---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2006-1406
2006-12-06
---------------------------------------------------------------------

Product     : Fedora Core 6
Name        : gnupg
Version     : 1.4.6
Release     : 2
Summary     : A GNU utility for secure communication and data storage.
Description :
GnuPG (GNU Privacy Guard) is a GNU utility for encrypting data and creating digital signatures. GnuPG has advanced key management capabilities and is compliant with the proposed OpenPGP Internet standard described in RFC2440. Since GnuPG doesn't use any patented algorithm, it is not compatible with any version of PGP2 (PGP2.x uses only IDEA for symmetric-key encryption, which is patented worldwide).

---------------------------------------------------------------------
Update Information:

This update upgrades GnuPG to version 1.4.6, incorporating fixes for a potential buffer overflow (CVE-2006-6169) and referencing of a stack variable after it passes out of scope (CVE-2006-6235).
---------------------------------------------------------------------
* Wed Dec 6 2006 Nalin Dahyabhai nalin@redhat.com - 1.4.6-2
- rebuild
* Wed Dec 6 2006 Nalin Dahyabhai nalin@redhat.com - 1.4.6-1
- update to 1.4.6, incorporating fixes for CVE-2006-6169 and CVE-2006-6235
* Tue Dec 5 2006 Nalin Dahyabhai nalin@redhat.com - 1.4.5-13
- apply the termlib patch again
* Tue Dec 5 2006 Nalin Dahyabhai nalin@redhat.com - 1.4.5-12
- don't apply the non-security termlib patch
* Tue Dec 5 2006 Nalin Dahyabhai nalin@redhat.com - 1.4.5-11
- rebuild
* Tue Dec 5 2006 Nalin Dahyabhai nalin@redhat.com - 1.4.5-10
- incorporate patch from Werner to fix use of stack variable after it goes out of scope (CVE-2006-6235, #218483)
* Fri Dec 1 2006 Nalin Dahyabhai nalin@redhat.com - 1.4.5-9
- rebuild
- give configure a --with-termlib option which can be used to force the selection of libtermcap or libncurses, but don't flip the switch yet
* Fri Dec 1 2006 Nalin Dahyabhai nalin@redhat.com - 1.4.5-8
- rebuild
* Fri Dec 1 2006 Nalin Dahyabhai nalin@redhat.com - 1.4.5-7
- rebuild
* Fri Dec 1 2006 Nalin Dahyabhai nalin@redhat.com - 1.4.5-6
- add patch for overflow in openfile.c from Werner's mail (CVE-2006-6169, #218506)
* Tue Oct 31 2006 Nalin Dahyabhai nalin@redhat.com - 1.4.5-5
- rebuild against current libcurl
* Fri Aug 18 2006 Jesse Keating jkeating@redhat.com - 1.4.5-4
- rebuilt with latest binutils to pick up 64K -z commonpagesize on ppc* (#203001)
* Tue Aug 1 2006 Nalin Dahyabhai nalin@redhat.com - 1.4.5-3
- rebuild
* Tue Aug 1 2006 Nalin Dahyabhai nalin@redhat.com - 1.4.5-2
- rebuild
- reenable curl support
* Tue Aug 1 2006 Nalin Dahyabhai nalin@redhat.com - 1.4.5-1
- update to 1.4.5, fixing additional size overflows in packet parsing (#200904, CVE-2006-3746)
- temporarily disable curl support again
* Fri Jul 28 2006 Nalin Dahyabhai nalin@redhat.com - 1.4.4.90-1
- update to 1.4.5rc1 to check for build problems, but mark it as 1.4.4.90 to avoid looking "newer" than the eventual 1.4.5
- because we call aclocal, buildrequire gettext-devel to get AM_GNU_GETTEXT
* Thu Jul 20 2006 Nalin Dahyabhai nalin@redhat.com - 1.4.4-7
- add BuildPrereq on curl-devel to get curl's ipv6 support (#198375)
* Wed Jul 12 2006 Nalin Dahyabhai nalin@redhat.com - 1.4.4-6
- fix a cast in gpgkeys_hkp to avoid tripping stack smashing or buffer overflow detection (#198612)
