Network Associates, Inc.
We at NAI/PGP Security regret this important bug in the ADK feature
that has been described on various Internet postings today (Thursday
24 Aug). We were made aware of this bug in PGP early this morning.
We are responding as fast as we can, and expect to have new 6.5.x
releases out to fix this bug late Thursday evening. The MIT web
site should have a new PGP 6.5.x freeware release early Friday, and
the NAI/PGP web site should have patches out for the commercial
releases at about the same time. As of this afternoon (Thursday),
the PGP key server at PGP already filters out keys with the bogus
ADK packets. We expect to have fixes available for the other key
servers that run our software by tomorrow. We have also alerted
the other vendors that make PGP key server software to the problem,
and expect Highware/Veridis in Belgium to have their key servers
filtering keys the same way by Friday.
The fixes that we are releasing for the PGP client software
filter out the offending ADK packets. We already warn the users
whenever they are about to use an ADK, even in the normal case.
We will have new information as soon as it becomes available at
19:00 PDT Thursday 24 Aug 2000
A signed version of this statement is available at
The CERT Coordination Center thanks Ralf Senderek for bringing this
problem to light and Network Associates for developing a solution and
assisting in the preparation of this advisory.
Authors: Cory Cohen, Shawn Hernan, Jeff Havrilla, and Jeffrey P. Lanza.
Graphics developed by Matt DeSantis.
Feedback on this advisory is appreciated.
Copyright 2000 Carnegie Mellon University.
August 24, 2000: Initial release
August 25, 2000: Fixed some typographical and semantic errors in the Impact section.
August 29, 2000: Added information about the GNU Privacy Guard, GPG
September 28, 2000: Corrected misspelled name in author section