On 10/05/2013 08:56 AM, Werner Koch wrote:
> Hello!
>
> We are pleased to announce the availability of a new stable GnuPG-1
> release: Version 1.4.15. This is a *security fix* release and all users
> are advised to update to this version. See below for the impact of the
> problem.

I'm using Thunderbird with Enigmail. Enigmail is at 1.5.2 (20130913-2148) and gpg is at 1.4.11. Is it best to wait for Enigmail to update, or to update gpg manually?

> The GNU Privacy Guard (GnuPG) is GNU's tool for secure communication
> and data storage. It is a complete and free replacement of PGP and
> can be used to encrypt data and to create digital signatures. It
> includes an advanced key management facility, smartcard support and is
> compliant with the OpenPGP Internet standard as described by RFC-4880.
>
> Note that this version is from the GnuPG-1 series and thus smaller than
> those from the GnuPG-2 series, easier to build, and also more portable
> to ancient platforms. In contrast to GnuPG-2 (e.g. version 2.0.22) it
> comes with no support for S/MIME, Secure Shell, or other tools useful
> for desktop environments. Fortunately you may install both versions
> alongside on the same system without any conflict.
>
>
> What's New
> ==========
>
> * Fixed possible infinite recursion in the compressed packet
>   parser. [CVE-2013-4402]
>
> * Protect against rogue keyservers sending secret keys.
>
> * Use 2048 bit also as default for batch key generation.
>
> * Minor bug fixes.
>
>
> Impact of the security problem
> ==============================
>
> Specially crafted input data may be used to cause a denial of service
> against GPG (GnuPG's OpenPGP part) and some other OpenPGP
> implementations. All systems using GPG to process incoming data are
> affected.
>
> Taylor R. Campbell invented a neat trick to generate OpenPGP packets
> to force GPG to recursively parse certain parts of OpenPGP messages ad
> infinitum. As a workaround a tight "ulimit -v" setting may be used to
> mitigate the problem. Sample input data to trigger this problem has
> not yet been seen in the wild. Details of the attack will eventually
> be published by its inventor.
>
> A fixed release of the GnuPG 2.0 series has also been released.
>
>
> Getting the Software
> ====================
>
> First of all, decide whether you really need GnuPG version 1.4.x - most
> users are better off with the modern GnuPG 2.0.x version. Then follow
> the instructions found at http://www.gnupg.org/download/ or read on:
>
> GnuPG 1.4.15 may be downloaded from one of the GnuPG mirror sites or
> direct from ftp://ftp.gnupg.org/gcrypt/ . The list of mirrors can be
> found at http://www.gnupg.org/mirrors.html . Note that GnuPG is not
> available at ftp.gnu.org.
>
> On the mirrors you should find the following files in the *gnupg*
> directory:
>
>   gnupg-1.4.15.tar.bz2 (3569k)
>   gnupg-1.4.15.tar.bz2.sig
>
>     GnuPG source compressed using BZIP2 and OpenPGP signature.
>
>   gnupg-1.4.15.tar.gz (4948k)
>   gnupg-1.4.15.tar.gz.sig
>
>     GnuPG source compressed using GZIP and OpenPGP signature.
>
>   gnupg-1.4.14-1.4.15.diff.bz2 (37k)
>
>     A patch file to upgrade a 1.4.14 GnuPG source tree. This patch
>     does not include updates of the language files.
>
> Select one of them. To shorten the download time, you probably want to
> get the BZIP2 compressed file. Please try another mirror if, exceptionally,
> your mirror is not yet up to date.
>
> In the *binary* directory, you should find these files:
>
>   gnupg-w32cli-1.4.15.exe (1568k)
>   gnupg-w32cli-1.4.15.exe.sig
>
>     GnuPG compiled for Microsoft Windows and OpenPGP signature.
>     This is a command line only version; the source files are the
>     same as given above. Note that this is a minimal installer and
>     unless you are just in need of the gpg binary, you are better
>     off using the full featured installer at http://www.gpg4win.org .
>     An updated version of gpg4win is scheduled for next week.
>
>
> Checking the Integrity
> ======================
>
> In order to check that the version of GnuPG which you are going to
> install is an original and unmodified one, you can do it in one of
> the following ways:
>
> * If you already have a trusted version of GnuPG installed, you
>   can simply check the supplied signature. For example to check the
>   signature of the file gnupg-1.4.15.tar.bz2 you would use this command:
>
>     gpg --verify gnupg-1.4.15.tar.bz2.sig
>
>   This checks whether the signature file matches the source file.
>   You should see a message indicating that the signature is good and
>   made by that signing key. Make sure that you have the right key,
>   either by checking the fingerprint of that key with other sources
>   or by checking that the key has been signed by a trustworthy other
>   key. Note that you can retrieve the signing key using the command
>
>     finger wk ,at' g10code.com | gpg --import
>
>   or using a keyserver like
>
>     gpg --recv-key 4F25E3B6
>
>   The distribution key 4F25E3B6 is signed by the well known key
>   1E42B367. If you get a key expired message, you should retrieve a
>   fresh copy as the expiration date might have been prolonged.
>
>   NEVER USE A GNUPG VERSION YOU JUST DOWNLOADED TO CHECK THE
>   INTEGRITY OF THE SOURCE - USE AN EXISTING GNUPG INSTALLATION!
>
> * If you are not able to use an old version of GnuPG, you have to verify
>   the SHA-1 checksum. Assuming you downloaded the file
>   gnupg-1.4.14.tar.bz2, you would run the sha1sum command like this:
>
>     sha1sum gnupg-1.4.15.tar.bz2
>
>   and check that the output matches the first line from the
>   following list:
>
>   63ebf0ab375150903c65738070e4105200197fd4  gnupg-1.4.15.tar.bz2
>   2881c8174c15bb86ecf2e879cb7ca22c91fbcf93  gnupg-1.4.15.tar.gz
>   0e3a593da55be0fb9a556513ce034e13677e5ebc  gnupg-1.4.14-1.4.15.diff.bz2
>   1adda83f3eda5a2ac6d362c294e31fbb529a03e4  gnupg-w32cli-1.4.15.exe
>
>
> Internationalization
> ====================
>
> GnuPG comes with support for 29 languages.
> The Chinese (Simple and
> Traditional), Czech, Danish, Dutch, French, German, Norwegian, Polish,
> Romanian, Russian, Spanish, Swedish, Ukrainian, and Turkish translations
> are close to complete.
>
>
> Support
> =======
>
> A listing with commercial support offers for GnuPG is available at:
>
>   http://www.gnupg.org/service.html
>
> The driving force behind the development of GnuPG is the company of its
> principal author, Werner Koch. Maintenance and improvement of GnuPG and
> related software take up most of their resources. To allow them to
> continue their work they ask to either purchase a support contract,
> engage them for custom enhancements, or to donate money:
>
>   http://g10code.com/gnupg-donation.html
>
>
>
> Thanks
> ======
>
> We have to thank all the people who helped with this release, be it
> testing, coding, translating, suggesting, auditing, donating money,
> spreading the word, or answering questions on the mailing lists.
>
>
>
> Happy Hacking,
>
>   The GnuPG Team
>
>
>
>
> _______________________________________________
> Gnupg-announce mailing list
> gnupg-annou...@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-announce
>
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
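As an added example, not part of the announcement or this reply, here is a POSIX shell helper that turns the announced SHA-1 list into a check a user without a trusted gpg can run, and wraps the `gpg --verify` step for those who do have an existing installation; the function names are my own, and only the four checksums come from the announcement.

```shell
# Announced SHA-1 checksums, copied from the release announcement above.
GNUPG_1_4_15_SHA1SUMS='63ebf0ab375150903c65738070e4105200197fd4  gnupg-1.4.15.tar.bz2
2881c8174c15bb86ecf2e879cb7ca22c91fbcf93  gnupg-1.4.15.tar.gz
0e3a593da55be0fb9a556513ce034e13677e5ebc  gnupg-1.4.14-1.4.15.diff.bz2
1adda83f3eda5a2ac6d362c294e31fbb529a03e4  gnupg-w32cli-1.4.15.exe'

# expected_sha1 NAME: print the announced checksum for NAME; non-zero if NAME is not listed.
expected_sha1() {
    printf '%s\n' "$GNUPG_1_4_15_SHA1SUMS" |
        awk -v n="$1" '$2 == n { print $1; found = 1 } END { exit !found }'
}

# sha1_of FILE: hex SHA-1 of FILE (sha1sum on GNU systems, shasum elsewhere).
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{ print $1 }'
    else
        shasum -a 1 "$1" | awk '{ print $1 }'
    fi
}

# check_download FILE [EXPECTED]: compare FILE's SHA-1 with EXPECTED, or with the
# announced value for its basename. Returns 0 on match, 1 on mismatch, 2 if the
# file is unreadable or not in the announced list.
check_download() {
    file=$1
    if [ -n "${2:-}" ]; then
        expected=$2
    else
        expected=$(expected_sha1 "$(basename "$file")") || return 2
    fi
    [ -r "$file" ] || return 2
    actual=$(sha1_of "$file") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file"
        return 0
    fi
    echo "FAIL $file: computed $actual, announced $expected" >&2
    return 1
}

# verify_signature FILE: check FILE.sig with the gpg that is ALREADY installed
# (never the freshly downloaded build); exits non-zero on a bad signature.
verify_signature() {
    gpg --verify "$1.sig" "$1"
}
```

A mismatch is reported with both hashes so a truncated download can be told apart from a tampered mirror copy; `verify_signature` still needs the 4F25E3B6 key imported and its fingerprint checked as the announcement describes.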