* Wed Jul 12 2006 Jesse Keating jkeating@redhat.com - 1.4.4-5.1
- rebuild
* Wed Jul 5 2006 Nalin Dahyabhai nalin@redhat.com - 1.4.4-5
- try again using per-platform buildprereq (jkeating)
* Wed Jul 5 2006 Nalin Dahyabhai nalin@redhat.com - 1.4.4-4
- buildprereq libusb-devel, so that we get CCID support back (#197450)
* Mon Jun 26 2006 Nalin Dahyabhai nalin@redhat.com - 1.4.4-3
- rebuild
* Mon Jun 26 2006 Nalin Dahyabhai nalin@redhat.com - 1.4.4-2
- rebuild
* Mon Jun 26 2006 Nalin Dahyabhai nalin@redhat.com - 1.4.4-1
- update to 1.4.4
* Tue Jun 20 2006 Nalin Dahyabhai nalin@redhat.com - 1.4.3-5
- rebuild
* Tue Jun 20 2006 Nalin Dahyabhai nalin@redhat.com - 1.4.3-4
- add patch from upstream to fix CVE-2006-3082 (#195946)
* Tue Apr 11 2006 Nalin Dahyabhai nalin@redhat.com - 1.4.3-3
- rebuild
* Tue Apr 11 2006 Nalin Dahyabhai nalin@redhat.com - 1.4.3-2
- apply patch from David Shaw to try multiple defaults if the photo-viewer option isn't set (fixes #187880)
* Fri Mar 10 2006 Nalin Dahyabhai nalin@redhat.com - 1.4.3-1
- update to 1.4.3
* Fri Mar 10 2006 Nalin Dahyabhai nalin@redhat.com - 1.4.2.2-2
- rebuild
* Fri Mar 10 2006 Nalin Dahyabhai nalin@redhat.com - 1.4.2.2-1
- update to 1.4.2.2 to fix detection of unsigned data (CVE-2006-0049, #185111)
* Mon Feb 20 2006 Nalin Dahyabhai nalin@redhat.com - 1.4.2.1-4
- rebuild
* Mon Feb 20 2006 Nalin Dahyabhai nalin@redhat.com - 1.4.2.1-3
- add patch from David Shaw to fix error reading keyrings created with older versions of GnuPG (Enrico Scholz, #182163)
* Wed Feb 15 2006 Nalin Dahyabhai nalin@redhat.com - 1.4.2.1-2
- rebuild
* Wed Feb 15 2006 Nalin Dahyabhai nalin@redhat.com - 1.4.2.1-1
- update to 1.4.2.1 (fixes CVE-2006-0455)
* Fri Feb 10 2006 Jesse Keating jkeating@redhat.com - 1.4.2-3.2.1
- bump again for double-long bug on ppc(64)
* Tue Feb 7 2006 Jesse Keating jkeating@redhat.com - 1.4.2-3.2
- rebuilt for new gcc4.1 snapshot and glibc changes
* Fri Dec 9 2005 Jesse Keating jkeating@redhat.com
- rebuilt
* Tue Aug 9 2005 Nalin Dahyabhai nalin@redhat.com 1.4.2-3
- don't override libexecdir any more; we don't need to (#165462)
* Thu Aug 4 2005 Nalin Dahyabhai nalin@redhat.com 1.4.2-2
- pull in David Shaw's fix for key generation in batch mode
* Fri Jul 29 2005 Nalin Dahyabhai nalin@redhat.com
- change %post to check if the info files are there before attempting to add or remove them from the info index (#91641)
* Wed Jul 27 2005 Nalin Dahyabhai nalin@redhat.com 1.4.2-1
- update to 1.4.2
* Thu May 5 2005 Nalin Dahyabhai nalin@redhat.com 1.4.1-3
- fix the execstack problem correctly this time (arjanv)
* Thu Apr 28 2005 Nalin Dahyabhai nalin@redhat.com 1.4.1-2
- add -Wa,--noexecstack back to CFLAGS when invoking configure, the --enable-noexecstack flag only seems to affect asm modules
* Wed Mar 16 2005 Nalin Dahyabhai nalin@redhat.com 1.4.1-1
- update to 1.4.1
* Tue Mar 8 2005 Nalin Dahyabhai nalin@redhat.com 1.4.0-2
- build asm modules with -Wa,--noexecstack
* Mon Jan 24 2005 Nalin Dahyabhai nalin@redhat.com 1.4.0-1
- comment out libusb-devel req for now so that we can build
- build the mpi asm modules with gcc, not a cpp/as setup so that we don't end up with text relocations in the resulting binaries (#145836)
* Wed Dec 22 2004 Nalin Dahyabhai nalin@redhat.com
- update to 1.4.0
* Mon Nov 1 2004 Nalin Dahyabhai nalin@redhat.com
- add a pile of buildprereq
