Updated:  October 10, 2000

Status

Affected

Vendor Statement

We at NAI/PGP Security regret this important bug in the ADK feature that has been described on various Internet postings today (Thursday 24 Aug). We were made aware of this bug in PGP early this morning. We are responding as fast as we can, and expect to have new 6.5.x releases out to fix this bug late Thursday evening. The MIT web site should have a new PGP 6.5.x freeware release early Friday, and the NAI/PGP web site should have patches out for the commercial releases at about the same time. As of this afternoon (Thursday), the PGP key server at PGP already filters out keys with the bogus ADK packets. We expect to have fixes available for the other key servers that run our software by tomorrow. We have also alerted the other vendors that make PGP key server software to the problem, and expect Highware/Veridis in Belgium to have their key servers filtering keys the same way by Friday. The fixes that we are releasing for the PGP client software filters out the offending ADK packets. We already warn the users whenever they are about to use an ADK, even in the normal case. We will have new information as soon as it becomes available at http://www.pgp.com. Philip Zimmermann prz@pgp.com 19:00 PDT Thursday 24 Aug 2000

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The following systems are affected by this vulnerability: PGP versions 5.5.x through 6.5.3, domestic and international