Hi,
I have recently released a new version of GnuPG which fixes an
exploit found by fish stiqz as well has some other bugs:
* Security fix for a format string bug in the tty code.
* Fixed format string bugs in all PO files.
* Removed Russian translation due to too many bugs. The FTP
server has an unofficial but better translation in the contrib
directory.
* Fixed expire time calculation and keyserver access.
* The usual set of minor bug fixes and enhancements.
Although that the posted exploit code can only be used with a special
knowledge of the target machine, I STRONGLY ADVISE TO UPDATE GnuPG to
this new version.
This new release should be avalable at all mirror sites (see
http://www.gnupg.org/mirrors.html and below) and at the primary location:
ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.0.6.tar.gz (1896k)
ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.0.6.tar.gz.sig
or as a patch file:
ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.0.5-1.0.6.diff.gz (217k)
MD5 checksums are:
7c319a9e5e70ad9bc3bf0d7b5008a508 gnupg-1.0.6.tar.gz
71ae7d725776688c2e095d9672f38e61 gnupg-1.0.5-1.0.6.diff.gz
A binary distribution for MS Windows systems is available at:
ftp://ftp.gnupg.org/gcrypt/binaty/gnupg-w32-1.0.6.zip
ftp://ftp.gnupg.org/gcrypt/binaty/gnupg-w32-1.0.6.zip
After releasing this version it turned out that there is a small
glitch in the source when a compiler other than GCC is used. If you
encounter a compile problem, you should fix it in include/ttyio.c
like this:
diff -r1.7.2.3 ttyio.h
27c27
< void tty_printf const char *fmt, ... );
---> void tty_printf (const char *fmt, ... );
Due to the switch to a new gettext version, some systems may have
problems with there own gettext version. Using
./configure --with-included-gettext
should fix this (this is also mentioned in the INSTALL file)
Have fun
Werner
Here is a list of sites mirroring ftp://ftp.gnupg.org/gcrypt/
Please use them if you can; new releases should show up on these
servers within a day. This mirror list is also available at
http://www.gnupg.org/mirrors.html
Australia
ftp://ftp.planetmirror.com/pub/gnupg/
http://ftp.planetmirror.com/pub/gnupg/
ftp://mirror.aarnet.edu.au/pub/gnupg/
Austria
ftp://gd.tuwien.ac.at/privacy/gnupg/
http://gd.tuwien.ac.at/privacy/gnupg/
Belgium
ftp://openbsd.rug.ac.be/pub/gcrypt/
ftp://gnupg.x-zone.org/pub/gnupg
Czechia
ftp://ftp.gnupg.cz/pub/gcrypt
Denmark
ftp://sunsite.dk/pub/security/gcrypt/
Finland
ftp://ftp.jyu.fi/pub/crypt/gcrypt/
France
ftp://ftp.strasbourg.linuxfr.org/pub/gnupg/
Germany
ftp://ftp.franken.de/pub/crypt/mirror/ftp.guug.de/gcrypt/
ftp://ftp.freenet.de/pub/ftp.gnupg.org/pub/gcrypt/
Greece
ftp://ftp.linux.gr/pub/crypto/gnupg/
ftp://hal.csd.auth.gr/mirrors/gnupg/
Hungary
ftp://ftp.kfki.hu/pub/packages/security/gnupg/
Iceland
ftp://ftp.hi.is/pub/mirrors/gnupg/
Ireland
ftp://ftp.compsoc.com/pub/gnupg/
Italy
ftp://ftp.linux.it/pub/mirrors/gnupg/
ftp://ftp3.linux.it/pub/mirrors/gnupg/
Japan
ftp://pgp.iijlab.net/pub/gnupg/
ftp://ftp.ring.gr.jp/pub/net/gnupg/
http://www.ring.gr.jp/pub/net/gnupg/
Korea
ftp://ftp.snu.ac.kr/pub/security/gnupg/
Poland
ftp://sunsite.icm.edu.pl/pub/security/gnupg/
Spain
ftp://dimonieta.udg.es/mirror/gnupg
Sweden
ftp://ftp.stacken.kth.se/pub/crypto/gnupg/
ftp://ftp.sunet.se:/pub/security/gnupg/
Switzerland
ftp://sunsite.cnlab-switch.ch/mirror/gcrypt/
Taiwan
ftp://coda.nctu.edu.tw/Security/gcrypt
United Kingdom
ftp://ftp.net.lut.ac.uk/gcrypt/
ftp://ftp.mirror.ac.uk/sites/ftp.gnupg.org/pub/gcrypt/
http://www.mirror.ac.uk/sites/ftp.gnupg.org/pub/gcrypt/
--
Werner Koch Omnis enim res, quae dando non deficit, dum habetur
g10 Code GmbH et non datur, nondum habetur, quomodo habenda est.
Privacy Solutions -- Augustinus
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 232 bytes
Desc: not available
Url : /pipermail/attachments/20010601/6f6059b9/attachment.pgp