[SECURITY] Fedora Core 6 Update: gnupg-1.4.6-2

Nalin Dahyabhai nalin at redhat.com
Wed Dec 6 21:50:41 UTC 2006


---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2006-1406
2006-12-06
---------------------------------------------------------------------

Product     : Fedora Core 6
Name        : gnupg
Version     : 1.4.6
Release     : 2
Summary     : A GNU utility for secure communication and data storage.
Description :
GnuPG (GNU Privacy Guard) is a GNU utility for encrypting data and
creating digital signatures. GnuPG has advanced key management
capabilities and is compliant with the proposed OpenPGP Internet
standard described in RFC2440. Since GnuPG doesn't use any patented
algorithm, it is not compatible with any version of PGP2 (PGP2.x uses
only IDEA for symmetric-key encryption, which is patented worldwide).

---------------------------------------------------------------------
Update Information:

This update upgrades GnuPG to version 1.4.6, incorporating
fixes for a potential buffer overflow (CVE-2006-6169) and
referencing of a stack variable after it passes out of scope
(CVE-2006-6235).
---------------------------------------------------------------------
* Wed Dec  6 2006 Nalin Dahyabhai <nalin at redhat.com> - 1.4.6-2
- rebuild
* Wed Dec  6 2006 Nalin Dahyabhai <nalin at redhat.com> - 1.4.6-1
- update to 1.4.6, incorporating fixes for CVE-2006-6169 and CVE-2006-6235
* Tue Dec  5 2006 Nalin Dahyabhai <nalin at redhat.com> - 1.4.5-13
- apply the termlib patch again
* Tue Dec  5 2006 Nalin Dahyabhai <nalin at redhat.com> - 1.4.5-12
- don't apply the non-security termlib patch
* Tue Dec  5 2006 Nalin Dahyabhai <nalin at redhat.com> - 1.4.5-11
- rebuild
* Tue Dec  5 2006 Nalin Dahyabhai <nalin at redhat.com> - 1.4.5-10
- incorporate patch from Werner to fix use of stack variable after it goes
  out of scope (CVE-2006-6235, #218483)
* Fri Dec  1 2006 Nalin Dahyabhai <nalin at redhat.com> - 1.4.5-9
- rebuild
- give configure a --with-termlib option which can be used to force the
  selection of libtermcap or libncurses, but don't flip the switch yet
* Fri Dec  1 2006 Nalin Dahyabhai <nalin at redhat.com> - 1.4.5-8
- rebuild
* Fri Dec  1 2006 Nalin Dahyabhai <nalin at redhat.com> - 1.4.5-7
- rebuild
* Fri Dec  1 2006 Nalin Dahyabhai <nalin at redhat.com> - 1.4.5-6
- add patch for overflow in openfile.c from Werner's mail
  (CVE-2006-6169, #218506)
* Tue Oct 31 2006 Nalin Dahyabhai <nalin at redhat.com> - 1.4.5-5
- rebuild against current libcurl
* Fri Aug 18 2006 Jesse Keating <jkeating at redhat.com> - 1.4.5-4
- rebuilt with latest binutils to pick up 64K -z commonpagesize on ppc*
  (#203001)
* Tue Aug  1 2006 Nalin Dahyabhai <nalin at redhat.com> - 1.4.5-3
- rebuild
* Tue Aug  1 2006 Nalin Dahyabhai <nalin at redhat.com> - 1.4.5-2
- rebuild
- reenable curl support
* Tue Aug  1 2006 Nalin Dahyabhai <nalin at redhat.com> - 1.4.5-1
- update to 1.4.5, fixing additional size overflows in packet parsing (#200904,
  CVE-2006-3746)
- temporarily disable curl support again
* Fri Jul 28 2006 Nalin Dahyabhai <nalin at redhat.com> - 1.4.4.90-1
- update to 1.4.5rc1 to check for build problems, but mark it as 1.4.4.90
  to avoid looking "newer" than the eventual 1.4.5
- because we call aclocal, buildrequire gettext-devel to get AM_GNU_GETTEXT
* Thu Jul 20 2006 Nalin Dahyabhai <nalin at redhat.com> - 1.4.4-7
