0000
Reply-To: deepquest@NETSCAPE.NET
From: deepquest@NETSCAPE.NET
To: BUGTRAQ@SECURITYFOCUS.COM
from http://www.pgp.com/other/advisories/adk.asp
"On the morning of Thursday, August 24 researchers in Germany
discovered a bug in PGP versions 5.5 through 6.5.3 regarding
how those versions handle unauthorized Additional Decryption
Key additions to the unhashed/unsigned areas of PGP keys. We
are currently working on this issue and consider it our top
priority. A formal advisory from PGP Security and hotfixes
for this issue will be made available as soon as possible.
Additional information about this issue is available from
CERT.
Below is a message from Phil
Zimmermann regarding this issue (a PGP signed version is
available here). Please refer back to this page in the future
for the latest information regarding this issue.
We at NAI/PGP Security regret this important bug in the ADK
feature that has been described on various Internet postings
today (Thursday 24 Aug). We were made aware of this bug in
PGP early this morning. We are responding as fast as we can,
and expect to have new 6.5.x releases out to fix this bug
late Thursday evening. The MIT web site should have a new
PGP 6.5.x freeware release early Friday, and the NAI/PGP web
site should have patches out for the commercial releases at
about the same time. As of this afternoon (Thursday), the PGP
key server at PGP already filters out keys with the bogus ADK
packets. We expect to have fixes available for the other key
servers that run our software by tomorrow. We have also
alerted the other vendors that make PGP key server software
to the problem, and expect Highware/Veridis in Belgium to
have their key servers filtering keys the same way by Friday.
The fixes that we are releasing for the PGP client software
filter out the offending ADK packets. We already warn the
users whenever they are about to use an ADK, even in the
normal case.
We will have new information as soon as it becomes available
at http://www.pgp.com.
Philip Zimmermann
prz@pgp.com
19:00 PDT Thursday 24 Aug
2000"
PGP updated software (http://web.mit.edu/network/pgp.html):
---------------------
PGP Freeware v6.5.8 is now available for Windows 95/98/NT/2000
and the Macintosh (MacOS 7.6.1+)!
PGP Command Line Freeware v6.5.2 is now available for
AIX/HP-UX/Linux/Solaris!
PGP Certificate Server Freeware v2.5.1 is now available for
Windows NT/2000 and Solaris!
Deepquest
"Ubi solitudinem faciunt, pacem appellant"
www.deepquest.pf
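The advisory above turns on one detail: an ADK subpacket placed in the unhashed (unsigned) area of a key's self-signature is not covered by the signature, so anyone can append one, yet PGP 5.5 through 6.5.3 honoured it. The following is an added example, not code from this post, from NAI/PGP or from the MIT distribution; it shows the filtering step the advisory describes (key servers and fixed clients dropping the offending packets) on a constructed v4 signature packet. It assumes the RFC 4880 v4 signature layout and takes the ADK subpacket type number (10) and its body layout (class octet, algorithm octet, fingerprint) from GnuPG's handling of PGP's "additional recipient request" subpacket; both should be checked against the implementation you are inspecting.

```python
"""Locate and strip PGP ADK subpackets in an OpenPGP v4 signature packet body.

Assumptions (not from the original post):
  * v4 signature packet layout as in RFC 4880 section 5.2.3
  * ADK subpacket type 10 (GnuPG's SIGSUBPKT_ARR; RFC 4880 lists it as a
    "placeholder for backward compatibility")
"""
import struct

SUBPKT_CREATION_TIME = 2   # signature creation time, belongs in the hashed area
SUBPKT_ADK = 10            # assumed: PGP "Additional Recipient Request" / ADK


def _read_subpacket_len(buf, pos):
    """Decode the one-, two- or five-octet subpacket length at buf[pos]."""
    first = buf[pos]
    if first < 192:
        return first, pos + 1
    if first < 255:
        return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2
    return struct.unpack(">I", buf[pos + 1:pos + 5])[0], pos + 5


def parse_subpackets(area):
    """Return [(type, body)] for a hashed or unhashed subpacket area."""
    out, pos = [], 0
    while pos < len(area):
        length, pos = _read_subpacket_len(area, pos)   # length covers type octet + body
        if length == 0 or pos + length > len(area):
            raise ValueError("malformed subpacket length")
        sub_type = area[pos] & 0x7F                    # high bit is the 'critical' flag
        out.append((sub_type, area[pos + 1:pos + length]))
        pos += length
    return out


def encode_subpacket(sub_type, body):
    """Encode one subpacket; the one-octet length form suffices for short bodies."""
    length = len(body) + 1
    if length >= 192:
        raise ValueError("long subpackets not needed for this example")
    return bytes([length, sub_type]) + body


def split_v4_signature(body):
    """Split a v4 signature packet body into (header, hashed, unhashed, trailer)."""
    if body[0] != 4:
        raise ValueError("only v4 signatures handled")
    hashed_len = struct.unpack(">H", body[4:6])[0]
    hashed = body[6:6 + hashed_len]
    p = 6 + hashed_len
    unhashed_len = struct.unpack(">H", body[p:p + 2])[0]
    unhashed = body[p + 2:p + 2 + unhashed_len]
    return body[:4], hashed, unhashed, body[p + 2 + unhashed_len:]


def find_adk(body):
    """Report ADK subpackets by area; only the hashed area is protected by the signature."""
    _, hashed, unhashed, _ = split_v4_signature(body)
    return {
        "signed_adk": [b for t, b in parse_subpackets(hashed) if t == SUBPKT_ADK],
        "unsigned_adk": [b for t, b in parse_subpackets(unhashed) if t == SUBPKT_ADK],
    }


def strip_unhashed_adk(body):
    """Rebuild the packet with ADK subpackets removed from the unhashed area.

    This is the filtering step the advisory attributes to the key servers and
    the fixed clients; the hashed area and the signature trailer are left intact.
    """
    header, hashed, unhashed, trailer = split_v4_signature(body)
    kept = b"".join(encode_subpacket(t, b)
                    for t, b in parse_subpackets(unhashed) if t != SUBPKT_ADK)
    return (header + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(kept)) + kept + trailer)


# Constructed sample, not a real key: a creation-time subpacket in the hashed
# area and an ADK subpacket (class, algorithm, 20-octet fingerprint; assumed
# layout) appended to the unhashed area, as the bogus keys had.
FAKE_ADK_BODY = b"\x80\x01" + bytes(range(20))
_hashed = encode_subpacket(SUBPKT_CREATION_TIME, struct.pack(">I", 0x39A5A000))
_unhashed = encode_subpacket(SUBPKT_ADK, FAKE_ADK_BODY)
SAMPLE_SIG = (bytes([4, 0x13, 17, 2])                      # v4, positive cert, DSA, SHA-1
              + struct.pack(">H", len(_hashed)) + _hashed
              + struct.pack(">H", len(_unhashed)) + _unhashed
              + b"\xab\xcd\x00\x08\x80")                   # hash prefix + dummy MPI

if __name__ == "__main__":
    print("before:", find_adk(SAMPLE_SIG))
    print("after: ", find_adk(strip_unhashed_adk(SAMPLE_SIG)))
```

A key-server or client check built on this would reject, rather than silently honour, any ADK that appears only in `unsigned_adk`; an ADK the key owner actually chose lives in the hashed area and survives the strip unchanged.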