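Vulnerability Details
Multiple Vendor PGP5 Automatic Key Generation Vulnerability
- CNNVD ID: CNNVD-200005-090
- Severity: Low
- CVE ID: CVE-2000-0445
- Vulnerability type: Design error
- Published: 2000-05-24
- Threat type: Local
- Updated: 2006-09-22
- Vendor: pgp
- Vulnerability source: This vulnerability...
Vulnerability Summary
The pgpk command in PGP 5.x on Unix systems uses an insufficient source of random data for non-interactive key generation. This vulnerability may result in predictable keys.
Vulnerability Advisory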
Patching line 1324 of src/lib/ttyui/pgpUserIO.c to look like: read(fd, &RandBuf, count); will fix this vulnerability. As there is no error checking in place in that function, it will have no negative impact; ideally, this read should be checked to ensure a byte was actually returned, or the potential for another vulnerability exists.

From NAI Security Advisory:

Users who generated keys in the manner described above are strongly urged to do the following:
- Revoke and no longer use keys suspected to have this problem
- Generate new public/private keypairs with entropy collected from users' typing and/or mouse movements
- Re-encrypt any data with the newly generated keypairs that is currently encrypted with keys suspected to have this problem
- Re-sign any data with the newly generated keypairs, if required

Users are also urged to upgrade to the latest releases of PGP, as PGP 5.0 products have not been officially supported by Network Associates since early 1999, or distributed by Network Associates since June 1998.

PGPi PGPi 5.0 i
- PGPi pgpi 6.5 ftp://ftp.pgpi.com/pub/pgp/6.5/
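
The advisory notes that the patched read should itself be checked so that a byte is known to have been returned. One way to do that, as an added example (not code from PGP or from the advisory; the function names and the /dev/random path are assumptions): loop until every requested byte has arrived and fail closed on EOF or error.

```c
/* Added example: checked entropy read. Names are hypothetical, not PGP's. */
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <sys/types.h>
#include <unistd.h>

/* Fill buf with exactly count bytes from fd.
 * Returns 0 only when all count bytes were read; returns -1 on a read
 * error or on EOF before the buffer is full. */
int read_random_bytes(int fd, unsigned char *buf, size_t count)
{
    size_t got = 0;

    while (got < count) {
        ssize_t n = read(fd, buf + got, count - got);
        if (n > 0) {
            got += (size_t)n;          /* short read: keep going */
        } else if (n == -1 && errno == EINTR) {
            continue;                  /* interrupted by a signal: retry */
        } else {
            return -1;                 /* n == 0 (EOF) or a real error */
        }
    }
    return 0;
}

/* Open the random device at path (assumed, e.g. "/dev/random") and
 * fetch count bytes. Any failure is reported to the caller. */
int gather_entropy(const char *path, unsigned char *buf, size_t count)
{
    int fd = open(path, O_RDONLY);
    if (fd == -1)
        return -1;
    int rc = read_random_bytes(fd, buf, count);
    close(fd);
    return rc;
}

int main(void)
{
    unsigned char seed[32];
    /* A key generator must stop here rather than continue with a bad seed. */
    return gather_entropy("/dev/random", seed, sizeof seed) == 0 ? 0 : 1;
}
```

A caller that ignores the return value is back in the original situation: key material derived from a buffer that was never filled.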
References
- Source: CERT/CC Advisory: CA-2000-09 Name: CA-2000-09 Link: http://www.cert.org/advisories/CA-2000-09.HTML
- Source: BID Name: 1251 Link: http://www.securityfocus.com/bid/1251
- Source: OSVDB Name: 1355 Link: http://www.osvdb.org/1355
- Source: BUGTRAQ Name: 20000523 Key Generation Security Flaw in PGP 5.0 Link: http://archives.neohapsis.com/archives/bugtraq/2000-05/0273.HTML
Affected Entities
- Pgp Pgp:5.0_linux
- Pgp Pgp:5.0i
- Pgp Pgp:6.5_linux
Patches
None available