- add BuildPrereq on curl-devel to get curl's ipv6 support (#198375)
* Wed Jul 12 2006 Nalin Dahyabhai <nalin at redhat.com> - 1.4.4-6
- fix a cast in gpgkeys_hkp to avoid tripping stack smashing or buffer overflow
  detection (#198612)
* Wed Jul 12 2006 Jesse Keating <jkeating at redhat.com> - 1.4.4-5.1
- rebuild
* Wed Jul  5 2006 Nalin Dahyabhai <nalin at redhat.com> - 1.4.4-5
- try again using per-platform buildprereq (jkeating)
* Wed Jul  5 2006 Nalin Dahyabhai <nalin at redhat.com> - 1.4.4-4
- buildprereq libusb-devel, so that we get CCID support back (#197450)
* Mon Jun 26 2006 Nalin Dahyabhai <nalin at redhat.com> - 1.4.4-3
- rebuild
* Mon Jun 26 2006 Nalin Dahyabhai <nalin at redhat.com> - 1.4.4-2
- rebuild
* Mon Jun 26 2006 Nalin Dahyabhai <nalin at redhat.com> - 1.4.4-1
- update to 1.4.4
* Tue Jun 20 2006 Nalin Dahyabhai <nalin at redhat.com> - 1.4.3-5
- rebuild
* Tue Jun 20 2006 Nalin Dahyabhai <nalin at redhat.com> - 1.4.3-4
- add patch from upstream to fix CVE-2006-3082 (#195946)
* Tue Apr 11 2006 Nalin Dahyabhai <nalin at redhat.com> - 1.4.3-3
- rebuild
* Tue Apr 11 2006 Nalin Dahyabhai <nalin at redhat.com> - 1.4.3-2
- apply patch from David Shaw to try multiple defaults if the photo-viewer
  option isn't set (fixes #187880)
* Fri Mar 10 2006 Nalin Dahyabhai <nalin at redhat.com> - 1.4.3-1
- update to 1.4.3
* Fri Mar 10 2006 Nalin Dahyabhai <nalin at redhat.com> - 1.4.2.2-2
- rebuild
* Fri Mar 10 2006 Nalin Dahyabhai <nalin at redhat.com> - 1.4.2.2-1
- update to 1.4.2.2 to fix detection of unsigned data (CVE-2006-0049, #185111)
* Mon Feb 20 2006 Nalin Dahyabhai <nalin at redhat.com> - 1.4.2.1-4
- rebuild
* Mon Feb 20 2006 Nalin Dahyabhai <nalin at redhat.com> - 1.4.2.1-3
- add patch from David Shaw to fix error reading keyrings created with older
  versions of GnuPG (Enrico Scholz, #182163)
* Wed Feb 15 2006 Nalin Dahyabhai <nalin at redhat.com> - 1.4.2.1-2
- rebuild
* Wed Feb 15 2006 Nalin Dahyabhai <nalin at redhat.com> - 1.4.2.1-1
- update to 1.4.2.1 (fixes CVE-2006-0455)
* Fri Feb 10 2006 Jesse Keating <jkeating at redhat.com> - 1.4.2-3.2.1
- bump again for double-long bug on ppc(64)
* Tue Feb  7 2006 Jesse Keating <jkeating at redhat.com> - 1.4.2-3.2
- rebuilt for new gcc4.1 snapshot and glibc changes
* Fri Dec  9 2005 Jesse Keating <jkeating at redhat.com>
- rebuilt
* Tue Aug  9 2005 Nalin Dahyabhai <nalin at redhat.com> 1.4.2-3
- don't override libexecdir any more; we don't need to (#165462)
* Thu Aug  4 2005 Nalin Dahyabhai <nalin at redhat.com> 1.4.2-2
- pull in David Shaw's fix for key generation in batch mode
* Fri Jul 29 2005 Nalin Dahyabhai <nalin at redhat.com>
- change %post to check if the info files are there before attempting to
  add or remove them from the info index (#91641)
* Wed Jul 27 2005 Nalin Dahyabhai <nalin at redhat.com> 1.4.2-1
- update to 1.4.2
* Thu May  5 2005 Nalin Dahyabhai <nalin at redhat.com> 1.4.1-3
- fix the execstack problem correctly this time (arjanv)
* Thu Apr 28 2005 Nalin Dahyabhai <nalin at redhat.com> 1.4.1-2
- add -Wa,--noexecstack back to CFLAGS when invoking configure, the
  --enable-noexecstack flag only seems to affect asm modules
* Wed Mar 16 2005 Nalin Dahyabhai <nalin at redhat.com> 1.4.1-1
- update to 1.4.1
* Tue Mar  8 2005 Nalin Dahyabhai <nalin at redhat.com> 1.4.0-2
- build asm modules with -Wa,--noexecstack
* Mon Jan 24 2005 Nalin Dahyabhai <nalin at redhat.com> 1.4.0-1