* Mon Nov 1 2004 Robert Scheck redhat@linuxnetz.de 1.2.6-2
- set LANG=C before running shm coprocessing build-time check (#129873)
* Thu Aug 26 2004 Nalin Dahyabhai nalin@redhat.com 1.2.6-1
- update to 1.2.6
* Tue Jul 27 2004 Nalin Dahyabhai nalin@redhat.com
- update to 1.2.5
- reenable optimization on ppc64
* Tue Jun 15 2004 Elliot Lee sopwith@redhat.com
- rebuilt
* Tue Mar 2 2004 Elliot Lee sopwith@redhat.com
- rebuilt
* Fri Feb 13 2004 Elliot Lee sopwith@redhat.com
- rebuilt
* Fri Feb 6 2004 Nalin Dahyabhai nalin@redhat.com 1.2.4-1
- update to 1.2.4, dropping separate ElGamal disabling patch
* Fri Dec 12 2003 Nalin Dahyabhai nalin@redhat.com 1.2.3-3
- rebuild
* Mon Dec 1 2003 Nalin Dahyabhai nalin@redhat.com 1.2.3-2
- incorporate patch from gnupg-announce which removes the ability to create ElGamal encrypt+sign keys or to sign messages with such keys
* Mon Oct 27 2003 Nalin Dahyabhai nalin@redhat.com 1.2.3-1
- use -fPIE instead of -fpie because some arches need it
* Mon Oct 27 2003 Nalin Dahyabhai nalin@redhat.com
- build gnupg as a position-independent executable (Arjan van de Ven)
* Mon Aug 25 2003 Nalin Dahyabhai nalin@redhat.com
- add Werner's key as a source file
* Fri Aug 22 2003 Nalin Dahyabhai nalin@redhat.com
- update to 1.2.3
* Thu Jun 19 2003 Nalin Dahyabhai nalin@redhat.com 1.2.2-3
- disable asm and optimization on ppc64
* Fri Jun 13 2003 Nalin Dahyabhai nalin@redhat.com
- add a build-time check to ensure that shm coprocessing was enabled
* Wed Jun 4 2003 Elliot Lee sopwith@redhat.com
- rebuilt
* Mon May 5 2003 Nalin Dahyabhai nalin@redhat.com 1.2.2-1
- update to 1.2.2, fixing CAN-2003-0255
* Thu May 1 2003 Elliot Lee sopwith@redhat.com 1.2.1-5
- Add ppc64 patch to fix up global symbol names in assembly
* Fri Feb 28 2003 Kevin Sonney ksonney@redhat.com 1.2.1-4
- remove autoconf call on sparc
* Fri Feb 7 2003 Nalin Dahyabhai nalin@redhat.com 1.2.1-3
- modify g10defs to look for helpers in libexecdir, because that's where they get installed, per gnupg-users
- actually drop updates for 1.0.7 which are no longer needed for 1.2.1
* Wed Jan 22 2003 Tim Powers timp@redhat.com
- rebuilt
* Mon Oct 28 2002 Nalin Dahyabhai nalin@redhat.com 1.2.1-1
- update to 1.2.1
* Tue Sep 24 2002 Nalin Dahyabhai nalin@redhat.com 1.2.0-1
- update to 1.2.0
- stop stripping files manually, let the buildroot policies handle it
- add translations updates ca and fr
* Tue Aug 27 2002 Nalin Dahyabhai nalin@redhat.com 1.0.7-6
- rebuild
* Wed Jul 24 2002 Nalin Dahyabhai nalin@redhat.com 1.0.7-5
- specify a menu entry when installing info pages
* Wed Jul 24 2002 Nalin Dahyabhai nalin@redhat.com 1.0.7-4
- add and install info pages (#67931)
- don't include two copies of the faq, add new doc files (#67931)
* Fri Jun 21 2002 Tim Powers timp@redhat.com
- automated rebuild
* Sun May 26 2002 Tim Powers timp@redhat.com
- automated rebuild
* Tue Apr 30 2002 Nalin Dahyabhai nalin@redhat.com 1.0.7-1
- update to 1.0.7
* Fri Feb 22 2002 Nalin Dahyabhai nalin@redhat.com 1.0.6-5
- rebuild
* Wed Jan 23 2002 Nalin Dahyabhai nalin@redhat.com 1.0.6-4
- make the codeset patch unconditional
* Thu Aug 9 2001 Nalin Dahyabhai nalin@redhat.com 1.0.6-3
- set message output encoding to match the message encoding, based on a patch by goeran@uddeborg.pp.se (#49182)
* Sun Jun 24 2001 Elliot Lee sopwith@redhat.com 1.0.6-2
- Bump release + rebuild.
