Hi Mutt Users,

GnuPG just released an important security fix involving injection into the status-fd channel. The details are at <https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html>.

If you are using the suggested values in contrib/gpg.rc, it should NOT be necessary to switch to using GPGME (despite what they said in their email). Specifically make sure you have "--no-verbose" in $pgp_decode_command, $pgp_verify_command, and $pgp_decrypt_command.

There are a couple other (non-critical) issues Marcus Brinkmann found and reported to Mutt. They are mitigated by the new GnuPG release, and by fixes in Mutt's stable branch. I will release a new stable version in the next couple weeks.

-Kevin
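
One way to check a configuration for the setting named in the message above, as an added example that is not part of the original message or of Mutt. The function names `check_muttrc` and `make_sample` and the sample settings are constructed for illustration, and the script assumes one `set name=value` per line with no backslash continuations or sourced files.

```shell
#!/bin/sh
# Added example: flag the three Mutt PGP commands that lack --no-verbose.

check_muttrc() {
    # $1: muttrc-style file. Prints one line per problem; returns 0 only when
    # all three commands are set in the file and carry --no-verbose.
    awk '
        BEGIN { n = split("pgp_decode_command pgp_verify_command pgp_decrypt_command", want, " ") }
        /^[ \t]*#/ { next }                       # skip comment lines
        {
            for (i = 1; i <= n; i++)
                if ($0 ~ ("^[ \t]*set[ \t]+" want[i] "[ \t]*="))
                    value[want[i]] = $0           # a later assignment overrides
        }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                v = want[i]
                if (!(v in value)) { print v ": not set in this file"; bad = 1 }
                else if (value[v] !~ /(^|[ \t"=])--no-verbose([ \t"]|$)/) {
                    print v ": missing --no-verbose"; bad = 1
                }
            }
            exit bad
        }
    ' "$1"
}

make_sample() {
    # Constructed sample settings (not copied from contrib/gpg.rc).
    case "$1" in
    good) cat <<'EOF'
set pgp_decode_command="gpg --status-fd=2 --no-verbose --quiet --batch --output - %f"
set pgp_verify_command="gpg --status-fd=2 --no-verbose --quiet --batch --verify %s %f"
set pgp_decrypt_command="gpg --status-fd=2 --no-verbose --quiet --batch --output - %f"
EOF
    ;;
    bad) cat <<'EOF'
set pgp_decode_command="gpg --status-fd=2 --no-verbose --quiet --batch --output - %f"
set pgp_verify_command="gpg --status-fd=2 --quiet --batch --verify %s %f"
# set pgp_decrypt_command="gpg --status-fd=2 --no-verbose --quiet --batch --output - %f"
EOF
    ;;
    esac
}
```

To check a real configuration, call `check_muttrc` with the path of the file that sets these variables; a non-zero return means at least one of the three needs attention.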