Multiple Vendor PGP5 Automatic Key Generation Routine Vulnerability
Solution:

Patching line 1324 of src/lib/ttyui/pgpUserIO.c to look like:

    read(fd, &RandBuf, count);

will fix this vulnerability. As there is no error checking in place in that function, the change will have no negative impact. Ideally, this read should be checked to ensure a byte was actually returned; otherwise the potential for another vulnerability exists.

From NAI Security Advisory:

Users who generated keys in the manner described above are strongly urged to do the following:

- Revoke and no longer use keys suspected to have this problem
- Generate new public/private keypairs with entropy collected from users' typing and/or mouse movements
- Re-encrypt any data with the newly generated keypairs that is currently encrypted with keys suspected to have this problem
- Re-sign any data with the newly generated keypairs, if required

Users are also urged to upgrade to the latest releases of PGP, as PGP 5.0 products have not been officially supported by Network Associates since early 1999, or distributed by Network Associates since June 1998.

PGPi PGPi 5.0 i
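The Solution text notes that the patched read is still unchecked. The following added example (not PGP source code and not part of the advisory) shows one way to read random bytes so that a short read, EOF or error is never mistaken for entropy; the function names are hypothetical and a pipe stands in for the random device.

```c
/* Added example: checked entropy read; not PGP source code. */
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper: fill buf with exactly len bytes from fd.
 * Returns 0 on success, -1 on error or premature EOF. On failure the
 * buffer is zeroed so a caller cannot mistake stale data for entropy. */
int read_entropy_checked(int fd, unsigned char *buf, size_t len)
{
    size_t got = 0;

    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n > 0) {
            got += (size_t)n;          /* short read: keep going */
        } else if (n < 0 && errno == EINTR) {
            continue;                  /* interrupted by a signal: retry */
        } else {
            memset(buf, 0, len);       /* n == 0 (EOF) or hard error */
            return -1;
        }
    }
    return 0;
}

/* Constructed demonstration using a pipe in place of a random device:
 * returns 1 if a full read succeeds and a truncated one is rejected. */
int demo_checked_read(void)
{
    int p[2];
    unsigned char out[4];
    const unsigned char sample[6] = { 0xde, 0xad, 0xbe, 0xef, 0x01, 0x02 };

    if (pipe(p) != 0) return 0;
    if (write(p[1], sample, sizeof sample) != (ssize_t)sizeof sample) return 0;
    close(p[1]);                        /* only 6 bytes will ever arrive */

    int full = read_entropy_checked(p[0], out, 4);      /* 4 of 6: ok */
    int same = memcmp(out, sample, 4) == 0;
    int trunc = read_entropy_checked(p[0], out, 4);     /* 2 left: fail */
    close(p[0]);
    return full == 0 && same && trunc == -1;
}
```

A caller that gets -1 should abort key generation rather than continue with whatever the buffer holds.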