This week was mostly slow. We're getting geared up for the Red Hat Enterprise Linux 5 release, so the lull in vulnerabilities was welcome. Fedora 7 is also on the horizon. I need to start getting the pieces in place for the Fedora Security Response Team. There is technically a team, but it's rather unorganized right now. Fedora 7 will be the first Fedora release to sport its very own security team. I'll fill in the details as they become available; right now there isn't much to say.
Security Updates
- thunderbird
Fixed in FC5, FC6
- ekiga
Fixed in FC5, FC6
- gnupg
Fixed in Red Hat Enterprise Linux 2.1, 3, and 4
While this update was for gnupg, there wasn't technically anything wrong with gnupg itself. Many mail clients call gnupg incorrectly, which can allow an attacker to spoof the signature of a message. Since fixing all the vulnerable mail clients would be a lot of work, it was easier to modify how gnupg handles signed content. The problem was that a message could be constructed from already existing signed content plus an unsigned payload; the mail client would then display the whole message as one large block of verified content, even though only part of it was actually covered by the signature.
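To make the failure mode concrete, here is an added example (not gnupg's or Red Hat's fix, and not code from any mail client) that shows the check a mail client should be doing on its side: splitting a message body into the region enclosed by a cleartext-signed armor block and everything outside it, and refusing to present the message as "verified" when unsigned text exists outside that block. The sample messages, including the placeholder signature data, are constructed for the example; nothing here performs cryptographic verification, which still has to come from gnupg.

```python
from __future__ import annotations

from dataclasses import dataclass

# OpenPGP cleartext-signature armor markers (RFC 4880 framing).
BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
END_SIG = "-----END PGP SIGNATURE-----"


@dataclass
class Segment:
    signed: bool  # True only for text inside a complete armor block
    text: str


def split_segments(message: str) -> list[Segment]:
    """Partition a message body into signed-armor blocks and unsigned remainder.

    Only text between a BEGIN PGP SIGNED MESSAGE line and its matching
    END PGP SIGNATURE line is marked signed. An unterminated block is
    treated as unsigned, since gnupg could not verify it either.
    """
    segments: list[Segment] = []
    pos = 0
    while True:
        start = message.find(BEGIN_SIGNED, pos)
        if start == -1:
            break
        end = message.find(END_SIG, start)
        if end == -1:
            break  # unterminated armor: remainder falls through as unsigned
        end += len(END_SIG)
        if start > pos:
            segments.append(Segment(False, message[pos:start]))
        segments.append(Segment(True, message[start:end]))
        pos = end
    if pos < len(message):
        segments.append(Segment(False, message[pos:]))
    return segments


def unsigned_text(message: str) -> str:
    """Return all content that lies outside signed blocks (whitespace ignored)."""
    return "".join(s.text for s in split_segments(message) if not s.signed).strip()


def fully_signed(message: str) -> bool:
    """True only if the signature block(s) cover the entire non-blank body.

    A client that displays a single "verified" badge must require this;
    otherwise an appended unsigned payload inherits the signed block's trust.
    """
    segs = split_segments(message)
    has_signed = any(s.signed for s in segs)
    return has_signed and unsigned_text(message) == ""


# Constructed sample: a legitimate-looking cleartext-signed block.
# The signature data is a placeholder, not a real signature.
SIGNED_BLOCK = (
    "-----BEGIN PGP SIGNED MESSAGE-----\n"
    "Hash: SHA1\n"
    "\n"
    "Please approve the attached invoice.\n"
    "-----BEGIN PGP SIGNATURE-----\n"
    "\n"
    "PLACEHOLDER-SIGNATURE-DATA\n"
    "-----END PGP SIGNATURE-----\n"
)

# Constructed sample: unsigned text appended after the signed block.
APPENDED_PAYLOAD = "\nUpdate: send the payment to the new account instead.\n"


if __name__ == "__main__":
    for label, body in [("signed only", SIGNED_BLOCK),
                        ("signed + appended text", SIGNED_BLOCK + APPENDED_PAYLOAD)]:
        print(f"{label}: fully_signed={fully_signed(body)}")
        if not fully_signed(body):
            print("  unsigned content:", unsigned_text(body))
```

The design point is that coverage and validity are separate questions: gnupg answers whether a given signed block verifies, while the client is responsible for noticing that part of the message was never inside any block. In a real client the verification result should be read from gnupg's machine-readable `--status-fd` output rather than by parsing its human-readable text, and the display should mark each segment separately rather than applying one badge to the whole message.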