From wk@gnupg.org Fri Jun 1 09:20:47 2001
Date: Fri, 1 Jun 2001 14:40:58 +0200
From: Werner Koch
To: announce@gnupg.org
Cc: info-gnu@gnu.org
Subject: [Announce] GnuPG security fix 1.0.6

Hi,

I have recently released a new version of GnuPG which fixes an exploit
found by fish stiqz as well as some other bugs:

    * Security fix for a format string bug in the tty code.

    * Fixed format string bugs in all PO files.

    * Removed Russian translation due to too many bugs.  The FTP
      server has an unofficial but better translation in the contrib
      directory.

    * Fixed expire time calculation and keyserver access.

    * The usual set of minor bug fixes and enhancements.

Although the posted exploit code can only be used with a special
knowledge of the target machine, I STRONGLY ADVISE TO UPDATE GnuPG to
this new version.

This new release should be available at all mirror sites (see
http://www.gnupg.org/mirrors.html and below) and at the primary
location:

  ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.0.6.tar.gz  (1896k)
  ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.0.6.tar.gz.sig

or as a patch file:

  ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.0.5-1.0.6.diff.gz  (217k)

MD5 checksums are:

  7c319a9e5e70ad9bc3bf0d7b5008a508  gnupg-1.0.6.tar.gz
  71ae7d725776688c2e095d9672f38e61  gnupg-1.0.5-1.0.6.diff.gz

A binary distribution for MS Windows systems is available at:

  ftp://ftp.gnupg.org/gcrypt/binaty/gnupg-w32-1.0.6.zip
  ftp://ftp.gnupg.org/gcrypt/binaty/gnupg-w32-1.0.6.zip

After releasing this version it turned out that there is a small
glitch in the source when a compiler other than GCC is used.  If you
encounter a compile problem, you should fix it in include/ttyio.c
like this:

diff -r1.7.2.3 ttyio.h
27c27
< void tty_printf const char *fmt, ... );
---
> void tty_printf (const char *fmt, ... );

Due to the switch to a new gettext version, some systems may have
problems with their own gettext version.
Using ./configure --with-included-gettext should fix this (this is
also mentioned in the INSTALL file)

Have fun

  Werner


Here is a list of sites mirroring ftp://ftp.gnupg.org/gcrypt/
Please use them if you can; new releases should show up on these
servers within a day.  This mirror list is also available at
http://www.gnupg.org/mirrors.html

 Australia
    ftp://ftp.planetmirror.com/pub/gnupg/
    http://ftp.planetmirror.com/pub/gnupg/
    ftp://mirror.aarnet.edu.au/pub/gnupg/
 Austria
    ftp://gd.tuwien.ac.at/privacy/gnupg/
    http://gd.tuwien.ac.at/privacy/gnupg/
 Belgium
    ftp://openbsd.rug.ac.be/pub/gcrypt/
    ftp://gnupg.x-zone.org/pub/gnupg
 Czechia
    ftp://ftp.gnupg.cz/pub/gcrypt
 Denmark
    ftp://sunsite.dk/pub/security/gcrypt/
 Finland
    ftp://ftp.jyu.fi/pub/crypt/gcrypt/
 France
    ftp://ftp.strasbourg.linuxfr.org/pub/gnupg/
 Germany
    ftp://ftp.franken.de/pub/crypt/mirror/ftp.guug.de/gcrypt/
    ftp://ftp.freenet.de/pub/ftp.gnupg.org/pub/gcrypt/
 Greece
    ftp://ftp.linux.gr/pub/crypto/gnupg/
    ftp://hal.csd.auth.gr/mirrors/gnupg/
 Hungary
    ftp://ftp.kfki.hu/pub/packages/security/gnupg/
 Iceland
    ftp://ftp.hi.is/pub/mirrors/gnupg/
 Ireland
    ftp://ftp.compsoc.com/pub/gnupg/
 Italy
    ftp://ftp.linux.it/pub/mirrors/gnupg/
    ftp://ftp3.linux.it/pub/mirrors/gnupg/
 Japan
    ftp://pgp.iijlab.net/pub/gnupg/
    ftp://ftp.ring.gr.jp/pub/net/gnupg/
    http://www.ring.gr.jp/pub/net/gnupg/
 Korea
    ftp://ftp.snu.ac.kr/pub/security/gnupg/
 Poland
    ftp://sunsite.icm.edu.pl/pub/security/gnupg/
 Spain
    ftp://dimonieta.udg.es/mirror/gnupg
 Sweden
    ftp://ftp.stacken.kth.se/pub/crypto/gnupg/
    ftp://ftp.sunet.se:/pub/security/gnupg/
 Switzerland
    ftp://sunsite.cnlab-switch.ch/mirror/gcrypt/
 Taiwan
    ftp://coda.nctu.edu.tw/Security/gcrypt
 United Kingdom
    ftp://ftp.net.lut.ac.uk/gcrypt/
    ftp://ftp.mirror.ac.uk/sites/ftp.gnupg.org/pub/gcrypt/
    http://www.mirror.ac.uk/sites/ftp.gnupg.org/pub/gcrypt/

-- 
Werner Koch        Omnis enim res, quae dando non deficit, dum habetur
g10 Code GmbH      et non datur, nondum habetur, quomodo habenda est.
Privacy Solutions                                        -- Augustinus
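
Review bot: the diff header in the compile fix names ttyio.h, while the sentence introducing it points to include/ttyio.c; the changed line 27 is a function prototype, so the header is the file to edit. The hunk is in normal diff format (27c27) with no context lines, so confirm that line 27 of your copy reads exactly as the "<" line before applying the change by hand.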