Executive Summary
Summary | |
---|---|
Title | gnupg vulnerability |
Information | |||
---|---|---|---|
Name | USN-264-1 | First vendor Publication | 2006-03-13 |
Vendor | Ubuntu | Last vendor Modification | 2006-03-13 |
Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact SubScore | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:N/I:P/A:N) | |||
---|---|---|---|
Cvss Base Score | 5 | Attack Range | Network |
Cvss Impact Score | 2.9 | Attack Complexity | Low |
Cvss Exploit Score | 10 | Authentication | None Required |
Detail
A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

gnupg

The problem can be corrected by upgrading the affected package to version 1.2.4-4ubuntu2.3 (for Ubuntu 4.10), 1.2.5-3ubuntu5.3 (for Ubuntu 5.04), or 1.4.1-1ubuntu1.2 (for Ubuntu 5.10). In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

Tavis Ormandy discovered a flaw in gnupg's signature verification. In some cases, certain invalid signature formats could cause gpg to report a 'good signature' result for auxiliary unsigned data which was prepended or appended to the checked message part.
Original Source
Url : http://www.ubuntu.com/usn/USN-264-1 |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:10063 | |||
Oval ID: | oval:org.mitre.oval:def:10063 | ||
Title: | gpg in GnuPG before 1.4.2.2 does not properly verify non-detached signatures, which allows attackers to inject unsigned data via a data packet that is not associated with a control packet, which causes the check for concatenated signatures to report that the signature is valid, a different vulnerability than CVE-2006-0455. | ||
Description: | gpg in GnuPG before 1.4.2.2 does not properly verify non-detached signatures, which allows attackers to inject unsigned data via a data packet that is not associated with a control packet, which causes the check for concatenated signatures to report that the signature is valid, a different vulnerability than CVE-2006-0455. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2006-0049 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 3 CentOS Linux 3 Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 | Product(s): | |
OpenVAS Exploits
Date | Description |
---|---|
2009-10-10 | Name : SLES9: Security update for gpg File : nvt/sles9p5017077.nasl |
2008-09-24 | Name : Gentoo Security Advisory GLSA 200603-08 (gnupg) File : nvt/glsa_200603_08.nasl |
2008-09-04 | Name : FreeBSD Ports: gnupg File : nvt/freebsd_gnupg2.nasl |
2008-01-17 | Name : Debian Security Advisory DSA 993-1 (gnupg) File : nvt/deb_993_1.nasl |
2008-01-17 | Name : Debian Security Advisory DSA 993-2 (gnupg) File : nvt/deb_993_2.nasl |
0000-00-00 | Name : Slackware Advisory SSA:2006-072-02 gnupg File : nvt/esoft_slk_ssa_2006_072_02.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
23790 | GnuPG gpg Unsigned Data Injection Detection Failure Gnu Privacy Guard contains a flaw that may allow a malicious user to inject unsigned data into a signed message. The issue is triggered when unsigned PGP packets are prepended or appended to legitimately signed packet streams. It is possible that the flaw may allow injected data to appear signed resulting in a loss of integrity. |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2006-10-14 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-993.nasl - Type : ACT_GATHER_INFO |
2006-07-05 | Name : The remote CentOS host is missing a security update. File : centos_RHSA-2006-0266.nasl - Type : ACT_GATHER_INFO |
2006-05-13 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_948921adafbc11dabad902e081235dab.nasl - Type : ACT_GATHER_INFO |
2006-04-04 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-264-1.nasl - Type : ACT_GATHER_INFO |
2006-03-18 | Name : The remote Mandrake Linux host is missing a security update. File : mandrake_MDKSA-2006-055.nasl - Type : ACT_GATHER_INFO |
2006-03-17 | Name : The remote host is missing a vendor-supplied security patch File : suse_SA_2006_014.nasl - Type : ACT_GATHER_INFO |
2006-03-16 | Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2006-0266.nasl - Type : ACT_GATHER_INFO |
2006-03-14 | Name : The remote Slackware host is missing a security update. File : Slackware_SSA_2006-072-02.nasl - Type : ACT_GATHER_INFO |
2006-03-14 | Name : The remote Fedora Core host is missing a security update. File : fedora_2006-147.nasl - Type : ACT_GATHER_INFO |
2006-03-13 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200603-08.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Information |
---|---|
2014-02-17 12:03:21 |