Description
PGP Corporate Desktop before 7.1, Personal Security before 7.0.3, Freeware before 7.0.3, and E-Business Server before 7.1 do not properly display the signing status when invalid user IDs are used to sign a message. This could allow an attacker to make the user believe that a document has been signed by a trusted third party, by adding a second, invalid user ID to a key that the third party has already signed (aka the "PGPsdk Key Validity Vulnerability").
Products
- PGP Corporate Desktop 7.1
- PGP E-Business Server 6.5.8
- PGP E-Business Server 7.0.4
- PGP E-Business Server 7.1
- PGP Freeware 7.0.3
- PGP Personal Security 7.0.3
- PGP 5.0
- PGP 6.0.2
Questions to Ask Vendors
- Can you confirm whether your systems are affected by CVE-2001-1016, and if so, what steps are you currently taking to mitigate this vulnerability?
- What is your estimated timeline for fully resolving CVE-2001-1016 in your products or services, and how will you communicate updates on this issue to us as your customer?
Recommended Actions
- Review the vendor advisory links provided in the References section below.
References