- comment out libusb-devel req for now so that we can build
- build the mpi asm modules with gcc, not a cpp/as setup so that we don't end
  up with text relocations in the resulting binaries (#145836)
* Wed Dec 22 2004 Nalin Dahyabhai <nalin at redhat.com>
- update to 1.4.0
* Mon Nov  1 2004 Nalin Dahyabhai <nalin at redhat.com>
- add a pile of buildprereq
* Mon Nov  1 2004 Robert Scheck <redhat at linuxnetz.de> 1.2.6-2
- set LANG=C before running shm coprocessing build-time check (#129873)
* Thu Aug 26 2004 Nalin Dahyabhai <nalin at redhat.com> 1.2.6-1
- update to 1.2.6
* Tue Jul 27 2004 Nalin Dahyabhai <nalin at redhat.com>
- update to 1.2.5
- reenable optimization on ppc64
* Tue Jun 15 2004 Elliot Lee <sopwith at redhat.com>
- rebuilt
* Tue Mar  2 2004 Elliot Lee <sopwith at redhat.com>
- rebuilt
* Fri Feb 13 2004 Elliot Lee <sopwith at redhat.com>
- rebuilt
* Fri Feb  6 2004 Nalin Dahyabhai <nalin at redhat.com> 1.2.4-1
- update to 1.2.4, dropping separate ElGamal disabling patch
* Fri Dec 12 2003 Nalin Dahyabhai <nalin at redhat.com> 1.2.3-3
- rebuild
* Mon Dec  1 2003 Nalin Dahyabhai <nalin at redhat.com> 1.2.3-2
- incorporate patch from gnupg-announce which removes the ability to create
  ElGamal encrypt+sign keys or to sign messages with such keys
* Mon Oct 27 2003 Nalin Dahyabhai <nalin at redhat.com> 1.2.3-1
- use -fPIE instead of -fpie because some arches need it
* Mon Oct 27 2003 Nalin Dahyabhai <nalin at redhat.com>
- build gnupg as a position-independent executable (Arjan van de Ven)
* Mon Aug 25 2003 Nalin Dahyabhai <nalin at redhat.com>
- add Werner's key as a source file
* Fri Aug 22 2003 Nalin Dahyabhai <nalin at redhat.com>
- update to 1.2.3
* Thu Jun 19 2003 Nalin Dahyabhai <nalin at redhat.com> 1.2.2-3
- disable asm and optimization on ppc64
* Fri Jun 13 2003 Nalin Dahyabhai <nalin at redhat.com>
- add a build-time check to ensure that shm coprocessing was enabled
* Wed Jun  4 2003 Elliot Lee <sopwith at redhat.com>
- rebuilt
* Mon May  5 2003 Nalin Dahyabhai <nalin at redhat.com> 1.2.2-1
- update to 1.2.2, fixing CAN-2003-0255
* Thu May  1 2003 Elliot Lee <sopwith at redhat.com> 1.2.1-5
- Add ppc64 patch to fix up global symbol names in assembly
* Fri Feb 28 2003 Kevin Sonney <ksonney at redhat.com> 1.2.1-4
- remove autoconf call on sparc
* Fri Feb  7 2003 Nalin Dahyabhai <nalin at redhat.com> 1.2.1-3
- modify g10defs to look for helpers in libexecdir, because that's where they
  get installed, per gnupg-users
- actually drop updates for 1.0.7 which are no longer needed for 1.2.1
* Wed Jan 22 2003 Tim Powers <timp at redhat.com>
- rebuilt
* Mon Oct 28 2002 Nalin Dahyabhai <nalin at redhat.com> 1.2.1-1
- update to 1.2.1
* Tue Sep 24 2002 Nalin Dahyabhai <nalin at redhat.com> 1.2.0-1
- update to 1.2.0
- stop stripping files manually, let the buildroot policies handle it
- add translations updates ca and fr
* Tue Aug 27 2002 Nalin Dahyabhai <nalin at redhat.com> 1.0.7-6
- rebuild
* Wed Jul 24 2002 Nalin Dahyabhai <nalin at redhat.com> 1.0.7-5
- specify a menu entry when installing info pages
* Wed Jul 24 2002 Nalin Dahyabhai <nalin at redhat.com> 1.0.7-4
- add and install info pages (#67931)
- don't include two copies of the faq, add new doc files (#67931)
* Fri Jun 21 2002 Tim Powers <timp at redhat.com>
- automated rebuild
* Sun May 26 2002 Tim Powers <timp at redhat.com>
- automated rebuild
