NOW READ THIS
("Security Advisory")



Submitted by: Bill Hickey
NCVA List Master

NRT-0079 Vulnerability found in widely used email encryption program:


A problem related to a widely used open-source cryptography technology could let miscreants tamper with digitally signed and encrypted emails. The problem lies in how certain email applications display messages signed using the GNU Privacy Guard, also known as GnuPG and GPG, the GnuPG group said in a 6MAR security alert. It may not be possible to identify which part of a message is actually signed if GPG is not used correctly. It is possible to insert additional text before or after a signed, or signed and encrypted, OpenPGP message and make the user believe that this additional text is also covered by the signature. This poses a risk to those who use the cryptographic technology to authenticate or encrypt email messages. A similar problem occurred last year with the GnuPG technology. GnuPG is a free replacement for the Pretty Good Privacy (PGP) cryptographic technology. This latest issue affects several open-source email clients, including KDE's KMail, Novell's Evolution, Sylpheed, Mutt, GnuMail.org, and Enigmail, an extension to the Mozilla mail clients.

(CNET News 07MAR07, http://news.zdnet.com, 07MAR07)
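
The display-side check implied above, as an added example (not code from the advisory, GnuPG, or any of the mail clients named): it separates the text inside an inline cleartext-signed block from any text placed before or after it, so a client can mark that surrounding text as unsigned. The function names and the sample body are assumptions made for illustration; only the framing is parsed, and the signature itself is not verified.

```python
BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

def split_clearsigned(body):
    """Split a body into unsigned prefix, signed text, unsigned suffix (framing only)."""
    lines = body.splitlines()
    try:
        start = lines.index(BEGIN_SIGNED)
        sig = lines.index(BEGIN_SIG, start + 1)
        end = lines.index(END_SIG, sig + 1)
    except ValueError:
        # No complete signed block: nothing here may be shown as signed.
        return {"prefix": body.strip(), "signed": None, "suffix": ""}
    # Armor headers such as "Hash: SHA256" run up to the first empty line.
    text_start = start + 1
    while text_start < sig and lines[text_start].strip():
        text_start += 1
    # Undo dash-escaping: signed lines starting with "-" carry a "- " prefix.
    signed = [l[2:] if l.startswith("- ") else l
              for l in lines[text_start + 1:sig]]
    return {
        "prefix": "\n".join(lines[:start]).strip(),
        "signed": "\n".join(signed),
        "suffix": "\n".join(lines[end + 1:]).strip(),
    }

def has_unsigned_text(parts):
    """True when the body carries text that the signature cannot cover."""
    return bool(parts["prefix"] or parts["suffix"])

# Constructed sample body; the signature block is a placeholder, not real.
SAMPLE = "\n".join([
    "Text added before the signed block.",
    BEGIN_SIGNED,
    "Hash: SHA256",
    "",
    "Meeting moved to 3pm.",
    "- -- Alice",
    BEGIN_SIG,
    "",
    "(placeholder signature data)",
    END_SIG,
    "Text added after the signed block.",
])

if __name__ == "__main__":
    print(split_clearsigned(SAMPLE))
```

A client would pass only the `signed` portion to the "verified" part of its display and render `prefix` and `suffix` with a clear unsigned marker.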



Last Modified: Wednesday, 14-Mar-2007 10:59:17 EST