* Wed May 30 2001 Nalin Dahyabhai nalin@redhat.com 1.0.6-1
- update to 1.0.6, fixes format string exploit
* Mon Apr 30 2001 Nalin Dahyabhai nalin@redhat.com
- update to 1.0.5, dropping various patches
* Tue Feb 27 2001 Trond Eivind Glomsrød teg@redhat.com
- langify
- strip binaries in /usr/lib/gnupg
* Tue Feb 27 2001 Nalin Dahyabhai nalin@redhat.com
- fix the group
* Mon Dec 18 2000 Nalin Dahyabhai nalin@redhat.com
- go with this version -- 1.0.4c includes a lot of changes beyond just the two security fixes
* Thu Dec 14 2000 Nalin Dahyabhai nalin@redhat.com
- add the --allow-secret-key-import patch from CVS in case we don't get a 1.0.5
* Fri Dec 8 2000 Nalin Dahyabhai nalin@redhat.com
- build as an errata for 7
* Fri Dec 1 2000 Nalin Dahyabhai nalin@redhat.com
- add a security patch for a problem with detached signature verification... might hold off for an impending 1.0.5, though
* Thu Oct 19 2000 Nalin Dahyabhai nalin@redhat.com
- fix a bug preventing creation of .gnupg directories
* Wed Oct 18 2000 Nalin Dahyabhai nalin@redhat.com
- add patch to recognize AES signatures properly (#19312)
- add gpgv to the package
* Tue Oct 17 2000 Nalin Dahyabhai nalin@redhat.com
- update to 1.0.4 to get security fix
* Tue Oct 10 2000 Nalin Dahyabhai nalin@redhat.com
- fix man page typos (#18797)
* Thu Sep 21 2000 Nalin Dahyabhai nalin@redhat.com
- update to 1.0.3
- switch to bundled copy of the man page
* Wed Aug 30 2000 Matt Wilson msw@redhat.com
- rebuild to cope with glibc locale binary incompatibility, again
* Wed Aug 16 2000 Nalin Dahyabhai nalin@redhat.com
- revert locale patch (#16222)
* Tue Aug 15 2000 Nalin Dahyabhai nalin@redhat.com
- set all locale data instead of LC_MESSAGES and LC_TIME (#16222)
* Sun Jul 23 2000 Nalin Dahyabhai nalin@redhat.com
- update to 1.0.2
* Wed Jul 19 2000 Jakub Jelinek jakub@redhat.com
- rebuild to cope with glibc locale binary incompatibility
* Thu Jul 13 2000 Prospector bugzilla@redhat.com
- automatic rebuild
* Wed Jul 12 2000 Nalin Dahyabhai nalin@redhat.com
- include lspgpot (#13772)
* Mon Jun 5 2000 Nalin Dahyabhai nalin@redhat.com
- rebuild in new build environment
* Fri Feb 18 2000 Bill Nottingham notting@redhat.com
- build of 1.0.1
* Fri Sep 10 1999 Cristian Gafton gafton@redhat.com
- version 1.0.0 build for 6.1us
---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/6/

c626ce84e9d2dc39c863efbbdf879330d5fe74fb  SRPMS/gnupg-1.4.6-2.src.rpm
c626ce84e9d2dc39c863efbbdf879330d5fe74fb  noarch/gnupg-1.4.6-2.src.rpm
682cbd00aabbb225d748bdb237fde51b3ef25b06  ppc/gnupg-1.4.6-2.ppc.rpm
ebbeef080fff37991929bc6d727dad8dec0287dc  ppc/debug/gnupg-debuginfo-1.4.6-2.ppc.rpm
a8e6cfd56037a585d9d4f4a745e17be59bcab206  x86_64/gnupg-1.4.6-2.x86_64.rpm
786c668d1c45a02f73af311832e70d0cae81c738  x86_64/debug/gnupg-debuginfo-1.4.6-2.x86_64.rpm
1e442eca4432f340c53ccca22b620c009b8aae08  i386/gnupg-1.4.6-2.i386.rpm
e99717a999fb025e2d4635351a7618c51613b4f0  i386/debug/gnupg-debuginfo-1.4.6-2.i386.rpm

This update can be installed with the 'yum' update program. Use 'yum update package-name' at the command line. For more information, refer to 'Managing Software with yum,' available at http://fedora.redhat.com/docs/yum/.
---------------------------------------------------------------------
package-announce@lists.fedoraproject.org