* Tue Apr 30 2002 Nalin Dahyabhai <nalin at redhat.com> 1.0.7-1
- update to 1.0.7
* Fri Feb 22 2002 Nalin Dahyabhai <nalin at redhat.com> 1.0.6-5
- rebuild
* Wed Jan 23 2002 Nalin Dahyabhai <nalin at redhat.com> 1.0.6-4
- make the codeset patch unconditional
* Thu Aug  9 2001 Nalin Dahyabhai <nalin at redhat.com> 1.0.6-3
- set message output encoding to match the message encoding, based on a
  patch by goeran at uddeborg.pp.se (#49182)
* Sun Jun 24 2001 Elliot Lee <sopwith at redhat.com> 1.0.6-2
- Bump release + rebuild.
* Wed May 30 2001 Nalin Dahyabhai <nalin at redhat.com> 1.0.6-1
- update to 1.0.6, fixes format string exploit
* Mon Apr 30 2001 Nalin Dahyabhai <nalin at redhat.com>
- update to 1.0.5, dropping various patches
* Tue Feb 27 2001 Trond Eivind Glomsrød <teg at redhat.com>
- langify
- strip binaries in /usr/lib/gnupg
* Tue Feb 27 2001 Nalin Dahyabhai <nalin at redhat.com>
- fix the group
* Mon Dec 18 2000 Nalin Dahyabhai <nalin at redhat.com>
- go with this version -- 1.0.4c includes a lot of changes beyond just the
  two security fixes
* Thu Dec 14 2000 Nalin Dahyabhai <nalin at redhat.com>
- add the --allow-secret-key-import patch from CVS in case we don't get a 1.0.5
* Fri Dec  8 2000 Nalin Dahyabhai <nalin at redhat.com>
- build as an errata for 7
* Fri Dec  1 2000 Nalin Dahyabhai <nalin at redhat.com>
- add a security patch for a problem with detached signature verification...
  might hold off for an impending 1.0.5, though
* Thu Oct 19 2000 Nalin Dahyabhai <nalin at redhat.com>
- fix a bug preventing creation of .gnupg directories
* Wed Oct 18 2000 Nalin Dahyabhai <nalin at redhat.com>
- add patch to recognize AES signatures properly (#19312)
- add gpgv to the package
* Tue Oct 17 2000 Nalin Dahyabhai <nalin at redhat.com>
- update to 1.0.4 to get security fix
* Tue Oct 10 2000 Nalin Dahyabhai <nalin at redhat.com>
- fix man page typos (#18797)
* Thu Sep 21 2000 Nalin Dahyabhai <nalin at redhat.com>
- update to 1.0.3
- switch to bundled copy of the man page
* Wed Aug 30 2000 Matt Wilson <msw at redhat.com>
- rebuild to cope with glibc locale binary incompatibility, again
* Wed Aug 16 2000 Nalin Dahyabhai <nalin at redhat.com>
- revert locale patch (#16222)
* Tue Aug 15 2000 Nalin Dahyabhai <nalin at redhat.com>
- set all locale data instead of LC_MESSAGES and LC_TIME (#16222)
* Sun Jul 23 2000 Nalin Dahyabhai <nalin at redhat.com>
- update to 1.0.2
* Wed Jul 19 2000 Jakub Jelinek <jakub at redhat.com>
- rebuild to cope with glibc locale binary incompatibility
* Thu Jul 13 2000 Prospector <bugzilla at redhat.com>
- automatic rebuild
* Wed Jul 12 2000 Nalin Dahyabhai <nalin at redhat.com>
- include lspgpot (#13772)
* Mon Jun  5 2000 Nalin Dahyabhai <nalin at redhat.com>
- rebuild in new build environment
* Fri Feb 18 2000 Bill Nottingham <notting at redhat.com>
- build of 1.0.1
* Fri Sep 10 1999 Cristian Gafton <gafton at redhat.com>
- version 1.0.0 build for 6.1us

---------------------------------------------------------------------
This update can be downloaded from:
    http://download.fedora.redhat.com/pub/fedora/linux/core/updates/6/


This update can be installed with the 'yum' update program.  Use 'yum update
package-name' at the command line.  For more information, refer to 'Managing
Software with yum,' available at http://fedora.redhat.com/docs/yum/.
---------------------------------------------------------------------



