FreeBSD : gnupg -- false positive signature verification (63fe4189-9f97-11da-ac32-0001020eed82)

This script is Copyright (C) 2006-2013 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing a security-related update.

Description :

Werner Koch reports :

The Gentoo project identified a security related bug in GnuPG. When
using any current version of GnuPG for unattended signature
verification (e.g. by scripts and mail programs), false positive
signature verification of detached signatures may occur.

This problem affects the tool *gpgv*, as well as using 'gpg --verify'
to imitate gpgv, if only the exit code of the process is used to
decide whether a detached signature is valid. This is a plausible mode
of operation for gpgv.

If, as suggested, the --status-fd generated output is used to decide
whether a signature is valid, no problem exists. In particular
applications making use of the GPGME library[2] are not affected.
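The safe mode of operation the report describes, as an added example that is not part of the advisory or of GnuPG itself: the script below ignores the exit status of gpgv entirely and decides from the machine-readable status lines that `--status-fd` emits, treating a detached signature as valid only when a GOODSIG and a VALIDSIG record appear and no failure token (BADSIG, ERRSIG, NODATA and similar) is present. The keyring, file and signature paths and the status lines used by the demo are constructed placeholders; the `status_says_valid` and `verify_detached` function names are this example's own.

```shell
#!/bin/sh
# Added example: judge a detached signature from --status-fd output,
# never from the process exit code alone.

# Return 0 only when the status lines in file $1 report a good, valid
# signature and no failure token. Token names are GnuPG's own
# (see GnuPG's doc/DETAILS); the failure list here is deliberately broad.
status_says_valid() {
    status_file="$1"
    # Any failure or error token means the signature must not be trusted.
    if grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|NODATA|EXPSIG|EXPKEYSIG|REVKEYSIG|UNEXPECTED|FAILURE)' "$status_file"; then
        return 1
    fi
    # Require both a good-signature and a valid-signature record; an empty
    # status stream (nothing was verified) therefore counts as invalid.
    grep -Eq '^\[GNUPG:\] GOODSIG ' "$status_file" || return 1
    grep -Eq '^\[GNUPG:\] VALIDSIG ' "$status_file" || return 1
    return 0
}

# Wrapper around gpgv: status lines go to fd 3, which is redirected into a
# temporary file; the exit code of gpgv is intentionally not consulted.
# Usage: verify_detached keyring.gpg file.sig file
verify_detached() {
    keyring="$1"; sig="$2"; data="$3"
    status_tmp=$(mktemp) || return 1
    gpgv --status-fd 3 --keyring "$keyring" "$sig" "$data" 3>"$status_tmp" >/dev/null 2>&1
    status_says_valid "$status_tmp"
    rc=$?
    rm -f "$status_tmp"
    return $rc
}

# Offline demo on constructed status output (placeholder key id and
# fingerprint, not real keys): a valid run, a NODATA run and an empty run.
demo() {
    good=$(mktemp); bad=$(mktemp); empty=$(mktemp)
    printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] GOODSIG 0123456789ABCDEF Example User <user@example.org>' \
        '[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2006-02-15 1139997010 0 4 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567' \
        > "$good"
    printf '%s\n' '[GNUPG:] NODATA 1' > "$bad"
    : > "$empty"
    for f in "$good" "$bad" "$empty"; do
        if status_says_valid "$f"; then echo "$f: VALID"; else echo "$f: NOT VALID"; fi
    done
    rm -f "$good" "$bad" "$empty"
}

demo
```

The point of the split into two functions is that the decision logic can be tested without a keyring or a signing key, while `verify_detached` is what a mail filter or package-fetching script would actually call; applications built on GPGME get the equivalent status parsing for free, which is why the report exempts them.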

See also :

http://marc.info/?l=gnupg-devel&m=113999098729114
http://www.nessus.org/u?4bbf87ef

Solution :

Update the affected package.

Risk factor :

Medium / CVSS Base Score : 4.6
(CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P)

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 21442 (freebsd_pkg_63fe41899f9711daac320001020eed82.nasl)

Bugtraq ID:

CVE ID: CVE-2006-0455
