Release Notes for PGP Certificate Server Version 2.5.1 for Windows NT

Copyright (c) 1990-2000 by Networks Associates Technology, Inc., and its Affiliated Companies. All Rights Reserved.

----------------------------------------------
                 - HOTFIX 4 -
----------------------------------------------

Thank you for using Network Associates' products. This What's New file contains important information regarding this HotFix release. Network Associates strongly recommends that you read this entire document.

Network Associates welcomes your comments and suggestions. Please use the information provided in this file to contact us.

Warning: Export of this software may be restricted by the U.S. Government.

___________________
WHAT'S IN THIS FILE

- The Purpose of this HotFix
- What this HotFix Does
- Files Included with this HotFix
- Installation
- Issues Resolved in Previous HotFixes
- Contacting Network Associates
- Copyright and Trademark Attributions

__________________________
THE PURPOSE OF THIS HOTFIX

This HotFix corrects a security-related bug with Additional Decryption Keys (ADKs) that may allow sophisticated attackers to add unauthorized ADK key IDs to the unhashed areas of PGP public keys. For more information about this bug, please review the PGP ADK Security Advisory available on www.pgp.com.

Note: HotFix 4 incorporates HotFix 1, 2 and 3 for pgpcertd. This HotFix (4) does not incorporate the pgprepd HotFix 1. The issues resolved in the previous HotFix releases are listed below.

_____________________
WHAT THIS HOTFIX DOES

For PGP Certificate Server 2.5.1, this HotFix includes an updated PGP_SDK.DLL and PGPCERTD.EXE, which requires that ADK and other subpackets be within the hashed portion of the self-signature subpacket.

Once the HotFix is installed on the PGP Certificate Server, the server inspects keys as they are added to the server and removes any signatures containing the unhashed subpackets described in the advisory.
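The hashed-area requirement described above, as an added Python example (not Network Associates code): it splits a version 4 signature packet body into its hashed and unhashed subpacket areas and reports any ADK subpacket found in the unhashed area. It assumes the RFC 2440/4880 signature layout and subpacket type 10 for ADKs; the function names and sample packets are constructed for illustration.

```python
ADK = 10  # subpacket type PGP uses for ADK requests (RFC 4880: "placeholder")

def split_areas(sig):
    """Return the (hashed, unhashed) subpacket areas of a v4 signature body."""
    if len(sig) < 6 or sig[0] != 4:
        raise ValueError("not a version 4 signature body")
    h_end = 6 + int.from_bytes(sig[4:6], "big")
    if h_end + 2 > len(sig):
        raise ValueError("hashed area runs past the end of the packet")
    u_end = h_end + 2 + int.from_bytes(sig[h_end:h_end + 2], "big")
    if u_end > len(sig):
        raise ValueError("unhashed area runs past the end of the packet")
    return sig[6:h_end], sig[h_end + 2:u_end]

def subpackets(area):
    """Yield (type, body) per subpacket; the critical bit is masked off."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:        # one-octet length
            n, i = first, i + 1
        elif first < 255:      # two-octet length
            n = ((first - 192) << 8) + int.from_bytes(area[i + 1:i + 2], "big") + 192
            i += 2
        else:                  # 0xFF marker, then four-octet length
            n, i = int.from_bytes(area[i + 1:i + 5], "big"), i + 5
        if n == 0 or i + n > len(area):   # also catches a cut-off length field
            raise ValueError("truncated subpacket")
        yield area[i] & 0x7F, area[i + 1:i + n]
        i += n

def adk_outside_hash(sig):
    """ADK subpacket bodies that the signature's hash does not cover."""
    return [body for t, body in subpackets(split_areas(sig)[1]) if t == ADK]

# Constructed sample data: made-up bodies, signature MPIs omitted.
def _sub(t, body):
    return bytes([len(body) + 1, t]) + body

def _sig(hashed, unhashed):
    return (bytes([4, 0x13, 17, 2]) + len(hashed).to_bytes(2, "big") + hashed
            + len(unhashed).to_bytes(2, "big") + unhashed + b"\x00\x00")

ADK_SUB = _sub(ADK, b"\xaa" * 22)
CLEAN = _sig(_sub(2, b"\x39\x84\xd6\x00") + ADK_SUB, _sub(16, b"\x11" * 8))
TAMPERED = _sig(_sub(2, b"\x39\x84\xd6\x00"), _sub(16, b"\x11" * 8) + ADK_SUB)

if __name__ == "__main__":
    for name, sig in (("CLEAN", CLEAN), ("TAMPERED", TAMPERED)):
        print(name, "reject" if adk_outside_hash(sig) else "accept")
```

A non-empty result from adk_outside_hash marks a signature whose ADK request was never covered by the key owner's self-signature hash, which is the condition the HotFix text says the server now refuses.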
The HotFix installation process also removes any signatures containing such subpackets from keys already residing on the server.

_______________________________
FILES INCLUDED WITH THIS HOTFIX

This HotFix consists of the following files:

   PGP_SDK.DLL  = PGP core cryptographic library.
   PGPCERTD.EXE = PGP Certificate Server executable
   HOTFIX.TXT   = (This file.)

____________
INSTALLATION

To install this HotFix, follow the steps below.

* INSTALLATION STEPS *

Installing this HotFix is a manual process in which you replace the existing PGP_SDK.DLL file on your machine with the one included in this HotFix.

1. Close all running applications and stop the PGP Certificate Server and Replication Engine services.

2. Replace the old PGP_SDK.DLL on your machine with the PGP_SDK.DLL included with this HotFix. This file can typically be found in the following directory:

      C:\winnt\system32

   Replace the old PGPCERTD.EXE on your machine with the PGPCERTD.EXE included with this HotFix. This file can typically be found in the following directory:

      c:\Program Files\Network Associates\PGPcertd\bin

   Note: If you get an error message telling you that the file is 'locked' or 'in use', you must set the Windows NT Services for manual startup, and restart the system in order to complete this step. Be sure to reset the original startup settings once this step is completed.

3. At a Windows command prompt, change to your installation's bin\ directory:

      cd c:\Program Files\Network Associates\PGPcertd\bin

4. Use PGPexport to export the database:

      pgpexport ..\data dump.pgp

5. Delete the data files in the data directory:

      del ..\data\*.*

6. Recreate the database:

      pgpcertd -n

7. Re-import the database:

      pgpimport dump.pgp ldap://localhost

8. Re-disable any keys that were disabled.

9. To complete the installation of the HotFix, restart your computer.

* REMOVING THIS HOTFIX *

To remove this HotFix from your computer, reinstall your original PGP Certificate Server 2.5.1 software.

NOTE: Network Associates recommends that you do NOT remove the HotFix file from your PGP installation once you have installed it. If you reinstall your PGP Certificate Server 2.5.1 product, Network Associates recommends that you also reinstall this HotFix.

____________________________________
ISSUES RESOLVED IN PREVIOUS HOTFIXES

* Resolved a replication looping issue, which may have occurred with two-way replication on PGP Certificate Server 2.5.1 when revoked keys revoked by a designated revoker were added to the server.

* Added additional logging information for Delete operations, so that the full list of deleted keys is displayed in the log.

* The released version of the Certificate Server, when configured with a single MustSigID and the TrimUsers and TrimSigs features enabled, would prevent that MustSigID key from being uploaded to the server. Added the ability for the server to accept that key.

* Resolved an issue with the indexing of certain revoked keys. A problem existed when performing a KeyStatus-is-revoked search.

* Resolved a potential looping issue which may have occurred if the replication daemon was down and a key was added to and then deleted from the server, followed by re-starting the replication daemon.

* Resolved a potential Denial of Service vulnerability in PGP Certificate Server 2.5.1. This may have occurred when devices attempted to connect to the PGP Certificate Server management port (port 4000 by default) if incoming DNS/NetBIOS traffic was blocked to the PGP Certificate Server.

* Resolved a potential Denial of Service vulnerability in PGP Certificate Server 2.5.1. This may have occurred when devices attempted to connect to the PGP Replication port (port 5000 by default) if incoming DNS/NetBIOS traffic was blocked to the PGP Certificate Server.

* Resolved a replication looping issue which may have occurred with two-way replication on PGP Certificate Server 2.5.1 when revoked keys were added to the server.

_____________________________
CONTACTING NETWORK ASSOCIATES

You may direct all questions, comments, or requests concerning the software you purchased, your registration status, or similar issues to the Network Associates Customer Service department at the addresses or phone numbers listed below.

Contact the Network Associates Customer Service department between 8:00 a.m. and 8:00 p.m. Central Time, Monday through Friday, at:

   Network Associates Customer Service
   4099 McEwen Road, Suite 500
   Dallas, Texas 75244

Contact information for corporate-licensed customers:

   Phone: (972) 308-9960
   Email: services_corporate_division@nai.com
   Web:   http://support.nai.com

Contact information for retail licensed customers:

   Phone: (972) 308-9960
   Email: cust_care@nai.com
   Web:   http://www.pgp.com

Send correspondence to the following Network Associates location:

   Network Associates Corporate Headquarters
   3965 Freedom Circle
   McCandless Towers
   Santa Clara, CA 95054

Or, you can receive online assistance through any of the following resources:

1. World Wide Web: http://support.nai.com

2. Telephone technical support

   Corporate-licensed customers: (972) 308-9960
   Contact Network Associates Customer Service for information about technical support subscription plans.

   Retail-licensed customers: (972) 855-7044

To provide the answers you need quickly and efficiently, the Network Associates technical support staff needs some information about your computer and your software.
Please have this information ready when you call:

- Program name and version number
- Computer brand and model
- Any additional hardware or peripherals connected to your computer
- Operating system type and version numbers
- Network name, operating system, and version
- Network card installed, where applicable
- Modem manufacturer, model, and bits-per-second rate, where applicable
- Relevant browsers or applications and their version numbers, where applicable
- How to reproduce your problem: when it occurs, whether you can reproduce it regularly, and under what conditions
- Information needed to contact you by voice, fax, or email

*FOR PRODUCT UPGRADES*

Network Associates has a worldwide range of partnerships and reseller relationships with hundreds of independent vendors, each of which can provide you with consulting services, sales advice, and product support for Network Associates software. To find a reseller near your location, see the RESELLER.TXT file located on your product CD-ROM or installed on your hard disk. For assistance in locating a local reseller, you can also contact Network Associates Customer Service at (972) 308-9960.

*FOR REPORTING PROBLEMS*

Network Associates prides itself on delivering a high-quality product. If you find any problems, please take a moment to review the contents of this file. If the problem you've encountered appears in the Known Issues section of this README.TXT file, Network Associates is already aware of the problem, and you need not report it.

If you find any feature that does not appear to function properly on your system, or if you believe an application would benefit greatly from enhancement, please contact Network Associates or one of its resellers with your suggestions or concerns.

*FOR ON-SITE TRAINING INFORMATION*

Contact Network Associates Customer Service at (800) 338-8754.

____________________________________
COPYRIGHT AND TRADEMARK ATTRIBUTIONS

Copyright (c) 1999 Networks Associates Technology, Inc.
All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of Networks Associates Technology, Inc., or its suppliers or affiliate companies.

* TRADEMARKS *

* ActiveHelp, Bomb Shelter, Building a World of Trust, CipherLink, Clean-Up, Cloaking, CNX, Compass 7, CyberCop, CyberMedia, Data Security Letter, Discover, Distributed Sniffer System, Dr Solomon’s, Enterprise Secure Cast, First Aid, ForceField, Gauntlet, GMT, GroupShield, HelpDesk, Hunter, ISDN Tel/Scope, LM 1, LANGuru, Leading Help Desk Technology, Magic Solutions, MagicSpy, MagicTree, Magic University, MagicWin, MagicWord, McAfee, McAfee Associates, MoneyMagic, More Power To You, Multimedia Cloaking, NetCrypto, NetOctopus, NetRoom, NetScan, Net Shield, NetShield, NetStalker, Net Tools, Network Associates, Network General, Network Uptime!, NetXRay, Nuts & Bolts, PC Medic, PCNotary, PGP, PGP (Pretty Good Privacy), PocketScope, Pop-Up, PowerTelnet, Pretty Good Privacy, PrimeSupport, RecoverKey, RecoverKey-International, ReportMagic, RingFence, Router PM, Safe & Sound, SalesMagic, SecureCast, Service Level Manager, ServiceMagic, Site Meter, Sniffer, SniffMaster, SniffNet, Stalker, Statistical Information Retrieval (SIR), SupportMagic, Switch PM, TeleSniffer, TIS, TMach, TMeg, Total Network Security, Total Network Visibility, Total Service Desk, Total Virus Defense, T-POD, Trusted Mach, Trusted Mail, Uninstaller, Virex, Virex-PC, Virus Forum, ViruScan, VirusScan, VShield, WebScan, WebShield, WebSniffer, WebStalker, WebWall, and ZAC 2000 are registered trademarks of Network Associates and/or its affiliates in the US and/or other countries. All other registered and unregistered trademarks in this document are the sole property of their respective owners.

* LICENSE AGREEMENT *

NOTICE TO ALL USERS: FOR THE SPECIFIC TERMS OF YOUR LICENSE TO USE THE SOFTWARE THAT THIS DOCUMENTATION DESCRIBES, CONSULT THE README.1ST, LICENSE.TXT, OR OTHER LICENSE DOCUMENT THAT ACCOMPANIES YOUR SOFTWARE, EITHER AS A TEXT FILE OR AS PART OF THE SOFTWARE PACKAGING. IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH THEREIN, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO THE PLACE OF PURCHASE FOR A FULL REFUND.