         Release Notes for PGP Certificate Server 
              Version 2.5.1 for Solaris
     Copyright (c) 1990-2000 by Networks Associates 
     Technology, Inc., and its Affiliated Companies. 
                 All Rights Reserved.

     ----------------------------------------------
     -                HOTFIX 4                    -
     ----------------------------------------------


Thank you for using Network Associates' products.
This What's New file contains important information
regarding this HotFix release. Network Associates
strongly recommends that you read this entire
document.

Network Associates welcomes your comments and
suggestions. Please use the information provided in
this file to contact us.

Warning: Export of this software may be restricted
by the U.S. Government.


___________________
WHAT'S IN THIS FILE

- The Purpose of this HotFix
- What this HotFix Does
- Files Included with this HotFix
- Installation
- Issues Resolved in Previous HotFixes
- Contacting Network Associates
- Copyright and Trademark Attributions


__________________________
THE PURPOSE OF THIS HOTFIX

This HotFix corrects a security-related bug with
Additional Decryption Keys (ADKs) that may allow
sophisticated attackers to add unauthorized ADK 
key IDs to the unhashed areas of PGP public keys.

For more information about this bug, please 
review the PGP ADK Security Advisory available
on www.pgp.com.

  Note: HotFix 4 incorporates HotFix 1, 2 and 3 
  for pgpcertd. This HotFix (4) does not 
  incorporate the pgprepd HotFix 1.


_____________________
WHAT THIS HOTFIX DOES

This HotFix installs an updated pgpcertd file, 
which requires that ADK and other subpackets
be within the hashed portion of the 
self-signature's subpacket data.

Once the HotFix is installed on the PGP Certificate
Server, the server inspects keys as they are added
to the server and removes any signatures containing
the unhashed subpackets described in the 
advisory. 

The HotFix installation process also removes any
signatures containing such subpackets from keys
already residing on the server.
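
The check described above, sketched in Python as an
added example (not code from pgpcertd or Network
Associates), run over two constructed signature bodies.
It assumes the RFC 2440 version 4 signature layout,
subpacket type 10 for ADKs, and a policy that allows
only the issuer key ID unhashed; this file does not
state the server's exact rule set.

```python
ADK = 10      # subpacket type PGP uses for ADKs (RFC 2440 lists it as a placeholder)
ISSUER = 16   # issuer key ID, commonly stored in the unhashed area

def parse_subpackets(area):
    """Decode one subpacket area into a list of (type, data) pairs."""
    out, i = [], 0
    while i < len(area):
        first = area[i]
        if first < 192:                      # one-octet length
            length, i = first, i + 1
        elif first < 255:                    # two-octet length
            length = ((first - 192) << 8) + int.from_bytes(area[i + 1:i + 2], "big") + 192
            i += 2
        else:                                # 0xFF followed by a four-octet length
            length, i = int.from_bytes(area[i + 1:i + 5], "big"), i + 5
        if length == 0 or i + length > len(area):   # also catches truncated headers
            raise ValueError("malformed subpacket")
        out.append((area[i] & 0x7F, area[i + 1:i + length]))  # mask the critical bit
        i += length
    return out

def split_areas(body):
    """Return (hashed, unhashed) subpacket lists of a v4 signature packet body."""
    if len(body) < 6 or body[0] != 4:
        raise ValueError("not a version 4 signature packet")
    h_end = 6 + int.from_bytes(body[4:6], "big")
    if h_end + 2 > len(body):
        raise ValueError("truncated hashed area")
    u_end = h_end + 2 + int.from_bytes(body[h_end:h_end + 2], "big")
    if u_end > len(body):
        raise ValueError("truncated unhashed area")
    return parse_subpackets(body[6:h_end]), parse_subpackets(body[h_end + 2:u_end])

def keep_signature(body, allowed_unhashed=(ISSUER,)):
    """Assumed policy: drop a signature carrying any other unhashed subpacket."""
    _, unhashed = split_areas(body)
    return all(t in allowed_unhashed for t, _ in unhashed)

# Constructed sample bodies: zeroed key IDs and fingerprint, signature MPIs omitted.
def _sub(t, data):
    return bytes([len(data) + 1, t]) + data
def _body(hashed, unhashed):
    return (bytes([4, 0x13, 17, 2]) + len(hashed).to_bytes(2, "big") + hashed
            + len(unhashed).to_bytes(2, "big") + unhashed + b"\x00\x00")
ADK_DATA = bytes([0x80, 17]) + bytes(20)   # class, algorithm, placeholder fingerprint
GOOD = _body(_sub(2, bytes(4)) + _sub(ADK, ADK_DATA), _sub(ISSUER, bytes(8)))
BAD = _body(_sub(2, bytes(4)), _sub(ISSUER, bytes(8)) + _sub(ADK, ADK_DATA))
```

keep_signature(GOOD) is True because the ADK subpacket
is covered by the signature hash; keep_signature(BAD)
is False because the same subpacket sits unhashed.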


_______________________________
FILES INCLUDED WITH THIS HOTFIX

This HotFix consists of the following files:

          pgpcertd = PGP Certificate Server daemon

         pgpexport = PGP Certificate Server database 
                     export utility
 
        HOTFIX.TXT = (This file.)


____________
INSTALLATION

To install this HotFix, follow the steps below.

* INSTALLATION STEPS *

Installing this HotFix is a manual process in which
you replace the existing pgpcertd file on your 
machine with the one included in this HotFix.

1.  Stop the PGP Certificate Server.

2.  Extract the HotFix zip file's contents into the 
    /opt/PGPcertd/bin directory.

3.  Make these files executable:
    chmod u+x pgpcertd pgpexport

4.  Use pgpexport to export the database:
    ./pgpexport ../data dump.pgp

5.  Delete the data files in the data directory.
    rm ../data/*

6.  Recreate the database.
    ./pgpcertd -n

7.  Restart the server.
    ./pgpcertd

8.  Re-import the database.
    ./pgpimport dump.pgp ldap://localhost

9.  Re-disable any keys that were disabled.

10. To complete the installation of the HotFix,
    restart the PGP Certificate Server.


* REMOVING THIS HOTFIX *

To remove this HotFix from your computer, reinstall your
original PGP Certificate Server 2.5.1 software.

NOTE: Network Associates recommends that you do NOT remove
      the HotFix file from your PGP installation
      once you have installed it. If you reinstall your
      PGP Certificate Server 2.5.1 product, Network
      Associates recommends that you also reinstall this
      HotFix and any HotFixes you may have installed 
      previously.

____________________________________
ISSUES RESOLVED IN PREVIOUS HOTFIXES

*  Fixed a problem with the indexing of the
   Disabled attribute on keys. On some
   installations, this affected the ability to
   find disabled keys on the server using the
   single search term "key status is disabled."

*  Resolved a replication looping issue, which
   may have occurred with two-way replication
   on PGP Certificate Server 2.5.1 when keys
   revoked by a designated revoker were added
   to the server.

*  Added additional logging information for Delete
   operations, so that the full list of deleted keys
   is displayed in the log.

*  The released version of the Certificate Server,
   when configured with a single MustSigID and the
   TrimUsers and TrimSigs features enabled, would
   prevent that MustSigID key from being uploaded
   to the server. Added the ability for the server to
   accept that key.
 
*  Resolved an issue with the indexing of certain 
   revoked keys. A problem existed when
   performing a KeyStatus-is-revoked search.

*  Resolved a potential looping issue which may have
   occurred if the replication daemon was down and a
   key was added to and then deleted from the 
   server, followed by restarting the replication
   daemon.

*  Resolved a potential Denial of Service vulnerability
   in PGP Certificate Server 2.5.1. This may have
   occurred when devices attempted to connect
   to the PGP Certificate Server management port
   (port 4000 by default) if incoming DNS/NetBIOS
   traffic was blocked to the PGP Certificate Server.

*  Resolved a potential Denial of Service vulnerability
   in PGP Certificate Server 2.5.1. This may
   have occurred when devices attempted to connect to
   the PGP Replication port (port 5000 by default) if
   incoming DNS/NetBIOS traffic was blocked to the PGP
   Certificate Server.

*  Resolved a replication looping issue which may have
   occurred with two-way replication on PGP Certificate
   Server 2.5.1 when revoked keys were added to the
   server.


_____________________________
CONTACTING NETWORK ASSOCIATES

You may direct all questions, comments, or requests 
concerning the software you purchased, your registration 
status, or similar issues to the Network Associates 
Customer Service department at the addresses or phone 
numbers listed below.

Contact the Network Associates Customer Service department
between 8:00 a.m. and 8:00 p.m. Central Time, Monday 
through Friday, at:

     Network Associates Customer Service
     4099 McEwen Road, Suite 500
     Dallas, Texas 75244

     Contact information for corporate-licensed
     customers:

     Phone:  (972) 308-9960 
     Email:  services_corporate_division@nai.com
     Web:    http://support.nai.com

     Contact information for retail licensed
     customers:

     Phone:  (972) 308-9960
     Email:  cust_care@nai.com
     Web:    http://www.pgp.com


Send correspondence to the following
Network Associates location:

     Network Associates Corporate Headquarters
     3965 Freedom Circle
     McCandless Towers
     Santa Clara, CA 95054

Or, you can receive online assistance through
any of the following resources:

 1.  World Wide Web:  http://support.nai.com

 2.  Telephone technical support

     Corporate-licensed customers: (972) 308-9960

     Contact Network Associates Customer Service for 
     information about technical support 
     subscription plans.

     Retail-licensed customers:    (972) 855-7044


To provide the answers you need quickly and
efficiently, the Network Associates technical
support staff needs some information about your 
computer and your software. Please have this 
information ready when you call:

 - Program name and version number
 - Computer brand and model
 - Any additional hardware or peripherals
   connected to your computer
 - Operating system type and version numbers
 - Network name, operating system, and version
 - Network card installed, where applicable
 - Modem manufacturer, model, and bits-per-
   second rate, where applicable
 - Relevant browsers or applications and their
   version numbers, where applicable
 - How to reproduce your problem: when it
   occurs, whether you can reproduce it
   regularly, and under what conditions
 - Information needed to contact you by voice,
   fax, or email



*FOR PRODUCT UPGRADES*

Network Associates has a worldwide range of
partnerships and reseller relationships with
hundreds of independent vendors, each of which
can provide you with consulting services, sales
advice, and product support for Network
Associates software. To find a reseller near
your location, see the RESELLER.TXT file
located on your product CD-ROM or installed on
your hard disk. For assistance in locating a
local reseller, you can also contact Network
Associates Customer Service at (972) 
308-9960.


*FOR REPORTING PROBLEMS*

Network Associates prides itself on delivering
a high-quality product. If you find any
problems, please take a moment to review the
contents of this file. If the problem you've
encountered appears in the Known Issues section
of this README.TXT file, Network Associates is
already aware of the problem, and you need not
report it.

If you find any feature that does not appear to
function properly on your system, or if you
believe an application would benefit greatly
from enhancement, please contact Network
Associates or one of its resellers with your
suggestions or concerns.


*FOR ON-SITE TRAINING INFORMATION*

Contact Network Associates Customer Service at
(800) 338-8754.


____________________________________
COPYRIGHT AND TRADEMARK ATTRIBUTIONS

Copyright (c) 1999 Networks Associates Technology, Inc.
All Rights Reserved. No part of this publication may be
reproduced, transmitted, transcribed, stored in a retrieval
system, or translated into any language in any form or by
any means without the written permission of Networks
Associates Technology, Inc., or its suppliers or affiliate
companies.

* TRADEMARKS *

* ActiveHelp, Bomb Shelter, Building a World of Trust,
CipherLink, Clean-Up, Cloaking, CNX, Compass 7, CyberCop,
CyberMedia, Data Security Letter, Discover, Distributed
Sniffer System, Dr Solomons, Enterprise Secure Cast,
First Aid, ForceField, Gauntlet, GMT, GroupShield,
HelpDesk, Hunter, ISDN Tel/Scope, LM 1, LANGuru, Leading
Help Desk Technology, Magic Solutions, MagicSpy, MagicTree,
Magic University, MagicWin, MagicWord, McAfee, McAfee
Associates, MoneyMagic, More Power To You, Multimedia
Cloaking, NetCrypto, NetOctopus, NetRoom, NetScan,
Net Shield, NetShield, NetStalker, Net Tools, Network
Associates, Network General, Network Uptime!, NetXRay,
Nuts & Bolts, PC Medic, PCNotary, PGP, PGP (Pretty Good
Privacy), PocketScope, Pop-Up, PowerTelnet, Pretty Good
Privacy, PrimeSupport, RecoverKey, RecoverKey-International, 
ReportMagic, RingFence, Router PM, Safe & Sound, SalesMagic, 
SecureCast, Service Level Manager, ServiceMagic, Site Meter,
Sniffer, SniffMaster, SniffNet, Stalker, Statistical
Information Retrieval (SIR), SupportMagic, Switch PM,
TeleSniffer, TIS, TMach, TMeg, Total Network Security,
Total Network Visibility, Total Service Desk, Total Virus
Defense, T-POD, Trusted Mach, Trusted Mail, Uninstaller,
Virex, Virex-PC, Virus Forum, ViruScan, VirusScan, VShield,
WebScan, WebShield, WebSniffer, WebStalker, WebWall, and
ZAC 2000 are registered trademarks of Network Associates
and/or its affiliates in the US and/or other countries.
All other registered and unregistered trademarks in this
document are the sole property of their respective owners.

* LICENSE AGREEMENT *

NOTICE TO ALL USERS: FOR THE SPECIFIC TERMS OF YOUR LICENSE
TO USE THE SOFTWARE THAT THIS DOCUMENTATION DESCRIBES,
CONSULT THE README.1ST, LICENSE.TXT, OR OTHER LICENSE
DOCUMENT THAT ACCOMPANIES YOUR SOFTWARE, EITHER AS A TEXT
FILE OR AS PART OF THE SOFTWARE PACKAGING. IF YOU DO NOT
AGREE TO ALL OF THE TERMS SET FORTH THEREIN, DO NOT INSTALL
THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO
THE PLACE OF PURCHASE FOR A FULL REFUND.