On 06/10/2018 01:25 PM, Juergen Bruckner wrote:
> Hello Werner,
>
> I use Linux Mint 18.3 with GnuPG 2.1.11; what is the easiest way to
> update it to 2.2.8?
>
> I'm pretty new to the Linux world, but as far as I know I have NOT
> included an "own" GnuPG repo in my repo list.
>
> best regards
> Juergen
>
> On 2018-06-08 at 15:40, Werner Koch wrote:
>> Hello!
>>
>> We are pleased to announce the availability of a new GnuPG release:
>> version 2.2.8. This version fixes a critical security bug and comes
>> with some other minor changes.
>>
>>
>> Impact
>> ======
>>
>> All current GnuPG versions are affected on all platforms.
>>
>> All mail clients and other applications which make use of GPG but are
>> not utilizing the GPGME library might be affected.
>>
>> The OpenPGP protocol allows the file name of the original input file
>> to be included in a signed or encrypted message. During decryption and
>> verification the GPG tool can display a notice with that file name. The
>> displayed file name is not sanitized and as such may include line feeds
>> or other control characters. This can be used to inject terminal control
>> sequences into the output and, worse, to fake the so-called status
>> messages. These status messages are parsed by programs to get
>> information from gpg about the validity of a signature and other
>> parameters. Status messages are created with the option "--status-fd N"
>> where N is a file descriptor. Now if N is 2 the status messages and the
>> regular diagnostic messages share the stderr output channel. By using a
>> made up file name in the message it is possible to fake status messages.
>> Using this technique it is for example possible to fake the verification
>> status of a signed mail.
>>
>> Although GnuPG takes great care to sanitize all diagnostic and status
>> output, the case at hand was missed but finally found and reported by
>> Marcus Brinkmann. CVE-2018-12020 was assigned to this bug; GnuPG tracks
>> it at <https://dev/gnupg.org/T4012>.
>>
>>
>> Solution
>> ========
>>
>> If your application uses GPGME your application is safe. Fortunately
>> most modern mail readers use GPGME, including GpgOL and KMail. Mutt
>> users should make sure to use "set crypt_use_gpgme".
>>
>> If you are parsing GnuPG status output and you use a dedicated file
>> descriptor with --status-fd you are safe. A dedicated file descriptor
>> is one that is not shared with the log output. The log output defaults
>> to stderr (2) but may be different if the option --logger-fd is used.
>>
>> If you are not using --verbose you are safe. But take care: --verbose
>> might be specified in the config file. As a short term mitigation or if
>> you can't immediately upgrade to the latest versions, you can add
>> --no-verbose to the invocation of gpg.
>>
>> Another short term mitigation is to redirect the log output to a
>> different file: For example "--log-file /dev/null".
>>
>> The suggested solution is to update to GnuPG 2.2.8 or a vendor provided
>> update of their GnuPG version.
>>
>> To check whether the bug has been fixed you may use the simple test at
>> the end of this mail [1].
>>
>>
>> About GnuPG
>> ===========
>>
>> The GNU Privacy Guard (GnuPG) is a complete and free implementation
>> of the OpenPGP standard which is commonly abbreviated as PGP.
>>
>> GnuPG allows you to encrypt and sign data and communication, features a
>> versatile key management system as well as access modules for public key
>> directories. GnuPG itself is a command line tool with features for easy
>> integration with other applications. A wealth of frontend applications
>> and libraries making use of GnuPG are available. As a Universal Crypto
>> Engine GnuPG provides support for S/MIME and Secure Shell in addition to
>> OpenPGP.
>>
>> GnuPG is Free Software (meaning that it respects your freedom). It can
>> be freely used, modified and distributed under the terms of the GNU
>> General Public License.
>>
>>
>> Noteworthy changes in version 2.2.8
>> ===================================
>>
>> * gpg: Decryption of messages not using the MDC mode will now lead
>>   to a hard failure even if a legacy cipher algorithm was used. The
>>   option --ignore-mdc-error can be used to turn this failure into a
>>   warning. Take care: Never use that option unconditionally or
>>   without a prior warning.
>>
>> * gpg: The MDC encryption mode is now always used regardless of the
>>   cipher algorithm or any preferences. For testing --rfc2440 can be
>>   used to create a message without an MDC.
>>
>> * gpg: Sanitize the diagnostic output of the original file name in
>>   verbose mode. [#4012,CVE-2018-12020]
>>
>> * gpg: Detect suspicious multiple plaintext packets in a more
>>   reliable way. [#4000]
>>
>> * gpg: Fix the duplicate key signature detection code. [#3994]
>>
>> * gpg: The options --no-mdc-warn, --force-mdc, --no-force-mdc,
>>   --disable-mdc and --no-disable-mdc have no more effect.
>>
>> * agent: Add DBUS_SESSION_BUS_ADDRESS and a few other envvars to the
>>   list of startup environment variables. [#3947]
>>
>>
>> Getting the Software
>> ====================
>>
>> Please follow the instructions found at <https://gnupg.org/download/> or
>> read on:
>>
>> GnuPG 2.2.8 may be downloaded from one of the GnuPG mirror sites or
>> direct from its primary FTP server. The list of mirrors can be found at
>> <https://gnupg.org/download/mirrors.html>. Note that GnuPG is not
>> available at ftp.gnu.org.
>>
>> The GnuPG source code compressed using BZIP2 and its OpenPGP signature
>> are available here:
>>
>>   https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.2.8.tar.bz2 (6477k)
>>   https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.2.8.tar.bz2.sig
>>
>> An installer for Windows without any graphical frontend except for a
>> very minimal Pinentry tool is available here:
>>
>>   https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.2.8_20180608.exe (3916k)
>>   https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.2.8_20180608.exe.sig
>>
>> The source used to build the Windows installer can be found in the same
>> directory with a ".tar.xz" suffix. A new Gpg4win installer featuring
>> this version of GnuPG will be available soon.
>>
>>
>> Checking the Integrity
>> ======================
>>
>> In order to check that the version of GnuPG which you are going to
>> install is an original and unmodified one, you can do it in one of
>> the following ways:
>>
>> * If you already have a version of GnuPG installed, you can simply
>>   verify the supplied signature. For example to verify the signature
>>   of the file gnupg-2.2.8.tar.bz2 you would use this command:
>>
>>     gpg --verify gnupg-2.2.8.tar.bz2.sig gnupg-2.2.8.tar.bz2
>>
>>   This checks whether the signature file matches the source file.
>>   You should see a message indicating that the signature is good and
>>   made by one or more of the release signing keys. Make sure that
>>   this is a valid key, either by matching the shown fingerprint
>>   against a trustworthy list of valid release signing keys or by
>>   checking that the key has been signed by trustworthy other keys.
>>   See the end of this mail for information on the signing keys.
>>
>> * If you are not able to use an existing version of GnuPG, you have
>>   to verify the SHA-1 checksum. On Unix systems the command to do
>>   this is either "sha1sum" or "shasum". Assuming you downloaded the
>>   file gnupg-2.2.8.tar.bz2, you run the command like this:
>>
>>     sha1sum gnupg-2.2.8.tar.bz2
>>
>>   and check that the output matches the next line:
>>
>>     d87553a125832ea90e8aeb3ceeecf24f88de56fb  gnupg-2.2.8.tar.bz2
>>     3126ec2b7005063cbff95792208796dfa42c2a22  gnupg-w32-2.2.8_20180608.tar.xz
>>     231b29631647328934a35f8c6baa483e7594e26a  gnupg-w32-2.2.8_20180608.exe
>>
>>
>> Internationalization
>> ====================
>>
>> This version of GnuPG has support for 26 languages with Chinese, Czech,
>> French, German, Japanese, Norwegian, Russian, and Ukrainian being almost
>> completely translated.
>>
>>
>> Documentation and Support
>> =========================
>>
>> If you used GnuPG in the past you should read the description of
>> changes and new features at doc/whats-new-in-2.1.txt or online at
>>
>>   https://gnupg.org/faq/whats-new-in-2.1.html
>>
>> The file gnupg.info has the complete reference manual of the system.
>> Separate man pages are included as well but they miss some of the
>> details available only in the manual. The manual is also available
>> online at
>>
>>   https://gnupg.org/documentation/manuals/gnupg/
>>
>> or can be downloaded as PDF at
>>
>>   https://gnupg.org/documentation/manuals/gnupg.pdf .
>>
>> The chapters on gpg-agent, gpg and gpgsm include information on how to
>> set up the whole thing. You may also want to search the GnuPG mailing
>> list archives or ask on the gnupg-users mailing list for advice on how
>> to solve problems. Most of the new features are around for several
>> years and thus enough public experience is available.
>>
>> Please consult the archive of the gnupg-users mailing list before
>> reporting a bug: <https://gnupg.org/documentation/mailing-lists.html>.
>> We suggest sending bug reports for a new release to this list in favor
>> of filing a bug at <https://bugs.gnupg.org>. If you need commercial
>> support check out <https://gnupg.org/service.html>.
>>
>> If you are a developer and you need a certain feature for your project,
>> please do not hesitate to bring it to the gnupg-devel mailing list for
>> discussion.
>>
>>
>> Thanks
>> ======
>>
>> Maintenance and development of GnuPG is mostly financed by donations.
>> The GnuPG project currently employs one full-time developer and one
>> contractor. Both work exclusively on GnuPG and closely related software
>> like Libgcrypt, GPGME, and GPA. We are planning to extend our team
>> again and to help developers to improve integration of crypto in their
>> applications.
>>
>> We have to thank all the people who helped the GnuPG project, be it
>> testing, coding, translating, suggesting, auditing, administering the
>> servers, spreading the word, and answering questions on the mailing
>> lists.
>>
>> Many thanks to our numerous financial supporters, both corporate and
>> individuals. Without you it would not be possible to keep GnuPG in a
>> good shape and address all the small and larger requests made by our
>> users. Thanks.
>>
>>
>> Happy hacking,
>>
>> Your GnuPG hackers
>>
>>
>>
>> p.s.
>> This is an announcement only mailing list. Please send replies only to
>> the gnupg-users'at'gnupg.org mailing list.
>>
>> p.p.s
>> List of Release Signing Keys:
>>
>> To guarantee that a downloaded GnuPG version has not been tampered with
>> by malicious entities we provide signature files for all tarballs and
>> binary versions. The keys are also signed by the long term keys of
>> their respective owners. Current releases are signed by one or more
>> of these four keys:
>>
>>   rsa2048 2011-01-12 [expires: 2019-12-31]
>>   Key fingerprint = D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6
>>   Werner Koch (dist sig)
>>
>>   rsa2048 2014-10-29 [expires: 2019-12-31]
>>   Key fingerprint = 46CC 7308 65BB 5C78 EBAB ADCF 0437 6F3E E085 6959
>>   David Shaw (GnuPG Release Signing Key) <dshaw 'at' jabberwocky.com>
>>
>>   rsa2048 2014-10-29 [expires: 2020-10-30]
>>   Key fingerprint = 031E C253 6E58 0D8E A286 A9F2 2071 B08A 33BD 3F06
>>   NIIBE Yutaka (GnuPG Release Key) <gniibe 'at' fsij.org>
>>
>>   rsa3072 2017-03-17 [expires: 2027-03-15]
>>   Key fingerprint = 5B80 C575 4298 F0CB 55D8 ED6A BCEF 7E29 4B09 2E28
>>   Andre Heinecke (Release Signing Key)
>>
>> The keys are available at <https://gnupg.org/signature_key.html> and
>> in any recently released GnuPG tarball in the file g10/distsigkey.gpg .
>> Note that this mail has been signed by a different key.
>> ===========
>>
>> [1] If you want to test whether you are affected by this bug, remove the
>> indentation from the following block
>>
>>   -----BEGIN PGP MESSAGE-----
>>
>>   jA0EBwMC1pW2pqoYvbXl0p4Bo5z/v7PXy7T1BY/KQxWaE9uTBRbf4no64/+5YYzX
>>   +BVNqP+82aBFYXEsD9x1vGuYwofQ4m/q/WcQDEPXhRyzU+4yiT3EOuG7sTTaQR3b
>>   8xAn2Qtpyq5tO7k9CN6dasaXKSduXVmFUqzgU+W9WaTLOKNDFw6FYV3lnOoPtFcX
>>   rzhh2opkX9Oh/5DUkZ6YmUIX3j/A0z+59/qNO1i2hQ==
>>   =zswl
>>   -----END PGP MESSAGE-----
>>
>> and pass to this pipeline
>>
>>   gpg --no-options -vd 2>&1 | grep '^\[GNUPG:] INJECTED'
>>
>> If you get some output you are using a non-fixed version.
>>
>>
>> _______________________________________________
>> Gnupg-announce mailing list
>> gnupg-annou...@gnupg.org
>> http://lists.gnupg.org/mailman/listinfo/gnupg-announce
>>
>>
>> _______________________________________________
>> Gnupg-users mailing list
>> Gnupg-users@gnupg.org
>> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>>
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>

It says part of your message to me was encrypted and prompted me for my
passphrase, but it must not have been encrypted with my public key.
--
  .~.  Jean-David Beyer          Registered Linux User 85642.
  /V\  PGP-Key:166D840A 0C610C8B  Registered Machine  1935521.
 /( )\ Shrewsbury, New Jersey    http://linuxcounter.net
 ^^-^^ 16:45:01 up 19 days, 21:28, 2 users, load average: 6.09, 5.31, 4.80
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
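The dedicated-descriptor mitigation from Werner's announcement, as an added example that is not part of this thread or of GnuPG: a Python wrapper that gives gpg a private pipe for --status-fd, pins the log channel to stderr with --logger-fd 2, adds --no-verbose so a "verbose" line in gpg.conf cannot re-enable the affected diagnostic, and parses only the status channel, failing closed if anything other than status lines shows up there. The function names and the sample status text (with placeholder key ids) are this example's own.

```python
import os
import subprocess
STATUS_PREFIX = "[GNUPG:] "

def build_gpg_command(status_fd, sig_file, data_file):
    # Status lines go to status_fd; --logger-fd 2 pins the log channel to
    # stderr so the two can never coincide. --no-verbose overrides a
    # 'verbose' line in gpg.conf (the announcement's short-term mitigation).
    return ["gpg", "--batch", "--no-tty", "--no-verbose", "--logger-fd", "2",
            "--status-fd", str(status_fd), "--verify", sig_file, data_file]

def parse_status(text):
    # Split the status channel into (keyword, args) pairs plus stray lines.
    # On a dedicated fd only status lines should arrive; stray text means
    # the channel is shared with something else (e.g. --status-fd 2).
    parsed, stray = [], []
    for line in text.splitlines():
        if line.startswith(STATUS_PREFIX):
            keyword, _, args = line[len(STATUS_PREFIX):].partition(" ")
            parsed.append((keyword, args))
        elif line.strip():
            stray.append(line)
    return parsed, stray

def signature_is_good(status_text):
    # Fail closed: no stray text, no negative verdict, GOODSIG plus VALIDSIG.
    parsed, stray = parse_status(status_text)
    keywords = {k for k, _ in parsed}
    bad = {"BADSIG", "ERRSIG", "NODATA", "EXPKEYSIG", "REVKEYSIG"}
    if stray or keywords & bad:
        return False
    return {"GOODSIG", "VALIDSIG"} <= keywords

def run_gpg_verify(sig_file, data_file):
    # Run gpg with a fresh pipe as the dedicated status fd; the parent closes
    # its write end so EOF on the pipe arrives when gpg exits.
    rd, wr = os.pipe()
    proc = subprocess.Popen(build_gpg_command(wr, sig_file, data_file),
                            pass_fds=(wr,), stdout=subprocess.DEVNULL,
                            stderr=subprocess.PIPE)
    os.close(wr)
    with os.fdopen(rd) as status_pipe:
        status_text = status_pipe.read()
    _, log = proc.communicate()
    return proc.returncode, status_text, log.decode(errors="replace")

# Constructed sample status text (placeholder key id, not real gpg output).
SAMPLE_GOOD = ("[GNUPG:] NEWSIG\n[GNUPG:] GOODSIG 0123456789ABCDEF Example\n"
               "[GNUPG:] VALIDSIG 0123456789ABCDEF 2018-06-08 1528464000 0 4\n")
# Constructed sample of a shared channel: a log line landed among status lines.
SAMPLE_SHARED = "gpg: original file name='x'\n" + SAMPLE_GOOD
```

Only run_gpg_verify needs a gpg binary; the parser and the verdict logic run on the constructed samples alone.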