I did NOT encrypt the message, just signed it with my PGP key. This message is now sent without a signature or encryption.

On 2018-06-10 at 22:50, Jean-David Beyer wrote:
> On 06/10/2018 01:25 PM, Juergen Bruckner wrote:
>> Hello Werner,
>>
>> I use Linux Mint 18.3 with GnuPG 2.1.11; which is the easiest way to
>> update it to 2.2.8?
>>
>> I'm pretty new to the Linux world, but as far as I know I have NOT
>> included an "own" GnuPG repo in my repo list.
>>
>> best regards
>> Juergen
>>
>> On 2018-06-08 at 15:40, Werner Koch wrote:
>>> Hello!
>>>
>>> We are pleased to announce the availability of a new GnuPG release:
>>> version 2.2.8. This version fixes a critical security bug and comes
>>> with some other minor changes.
>>>
>>>
>>> Impact
>>> ======
>>>
>>> All current GnuPG versions are affected on all platforms.
>>>
>>> All mail clients and other applications which make use of GPG but are
>>> not utilizing the GPGME library might be affected.
>>>
>>> The OpenPGP protocol allows to include the file name of the original
>>> input file into a signed or encrypted message. During decryption and
>>> verification the GPG tool can display a notice with that file name. The
>>> displayed file name is not sanitized and as such may include line feeds
>>> or other control characters. This can be used to inject terminal control
>>> sequences into the output and, worse, to fake the so-called status
>>> messages. These status messages are parsed by programs to get
>>> information from gpg about the validity of a signature and other
>>> parameters. Status messages are created with the option "--status-fd N"
>>> where N is a file descriptor. Now if N is 2 the status messages and the
>>> regular diagnostic messages share the stderr output channel. By using a
>>> made up file name in the message it is possible to fake status messages.
>>> Using this technique it is for example possible to fake the verification
>>> status of a signed mail.
>>>
>>> Although GnuPG takes great care to sanitize all diagnostic and status
>>> output, the case at hand was missed but finally found and reported by
>>> Marcus Brinkmann. CVE-2018-12020 was assigned to this bug; GnuPG tracks
>>> it at <https://dev/gnupg.org/T4012>.
>>>
>>>
>>> Solution
>>> ========
>>>
>>> If your application uses GPGME your application is safe. Fortunately
>>> most modern mail readers use GPGME, including GpgOL and KMail. Mutt
>>> users should make sure to use "set crypt_use_gpgme".
>>>
>>> If you are parsing GnuPG status output and you use a dedicated file
>>> descriptor with --status-fd you are safe. A dedicated file descriptor
>>> is one that is not shared with the log output. The log output defaults
>>> to stderr (2) but may be different if the option --logger-fd is used.
>>>
>>> If you are not using --verbose you are safe. But take care: --verbose
>>> might be specified in the config file. As a short term mitigation or if
>>> you can't immediately upgrade to the latest versions, you can add
>>> --no-verbose to the invocation of gpg.
>>>
>>> Another short term mitigation is to redirect the log output to a
>>> different file: For example "--log-file /dev/null".
>>>
>>> The suggested solution is to update to GnuPG 2.2.8 or a vendor provided
>>> update of their GnuPG version.
>>>
>>> To check whether the bug has been fixed you may use the simple test at
>>> the end of this mail [1].
>>>
>>>
>>> About GnuPG
>>> ===========
>>>
>>> The GNU Privacy Guard (GnuPG) is a complete and free implementation
>>> of the OpenPGP standard which is commonly abbreviated as PGP.
>>>
>>> GnuPG allows to encrypt and sign data and communication, features a
>>> versatile key management system as well as access modules for public key
>>> directories. GnuPG itself is a command line tool with features for easy
>>> integration with other applications. A wealth of frontend applications
>>> and libraries making use of GnuPG are available. As a Universal Crypto
>>> Engine GnuPG provides support for S/MIME and Secure Shell in addition to
>>> OpenPGP.
>>>
>>> GnuPG is Free Software (meaning that it respects your freedom). It can
>>> be freely used, modified and distributed under the terms of the GNU
>>> General Public License.
>>>
>>>
>>> Noteworthy changes in version 2.2.8
>>> ===================================
>>>
>>>  * gpg: Decryption of messages not using the MDC mode will now lead
>>>    to a hard failure even if a legacy cipher algorithm was used. The
>>>    option --ignore-mdc-error can be used to turn this failure into a
>>>    warning. Take care: Never use that option unconditionally or
>>>    without a prior warning.
>>>
>>>  * gpg: The MDC encryption mode is now always used regardless of the
>>>    cipher algorithm or any preferences. For testing --rfc2440 can be
>>>    used to create a message without an MDC.
>>>
>>>  * gpg: Sanitize the diagnostic output of the original file name in
>>>    verbose mode. [#4012,CVE-2018-12020]
>>>
>>>  * gpg: Detect suspicious multiple plaintext packets in a more
>>>    reliable way. [#4000]
>>>
>>>  * gpg: Fix the duplicate key signature detection code. [#3994]
>>>
>>>  * gpg: The options --no-mdc-warn, --force-mdc, --no-force-mdc,
>>>    --disable-mdc and --no-disable-mdc have no more effect.
>>>
>>>  * agent: Add DBUS_SESSION_BUS_ADDRESS and a few other envvars to the
>>>    list of startup environment variables. [#3947]
>>>
>>>
>>> Getting the Software
>>> ====================
>>>
>>> Please follow the instructions found at <https://gnupg.org/download/> or
>>> read on:
>>>
>>> GnuPG 2.2.8 may be downloaded from one of the GnuPG mirror sites or
>>> direct from its primary FTP server. The list of mirrors can be found at
>>> <https://gnupg.org/download/mirrors.html>. Note that GnuPG is not
>>> available at ftp.gnu.org.
>>>
>>> The GnuPG source code compressed using BZIP2 and its OpenPGP signature
>>> are available here:
>>>
>>>   https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.2.8.tar.bz2 (6477k)
>>>   https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.2.8.tar.bz2.sig
>>>
>>> An installer for Windows without any graphical frontend except for a
>>> very minimal Pinentry tool is available here:
>>>
>>>   https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.2.8_20180608.exe (3916k)
>>>   https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.2.8_20180608.exe.sig
>>>
>>> The source used to build the Windows installer can be found in the same
>>> directory with a ".tar.xz" suffix. A new Gpg4win installer featuring
>>> this version of GnuPG will be available soon.
>>>
>>>
>>> Checking the Integrity
>>> ======================
>>>
>>> In order to check that the version of GnuPG which you are going to
>>> install is an original and unmodified one, you can do it in one of
>>> the following ways:
>>>
>>>  * If you already have a version of GnuPG installed, you can simply
>>>    verify the supplied signature. For example to verify the signature
>>>    of the file gnupg-2.2.8.tar.bz2 you would use this command:
>>>
>>>      gpg --verify gnupg-2.2.8.tar.bz2.sig gnupg-2.2.8.tar.bz2
>>>
>>>    This checks whether the signature file matches the source file.
>>>    You should see a message indicating that the signature is good and
>>>    made by one or more of the release signing keys. Make sure that
>>>    this is a valid key, either by matching the shown fingerprint
>>>    against a trustworthy list of valid release signing keys or by
>>>    checking that the key has been signed by trustworthy other keys.
>>>    See the end of this mail for information on the signing keys.
>>>
>>>  * If you are not able to use an existing version of GnuPG, you have
>>>    to verify the SHA-1 checksum. On Unix systems the command to do
>>>    this is either "sha1sum" or "shasum". Assuming you downloaded the
>>>    file gnupg-2.2.8.tar.bz2, you run the command like this:
>>>
>>>      sha1sum gnupg-2.2.8.tar.bz2
>>>
>>>    and check that the output matches the next line:
>>>
>>> d87553a125832ea90e8aeb3ceeecf24f88de56fb  gnupg-2.2.8.tar.bz2
>>> 3126ec2b7005063cbff95792208796dfa42c2a22  gnupg-w32-2.2.8_20180608.tar.xz
>>> 231b29631647328934a35f8c6baa483e7594e26a  gnupg-w32-2.2.8_20180608.exe
>>>
>>>
>>> Internationalization
>>> ====================
>>>
>>> This version of GnuPG has support for 26 languages with Chinese, Czech,
>>> French, German, Japanese, Norwegian, Russian, and Ukrainian being almost
>>> completely translated.
>>>
>>>
>>> Documentation and Support
>>> =========================
>>>
>>> If you used GnuPG in the past you should read the description of
>>> changes and new features at doc/whats-new-in-2.1.txt or online at
>>>
>>>   https://gnupg.org/faq/whats-new-in-2.1.html
>>>
>>> The file gnupg.info has the complete reference manual of the system.
>>> Separate man pages are included as well but they miss some of the
>>> details available only in the manual. The manual is also available
>>> online at
>>>
>>>   https://gnupg.org/documentation/manuals/gnupg/
>>>
>>> or can be downloaded as PDF at
>>>
>>>   https://gnupg.org/documentation/manuals/gnupg.pdf .
>>>
>>> The chapters on gpg-agent, gpg and gpgsm include information on how to
>>> set up the whole thing. You may also want to search the GnuPG mailing
>>> list archives or ask on the gnupg-users mailing list for advice on how
>>> to solve problems. Most of the new features are around for several
>>> years and thus enough public experience is available.
>>>
>>> Please consult the archive of the gnupg-users mailing list before
>>> reporting a bug: <https://gnupg.org/documentation/mailing-lists.html>.
>>> We suggest to send bug reports for a new release to this list in favor
>>> of filing a bug at <https://bugs.gnupg.org>. If you need commercial
>>> support check out <https://gnupg.org/service.html>.
>>>
>>> If you are a developer and you need a certain feature for your project,
>>> please do not hesitate to bring it to the gnupg-devel mailing list for
>>> discussion.
>>>
>>>
>>> Thanks
>>> ======
>>>
>>> Maintenance and development of GnuPG is mostly financed by donations.
>>> The GnuPG project currently employs one full-time developer and one
>>> contractor. Both work exclusively on GnuPG and closely related software
>>> like Libgcrypt, GPGME, and GPA. We are planning to extend our team
>>> again and to help developers to improve integration of crypto in their
>>> applications.
>>>
>>> We have to thank all the people who helped the GnuPG project, be it
>>> testing, coding, translating, suggesting, auditing, administering the
>>> servers, spreading the word, and answering questions on the mailing
>>> lists.
>>>
>>> Many thanks to our numerous financial supporters, both corporate and
>>> individuals. Without you it would not be possible to keep GnuPG in a
>>> good shape and address all the small and larger requests made by our
>>> users. Thanks.
>>>
>>>
>>> Happy hacking,
>>>
>>>   Your GnuPG hackers
>>>
>>>
>>>
>>> p.s.
>>> This is an announcement only mailing list. Please send replies only to
>>> the gnupg-users'at'gnupg.org mailing list.
>>>
>>> p.p.s
>>> List of Release Signing Keys:
>>>
>>> To guarantee that a downloaded GnuPG version has not been tampered with
>>> by malicious entities we provide signature files for all tarballs and
>>> binary versions. The keys are also signed by the long term keys of
>>> their respective owners. Current releases are signed by one or more
>>> of these four keys:
>>>
>>>   rsa2048 2011-01-12 [expires: 2019-12-31]
>>>   Key fingerprint = D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6
>>>   Werner Koch (dist sig)
>>>
>>>   rsa2048 2014-10-29 [expires: 2019-12-31]
>>>   Key fingerprint = 46CC 7308 65BB 5C78 EBAB ADCF 0437 6F3E E085 6959
>>>   David Shaw (GnuPG Release Signing Key) <dshaw 'at' jabberwocky.com>
>>>
>>>   rsa2048 2014-10-29 [expires: 2020-10-30]
>>>   Key fingerprint = 031E C253 6E58 0D8E A286 A9F2 2071 B08A 33BD 3F06
>>>   NIIBE Yutaka (GnuPG Release Key) <gniibe 'at' fsij.org>
>>>
>>>   rsa3072 2017-03-17 [expires: 2027-03-15]
>>>   Key fingerprint = 5B80 C575 4298 F0CB 55D8 ED6A BCEF 7E29 4B09 2E28
>>>   Andre Heinecke (Release Signing Key)
>>>
>>> The keys are available at <https://gnupg.org/signature_key.html> and
>>> in any recently released GnuPG tarball in the file g10/distsigkey.gpg .
>>> Note that this mail has been signed by a different key.
>>> ===========
>>>
>>> [1] If you want to test whether you are affected by this bug, remove the
>>> indentation from the following block
>>>
>>>     -----BEGIN PGP MESSAGE-----
>>>
>>>     jA0EBwMC1pW2pqoYvbXl0p4Bo5z/v7PXy7T1BY/KQxWaE9uTBRbf4no64/+5YYzX
>>>     +BVNqP+82aBFYXEsD9x1vGuYwofQ4m/q/WcQDEPXhRyzU+4yiT3EOuG7sTTaQR3b
>>>     8xAn2Qtpyq5tO7k9CN6dasaXKSduXVmFUqzgU+W9WaTLOKNDFw6FYV3lnOoPtFcX
>>>     rzhh2opkX9Oh/5DUkZ6YmUIX3j/A0z+59/qNO1i2hQ==
>>>     =zswl
>>>     -----END PGP MESSAGE-----
>>>
>>> and pass to this pipeline
>>>
>>>     gpg --no-options -vd 2>&1 | grep '^\[GNUPG:] INJECTED'
>>>
>>> If you get some output you are using a non-fixed version.
>>>
>>>
>>>
>>> _______________________________________________
>>> Gnupg-announce mailing list
>>> gnupg-annou...@gnupg.org
>>> http://lists.gnupg.org/mailman/listinfo/gnupg-announce
>>>
>>
>>
> It says part of your message to me was encrypted and prompted me for my
> passphrase, but it must not have been encrypted with my public key.
>

-- 
Juergen M. Bruckner
juer...@bruckner.tk
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
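The "Solution" section of the quoted announcement says that a program parsing gpg status output is safe when it uses a dedicated --status-fd (one not shared with the log channel, which defaults to stderr) and when --no-verbose overrides any verbose setting in gpg.conf. The following is an added example, not code from this thread or from the GnuPG project, showing what that looks like from the calling program's side: it builds the gpg command line that way, runs gpg with a private pipe as the status channel, and parses only that channel. The two sample streams at the bottom are constructed text (not captured gpg output) that show why a parser fed the shared stderr can be fooled while the same parser fed a dedicated status fd is not. The gpg options used (--batch, --no-tty, --no-verbose, --status-fd, --verify) are real GnuPG options; the status keywords come from GnuPG's doc/DETAILS; run_verify() assumes gpg is on PATH.

```python
"""Added example (not from the thread or from GnuPG): run gpg with a dedicated
status fd, as the 2.2.8 advisory recommends, and trust only that channel.
Assumption: the gpg binary is on PATH when run_verify() is called."""
import os
import subprocess
from typing import List, Optional, Tuple

STATUS_PREFIX = "[GNUPG:] "
LOG_FD = 2  # gpg's default log channel (stderr); status must never share it

# Status keywords (GnuPG doc/DETAILS) that mean "do not trust this signature".
# Any of them outranks a GOODSIG seen in the same run.
FAILURE_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NODATA"}


def build_verify_argv(sig_path: str, data_path: Optional[str], status_fd: int) -> List[str]:
    """Return a gpg --verify command line that follows the advisory's advice.

    --no-verbose on the command line overrides a 'verbose' line in gpg.conf,
    and the status fd is rejected if it is the log fd (2).
    """
    if status_fd == LOG_FD:
        raise ValueError("status fd must not be stderr: it is shared with log output")
    argv = ["gpg", "--batch", "--no-tty", "--no-verbose",
            "--status-fd", str(status_fd), "--verify", sig_path]
    if data_path is not None:
        argv.append(data_path)  # detached signature: signature file, then data
    return argv


def parse_status_stream(text: str) -> List[Tuple[str, List[str]]]:
    """Extract (KEYWORD, args) pairs from '[GNUPG:] KEYWORD args...' lines.

    Non-status lines are ignored. The parser cannot distinguish a genuine
    status line from text embedded in a log message, which is exactly why it
    must only ever be fed the dedicated status channel.
    """
    records: List[Tuple[str, List[str]]] = []
    for line in text.split("\n"):
        if not line.startswith(STATUS_PREFIX):
            continue
        fields = line[len(STATUS_PREFIX):].split()
        if fields:
            records.append((fields[0], fields[1:]))
    return records


def signature_verdict(records: List[Tuple[str, List[str]]]) -> str:
    """Reduce status records to 'GOOD', 'BAD' or 'NONE' (no signature seen)."""
    keywords = {kw for kw, _ in records}
    if keywords & FAILURE_KEYWORDS:
        return "BAD"
    if "GOODSIG" in keywords:
        return "GOOD"
    return "NONE"


def run_verify(sig_path: str, data_path: Optional[str] = None) -> str:
    """Run gpg with a private pipe as the status channel and return the verdict.

    The log output (stderr) is discarded: nothing in it is trusted for the
    verdict. Read it separately if you want it for diagnostics.
    """
    read_end, write_end = os.pipe()
    argv = build_verify_argv(sig_path, data_path, write_end)
    proc = subprocess.Popen(argv, pass_fds=(write_end,),
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    os.close(write_end)  # close the parent's copy so read() sees EOF when gpg exits
    with os.fdopen(read_end, "r", encoding="utf-8", errors="replace") as status_in:
        status_text = status_in.read()
    proc.wait()
    return signature_verdict(parse_status_stream(status_text))


# Constructed illustration (not captured gpg output) of a shared channel: a
# verbose file-name diagnostic that contains an embedded newline followed by
# text shaped like a status line. No signature was actually verified.
SHARED_STDERR = (
    "gpg: AES256 encrypted data\n"
    "gpg: original file name='report.txt\n"
    "[GNUPG:] GOODSIG 0000000000000000 Fake Signer <nobody@example.invalid>'\n"
    "[GNUPG:] DECRYPTION_OKAY\n"
)

# Constructed illustration of the same run as seen on a dedicated status fd:
# only real status lines arrive, and no GOODSIG is among them.
DEDICATED_STATUS = (
    "[GNUPG:] DECRYPTION_OKAY\n"
    "[GNUPG:] END_DECRYPTION\n"
)

if __name__ == "__main__":
    print("shared stderr parsed as status:", signature_verdict(parse_status_stream(SHARED_STDERR)))
    print("dedicated status fd           :", signature_verdict(parse_status_stream(DEDICATED_STATUS)))
```

The verdict differs only because of which channel is parsed: the same parser reports GOOD on the shared stream and NONE on the dedicated one. Treating failure keywords as outranking GOODSIG is a second line of defence, but it does not help when no real signature was checked at all, so the dedicated fd is the control that matters.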