Bugtraq mailing list archives
Security flaw in PGPverify of INN
From: lutz () IKS-JENA DE (Lutz Donnerhacke)
Date: Thu, 9 Oct 1997 15:36:47 +0200
--+w/mQv8wyuph6w05 Content-Type: text/plain; charset=us-ascii Hi, I was urged to send you the following information. I noticed CERT and tale itself. But tale claims that the problem is not a problem of pgpverify, it's a problem of some krauts trying to send checkgroups monthly using a bot. The checkgroups mentioned were send since a year. They do not include Date: and Message-ID: because these values were not predictable by the human signer and the bot does not know the passphrase to work with. In consequence there are checkgroups out there which can be resend at any time causing a lot of trouble, because the signature is still valid even if a new Message-ID: and Date: line are used. The obvious fix is to modify pgpverify to block such control messages. ftp://ftp.iks-jena.de/pub/mitarb/lutz/ contains the necessary fixes. HTH --+w/mQv8wyuph6w05 Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: 2.6.3in iQCiAwUBNDzd7pFeTizbCJMJAQHtewRnSzHzJkxfvtUVtaaOtnsS0jAQBhHPZO4p ztMCLSkqj93EVTbJSpeKmhJ7EMrSDEgZ0dHOR9n8B+ysaB3mDQ9e9ESwFyMPQMgQ x60x/AQgAVE516S1FKU8Se/4iia2X0Pa5TL85v+CK7hBvbcAyRBIKoEKR9KygM/f W7w8Ol5tE1f9MveyeWscA+Juy3in =ZzIE -----END PGP SIGNATURE----- --+w/mQv8wyuph6w05--
Current thread:
- Re: Possible weakness in LPD protocol Warner Losh (Oct 03)
- Re: Possible weakness in LPD protocol Brett Lymn (Oct 08)
- L0pht Advisory: IMAP4rev1 imapd server We got Food - Fuel - Ice-cold Beer - and X.509 certificates (Oct 08)
- Re: L0pht Advisory: IMAP4rev1 imapd server Marc Slemko (Oct 08)
- SNMP Insecurity Aleph One (Oct 08)
- Malicious Linux modules Runar Jensen (Oct 08)
- Re: L0pht Advisory: IMAP4rev1 imapd server Casper Dik (Oct 09)
- Security flaw in PGPverify of INN Lutz Donnerhacke (Oct 09)
- Re: L0pht Advisory: IMAP4rev1 imapd server Kragen Sitaker (Oct 09)
- Security flaw in Count.cgi (wwwcount) Razvan Dragomirescu (Oct 10)
- Huge security holes in Microsoft FP98 server extensions for Apache Marc Slemko (Oct 11)
- Re: Huge security holes in Microsoft FP98 server extensions for Aleph One (Oct 11)
- DOS PC FTP SERVER Efrain Torres Mejia (Oct 11)
- _very_ poor ISN generation on Ascend MAX (fwd) Marc Slemko (Oct 11)
- Re: L0pht Advisory: IMAP4rev1 imapd server Marc Slemko (Oct 08)
- Another way to exploit local classes in Java Andre L. Dos Santos (Oct 08)
- <Possible follow-ups>
- Re: Possible weakness in LPD protocol Oliver Friedrichs (Oct 03)
- Re: Possible weakness in LPD protocol Eivind Eklund (Oct 03)
- Re: Possible weakness in LPD protocol Doug Hughes (Oct 05)