[Announce] [security fix] GnuPG 2.0.22 released
Hello!

We are pleased to announce the availability of a new stable GnuPG-2 release: Version 2.0.22. This is a *security fix* release and all users are advised to update to this version. See below for the impact of the problem.

The GNU Privacy Guard (GnuPG) is GNU's tool for secure communication and data storage. It can be used to encrypt data, create digital signatures, help authenticate using Secure Shell and to provide a framework for public key cryptography. It includes an advanced key management facility and is compliant with the OpenPGP and S/MIME standards.

GnuPG-2 has a different architecture than GnuPG-1 (e.g. 1.4.14) in that it splits up functionality into several modules. However, both versions may be installed alongside each other without any conflict. In fact, the gpg version from GnuPG-1 is able to make use of the gpg-agent as included in GnuPG-2 and allows for seamless passphrase caching. The advantage of GnuPG-1 is its smaller size and the lack of dependency on other modules at run and build time. We will keep maintaining GnuPG-1 versions because they are very useful for small systems and for server based applications requiring only OpenPGP support.

GnuPG is distributed under the terms of the GNU General Public License (GPLv3+). GnuPG-2 works best on GNU/Linux and *BSD systems but is also available for other Unices, Microsoft Windows and Mac OS X.

What's New in 2.0.22
====================

 * Fixed possible infinite recursion in the compressed packet parser. [CVE-2013-4402]
 * Improved support for some card readers.
 * Prepared building with the forthcoming Libgcrypt 1.6.
 * Protect against rogue keyservers sending secret keys.

Impact of the security problem
==============================

Specially crafted input data may be used to cause a denial of service against GPG (GnuPG's OpenPGP part) and some other OpenPGP implementations. All systems using GPG to process incoming data are affected.

Taylor R. Campbell invented a neat trick to generate OpenPGP packages to force GPG to recursively parse certain parts of OpenPGP messages ad infinitum. As a workaround a tight ulimit -v setting may be used to mitigate the problem. Sample input data to trigger this problem has not yet been seen in the wild. Details of the attack will eventually be published by its inventor.

A fixed release of the GnuPG 1.4 series has also been released. An updated version of gpg4win will be released next week.

Getting the Software
====================

Please follow the instructions found at http://www.gnupg.org/download/ or read on:

GnuPG 2.0.22 may be downloaded from one of the GnuPG mirror sites or direct from ftp://ftp.gnupg.org/gcrypt/gnupg/ . The list of mirrors can be found at http://www.gnupg.org/mirrors.html . Note that GnuPG is not available at ftp.gnu.org.

On the FTP server and its mirrors you should find the following files in the gnupg/ directory:

  gnupg-2.0.22.tar.bz2 (4200k)
  gnupg-2.0.22.tar.bz2.sig
      GnuPG source compressed using BZIP2 and OpenPGP signature.

  gnupg-2.0.20-2.0.22.diff.bz2 (39k)
      A patch file to upgrade a 2.0.20 GnuPG source tree. This patch does not include updates of the language files.

Note that we don't distribute gzip compressed tarballs for GnuPG-2.

Checking the Integrity
======================

In order to check that the version of GnuPG which you are going to install is an original and unmodified one, you can do it in one of the following ways:

 * If you already have a trusted version of GnuPG installed, you can simply check the supplied signature. For example to check the signature of the file gnupg-2.0.22.tar.bz2 you would use this command:

     gpg --verify gnupg-2.0.22.tar.bz2.sig

   This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by that signing key. Make sure that you have the right key, either by checking the fingerprint of that key with other sources or by checking that the key has been signed by a trustworthy other key. Note that you can retrieve the signing key using the command

     finger wk ,at' g10code.com

   or using a keyserver like

     gpg --keyserver keys.gnupg.net --recv-key 4F25E3B6

   The distribution key 4F25E3B6 is signed by the well known key 1E42B367.

   NEVER USE A GNUPG VERSION YOU JUST DOWNLOADED TO CHECK THE INTEGRITY OF THE SOURCE - USE AN EXISTING GNUPG INSTALLATION!

 * If you are not able to use an old version of GnuPG, you have to verify the SHA-1 checksum. Assuming you downloaded the file gnupg-2.0.22.tar.bz2, you would run the sha1sum command like this:

     sha1sum gnupg-2.0.22.tar.bz2

   and check that the output matches the first line from the following list:

     9ba9ee288e9bf813e0f1e25cbe06b58d3072d8b8  gnupg-2.0.22.tar.bz2
     6cc51b14ed652fe7eadae25ec7cdaa6f63377525  gnupg-2.0.21-2.0.22.diff.bz2

Documentation
=============

The file gnupg.info has the
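The "Impact of the security problem" section above (repeated verbatim in the 1.4.15 announcement below) describes the bug only in outline: compressed packets can contain further packets, the parser recurses into each one, and crafted input drives that recursion without bound. The Python below is an added illustration written for this page; it is not GnuPG code and it is not Campbell's trick, whose details the announcement says are still unpublished. It builds a Literal Data packet wrapped in a chosen number of Compressed Data packets (RFC 4880 tag 8, compression algorithms 0, 1 and 2), then parses the result with a recursion counter so the nesting stops at a limit instead of exhausting the stack. The limit of 32 and the function names are assumptions made for the example; the announcement does not say how GnuPG 2.0.22 and 1.4.15 bound the recursion.

```python
"""Nested OpenPGP Compressed Data packets (RFC 4880 tag 8) and a parser that bounds
the recursion. Added example, not GnuPG code; the depth limit is an assumption."""
import struct
import zlib

TAG_COMPRESSED = 8
TAG_LITERAL = 11
MAX_COMPRESSION_DEPTH = 32   # assumed limit for this example, not GnuPG's value


class NestingTooDeep(Exception):
    """Compressed packets nested deeper than the configured limit."""


def _new_length(n):
    """New-format body length in 1, 2 or 5 octets (RFC 4880 section 4.2.2)."""
    if n < 192:
        return bytes([n])
    if n < 8384:
        n -= 192
        return bytes([192 + (n >> 8), n & 0xFF])
    return b"\xff" + struct.pack(">I", n)


def packet(tag, body):
    """New-format packet: header octet 0xC0|tag, then the length, then the body."""
    return bytes([0xC0 | tag]) + _new_length(len(body)) + body


def literal_packet(payload, name=b"x"):
    """Literal Data (tag 11): format 'b', name length, name, 4-octet date, data."""
    return packet(TAG_LITERAL, b"b" + bytes([len(name)]) + name + b"\0\0\0\0" + payload)


def _compress(algo, data):
    if algo == 0:                      # uncompressed
        return data
    if algo == 1:                      # ZIP: raw DEFLATE without the zlib wrapper
        c = zlib.compressobj(9, zlib.DEFLATED, -15)
        return c.compress(data) + c.flush()
    if algo == 2:                      # ZLIB
        return zlib.compress(data)
    raise ValueError("unsupported compression algorithm %d" % algo)


def _decompress(algo, data):
    if algo == 0:
        return data
    if algo == 1:
        return zlib.decompress(data, -15)
    if algo == 2:
        return zlib.decompress(data)
    raise ValueError("unsupported compression algorithm %d" % algo)


def nest_compressed(payload, depth, algo=1):
    """Constructed input: one literal packet wrapped in `depth` compressed packets."""
    pkt = literal_packet(payload)
    for _ in range(depth):
        pkt = packet(TAG_COMPRESSED, bytes([algo]) + _compress(algo, pkt))
    return pkt


def _read_header(buf, pos):
    """Return (tag, body offset, body length) for the new-format packet at pos."""
    b0 = buf[pos]
    if b0 & 0xC0 != 0xC0:
        raise ValueError("only new-format packet headers are handled in this example")
    tag, b1 = b0 & 0x3F, buf[pos + 1]
    if b1 < 192:
        return tag, pos + 2, b1
    if b1 < 224:
        return tag, pos + 3, ((b1 - 192) << 8) + buf[pos + 2] + 192
    if b1 == 255:
        return tag, pos + 6, struct.unpack(">I", buf[pos + 2:pos + 6])[0]
    raise ValueError("partial body lengths not handled in this example")


def parse(buf, depth=0, max_depth=MAX_COMPRESSION_DEPTH):
    """Walk a packet sequence; return (deepest nesting seen, list of literal payloads).
    Every Compressed Data packet is inflated and its contents parsed recursively: that
    is the recursion crafted input can drive, and the depth check is what bounds it."""
    pos, deepest, literals = 0, depth, []
    while pos < len(buf):
        tag, start, length = _read_header(buf, pos)
        body = buf[start:start + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        if tag == TAG_COMPRESSED:
            if depth + 1 > max_depth:
                raise NestingTooDeep("compressed packets nested deeper than %d" % max_depth)
            if not body:
                raise ValueError("empty compressed packet")
            d, lits = parse(_decompress(body[0], body[1:]), depth + 1, max_depth)
            deepest, literals = max(deepest, d), literals + lits
        elif tag == TAG_LITERAL:
            literals.append(body[6 + body[1]:])    # skip format octet, name, date
        pos = start + length
    return deepest, literals
```

parse(nest_compressed(b"hello", 5)) returns (5, [b"hello"]); parse(nest_compressed(b"x", 33)) raises NestingTooDeep before the 33rd layer is inflated. The ulimit -v workaround from the announcement caps the whole process and lets the kernel kill it; a counter inside the parser rejects the message with an error and leaves the process alive, which is what a mail gateway or keyserver feeding data to gpg actually wants.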
[Announce] [security fix] GnuPG 1.4.15 released
Hello!

We are pleased to announce the availability of a new stable GnuPG-1 release: Version 1.4.15. This is a *security fix* release and all users are advised to update to this version. See below for the impact of the problem.

The GNU Privacy Guard (GnuPG) is GNU's tool for secure communication and data storage. It is a complete and free replacement of PGP and can be used to encrypt data and to create digital signatures. It includes an advanced key management facility, smartcard support and is compliant with the OpenPGP Internet standard as described by RFC-4880.

Note that this version is from the GnuPG-1 series and thus smaller than those from the GnuPG-2 series, easier to build, and also more portable to ancient platforms. In contrast to GnuPG-2 (e.g. version 2.0.22) it comes with no support for S/MIME, Secure Shell, or other tools useful for desktop environments. Fortunately you may install both versions alongside each other on the same system without any conflict.

What's New
==========

 * Fixed possible infinite recursion in the compressed packet parser. [CVE-2013-4402]
 * Protect against rogue keyservers sending secret keys.
 * Use 2048 bit also as default for batch key generation.
 * Minor bug fixes.

Impact of the security problem
==============================

Specially crafted input data may be used to cause a denial of service against GPG (GnuPG's OpenPGP part) and some other OpenPGP implementations. All systems using GPG to process incoming data are affected.

Taylor R. Campbell invented a neat trick to generate OpenPGP packages to force GPG to recursively parse certain parts of OpenPGP messages ad infinitum. As a workaround a tight ulimit -v setting may be used to mitigate the problem. Sample input data to trigger this problem has not yet been seen in the wild. Details of the attack will eventually be published by its inventor.

A fixed release of the GnuPG 2.0 series has also been released.

Getting the Software
====================

First of all, decide whether you really need GnuPG version 1.4.x - most users are better off with the modern GnuPG 2.0.x version. Then follow the instructions found at http://www.gnupg.org/download/ or read on:

GnuPG 1.4.15 may be downloaded from one of the GnuPG mirror sites or direct from ftp://ftp.gnupg.org/gcrypt/ . The list of mirrors can be found at http://www.gnupg.org/mirrors.html . Note that GnuPG is not available at ftp.gnu.org.

On the mirrors you should find the following files in the *gnupg* directory:

  gnupg-1.4.15.tar.bz2 (3569k)
  gnupg-1.4.15.tar.bz2.sig
      GnuPG source compressed using BZIP2 and OpenPGP signature.

  gnupg-1.4.15.tar.gz (4948k)
  gnupg-1.4.15.tar.gz.sig
      GnuPG source compressed using GZIP and OpenPGP signature.

  gnupg-1.4.14-1.4.15.diff.bz2 (37k)
      A patch file to upgrade a 1.4.14 GnuPG source tree. This patch does not include updates of the language files.

Select one of them. To shorten the download time, you probably want to get the BZIP2 compressed file. Please try another mirror if, exceptionally, your mirror is not yet up to date.

In the *binary* directory, you should find these files:

  gnupg-w32cli-1.4.15.exe (1568k)
  gnupg-w32cli-1.4.15.exe.sig
      GnuPG compiled for Microsoft Windows and OpenPGP signature. This is a command line only version; the source files are the same as given above. Note that this is a minimal installer and unless you are just in need of the gpg binary, you are better off using the full featured installer at http://www.gpg4win.org . An updated version of gpg4win is scheduled for next week.

Checking the Integrity
======================

In order to check that the version of GnuPG which you are going to install is an original and unmodified one, you can do it in one of the following ways:

 * If you already have a trusted version of GnuPG installed, you can simply check the supplied signature. For example to check the signature of the file gnupg-1.4.15.tar.bz2 you would use this command:

     gpg --verify gnupg-1.4.15.tar.bz2.sig

   This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by that signing key. Make sure that you have the right key, either by checking the fingerprint of that key with other sources or by checking that the key has been signed by a trustworthy other key. Note that you can retrieve the signing key using the command

     finger wk ,at' g10code.com | gpg --import

   or using a keyserver like

     gpg --recv-key 4F25E3B6

   The distribution key 4F25E3B6 is signed by the well known key 1E42B367. If you get a key expired message, you should retrieve a fresh copy as the expiration date might have been prolonged.

   NEVER USE A GNUPG VERSION YOU JUST DOWNLOADED TO CHECK THE INTEGRITY OF THE SOURCE - USE AN EXISTING GNUPG INSTALLATION!

 * If you are not able to use an
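The "Checking the Integrity" instructions in this announcement and in the 2.0.22 announcement above make two points that are easy to run together: "good signature" only means the file matches some key in your keyring, while "made by that signing key" is the part you have to check yourself, by fingerprint. The Python below is an added example for this page, not code from the announcement or from GnuPG. It drives an existing, already trusted gpg with --status-fd (the machine-readable GOODSIG, VALIDSIG, BADSIG, EXPKEYSIG and related lines that gpg documents in its DETAILS file), accepts a file only when VALIDSIG carries the pinned fingerprint, reports an expired key the way the announcement suggests (fetch a fresh copy of the key), and implements the sha1sum fallback by parsing a published checksum list. EXPECTED_FPR is a placeholder; the real fingerprint of key 4F25E3B6 is not on this page and must come from a source you already trust. The status lines and checksum list used in the test are constructed.

```python
"""Judge a GnuPG detached-signature check by the pinned signing key, not by "good
signature" alone, with the published SHA-1 list as fallback. Added example, not GnuPG code."""
import hashlib
import hmac
import subprocess

# Placeholder (assumption): the real fingerprint of the distribution key goes here,
# taken from an existing trusted GnuPG installation or cross-checked with other sources.
EXPECTED_FPR = "0123456789ABCDEF0123456789ABCDEF4F25E3B6"

# Status keywords that end the check immediately (from gpg's --status-fd vocabulary).
FATAL = {
    "BADSIG": "signature does not match the file",
    "EXPKEYSIG": "signing key has expired; fetch a fresh copy of the key and retry",
    "REVKEYSIG": "signing key is revoked",
    "ERRSIG": "signature could not be checked (key not in keyring?)",
}


def evaluate_status(status_lines, expected_fpr):
    """Interpret the lines gpg writes to --status-fd during --verify.

    GOODSIG fires for any key in the keyring, so it proves nothing about who signed.
    Require a VALIDSIG whose fingerprint (or primary-key fingerprint, the optional
    last field) equals the pinned one, and no fatal status on the way.
    Returns (ok, reason).
    """
    good = False
    fprs = set()
    for line in status_lines:
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword = fields[1]
        if keyword in FATAL:
            return False, FATAL[keyword]
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and len(fields) >= 3:
            fprs.add(fields[2].upper())          # fingerprint of the (sub)key that signed
            if len(fields) >= 12:
                fprs.add(fields[11].upper())     # primary key fingerprint, when gpg prints it
    if not good or not fprs:
        return False, "no valid signature found"
    if expected_fpr.upper() not in fprs:
        return False, "good signature, but from an unexpected key: " + ", ".join(sorted(fprs))
    return True, "signature valid and made by the pinned key"


def verify_with_gpg(sig_path, data_path, expected_fpr=EXPECTED_FPR):
    """Run the EXISTING, trusted gpg (never the one just downloaded) and judge its output."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        stdout=subprocess.PIPE, stderr=subprocess.PIPE, universal_newlines=True)
    return evaluate_status(proc.stdout.splitlines(), expected_fpr)


def parse_sha1sum_list(text):
    """Parse sha1sum-style lines: "<40 hex>  <name>" (a leading '*' marks binary mode)."""
    table = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and len(parts[0]) == 40:
            table[parts[1].lstrip("*").strip()] = parts[0].lower()
    return table


def sha1_matches(data, filename, published_list):
    """Fallback from the announcement: compare the file's SHA-1 with the published line."""
    expected = parse_sha1sum_list(published_list).get(filename)
    if expected is None:
        return False
    return hmac.compare_digest(hashlib.sha1(data).hexdigest(), expected)


def sha1_file_matches(path, filename, published_list):
    with open(path, "rb") as fh:
        return sha1_matches(fh.read(), filename, published_list)
```

Usage: verify_with_gpg("gnupg-1.4.15.tar.bz2.sig", "gnupg-1.4.15.tar.bz2") returns (True, ...) only for the pinned key. The SHA-1 fallback is only as strong as the channel the list came over: a checksum copied from the same mirror as the tarball detects a corrupt download, not a tampered mirror, which is why the announcement puts the signature check first.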
Re: [Announce] [security fix] GnuPG 1.4.15 released
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Werner Koch wrote on 10/5/13 11:56 AM:
> Hello!
>
> We are pleased to announce the availability of a new stable GnuPG-1 release: Version 1.4.15. This is a *security fix* release and all users are advised to update to this version. See below for the impact of the problem.
> [...]
> Happy Hacking,
> The GnuPG Team

Hi,

Version info: gnupg 1.4.15
Configured for: Darwin (x86_64-apple-darwin12.5.0)

Thanks Werner and the GnuPG team.

Charly
0x15E4F2EA
Mac OS X 10.8.5 (12F37) MacBook Intel C2Duo 2GHz 13-inch, Aluminum, Late 2008.
(GnuPG/MacGPG2) 2.0.20 - gpg (GnuPG) 1.4.15
TB 24.0
Enigmail version 1.5.2 (20130703-1322)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.20 (Darwin)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCgAGBQJST/2aAAoJEPPf0YAV5PLqYDsQAJeuhBsgniHwYWyu1/GAtcLy
YrYUK5xQzk+OJgrzytdfmBfz/dD+VpZz4spSTKhe1BHcnq5Ar9VBJX91UnngR6En
/L0+pK/np0AGXfwyhzisYntjDSt8jQl31qhDYthPjkAUL3vnUAPtQRN5m1HKuw9H
AtCUvjfIXAXKBZAqlque3CpeMA2j5279KI5oyMpvQnzeV+Y8yhcs9RPiY+NLnQQ8
Iee069oVDVmnwJjU7GiusD/z+poR1THapAu31EuNVCkFSZclXZd/d5+mrHPdDjUH
fN1Te+4GqXRBJV4PZNuXZV9IvFnSwJ5FaT+6vySMMB0UHxbNIgosVQpqZX8AW3Fu
UeWv6imcCGpsj9KpZSP8laAo5s/t3765nbVCczxzF8YrREO7+y9XP1xHNBt+awPK
anCmpfpzB+gJkvUmXaaVizDQEFiOVZX1xdknkO/XVSZU9tnWfm+m1h8xQyOqsed9
YERBj5vU3LT3Ldd8ykaSNsqFazuXTVAA9R/II9cRlc7NMeuiicFWM1JLmOCRp+Zy
gXjhnBNk+1dhj5OSujMyNi6pP1ASFAAIm3DKYZC9umC5+L3YPeMkOvVC4VeZl/VH
twhb0zxiOZ+VK5g4WVhh8qD6CpkOI9f4uRWcyU6mDmvm19WbXOSxCtEBH3LMPy4N
PQazHVPgFVvlRIL2cVUF
=08bX
-----END PGP SIGNATURE-----

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
GnuPG 2.0.22 compiling on Mac OS X fails
Hi,

I just tried to compile the 2.0.22 version on Mac OS X 10.8.5 with XCode 5.0. But it fails:

  #pragma weak pth_waitpid
               ^
  exechelp.c:68:14: warning: weak identifier 'pth_fork' never declared
  #pragma weak pth_fork
               ^
  signal.c:125:41: warning: adding 'int' to a string does not append to the string [-Wstring-plus-int]
        write (2, "0123456789"+(value/i), 1);
                  ~~~~~~~~~~~~^~~~~~~~~~~
  signal.c:125:41: note: use array indexing to silence this warning
        write (2, "0123456789"+(value/i), 1);
                              ^
                  &           [ ]
  ///Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/../lib/clang/5.0/include/stdint.h:32:36: warning: #include_next with absolute path
      defined(__has_include_next) && __has_include_next(<stdint.h>)
                                     ^
  ///Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/../lib/clang/5.0/include/stdint.h:33:3: warning: #include_next with absolute path
  # include_next <stdint.h>
    ^
  In file included from estream-printf.c:54:
  In file included from ../gl/stdint.h:66:
  /usr/include/inttypes.h:238:10: error: unknown type name 'intmax_t'
  extern intmax_t imaxabs(intmax_t j);
         ^
  /usr/include/inttypes.h:238:27: error: unknown type name 'intmax_t'
  extern intmax_t imaxabs(intmax_t j);
                          ^
  /usr/include/inttypes.h:242:9: error: unknown type name 'intmax_t'
          intmax_t quot;
          ^
  /usr/include/inttypes.h:243:9: error: unknown type name 'intmax_t'
          intmax_t rem;
          ^
  /usr/include/inttypes.h:246:28: error: unknown type name 'intmax_t'
  extern imaxdiv_t imaxdiv(intmax_t numer, intmax_t denom);
                           ^
  /usr/include/inttypes.h:246:44: error: unknown type name 'intmax_t'
  extern imaxdiv_t imaxdiv(intmax_t numer, intmax_t denom);
                                           ^
  /usr/include/inttypes.h:249:10: error: unknown type name 'intmax_t'
  extern intmax_t strtoimax(const char * restrict nptr, char ** restric...
         ^
  /usr/include/inttypes.h:250:10: error: unknown type name 'uintmax_t'; did you mean 'uintptr_t'?
  extern uintmax_t strtoumax(const char * restrict nptr, char ** restric...
         ^
  /usr/include/i386/types.h:109:24: note: 'uintptr_t' declared here
  typedef unsigned long uintptr_t;
                        ^
  In file included from estream-printf.c:54:
  In file included from ../gl/stdint.h:66:
  /usr/include/inttypes.h:260:10: error: unknown type name 'intmax_t'
  extern intmax_t wcstoimax(const wchar_t * restrict nptr, wchar_t ** re...
         ^
  /usr/include/inttypes.h:261:10: error: unknown type name 'uintmax_t'; did you mean 'uintptr_t'?
  extern uintmax_t wcstoumax(const wchar_t * restrict nptr, wchar_t ** r...
         ^
  /usr/include/i386/types.h:109:24: note: 'uintptr_t' declared here
  typedef unsigned long uintptr_t;
                        ^

Best regards,
Michael

smime.p7s
Description: S/MIME cryptographic signature
Re: GnuPG 2.0.22 compiling on Mac OS X fails
On Sat, 5 Oct 2013 14:58, so...@dersonic.org said:

> i just tried to compile the 2.0.22 version on Mac OS X 10.8.5 with XCode 5.0.

This is known. See for example bug 1541. Sorry, I can't do anything about it until someone provides a tested solution.

> signal.c:125:41: warning: adding 'int' to a string does not append to the string [-Wstring-plus-int]
>       write (2, "0123456789"+(value/i), 1);
>                 ~~~~~~~~~~~~^~~~~~~~~~~
> signal.c:125:41: note: use array indexing to silence this warning

Surely, it does not. Syntactic sugar is required to drink from this source - stupid warning.

Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
(Thoughts are free. Exceptions are regulated by a federal law.)
GnuPG mirrors
On Sat, Oct 05, 2013 at 10:46:39AM +0200, Werner Koch wrote:

> direct from ftp://ftp.gnupg.org/gcrypt/gnupg/ . The list of mirrors can be found at http://www.gnupg.org/mirrors.html . Note, that GnuPG

The list has some dead/stale entries. I found the following mirrors to be viable and current:

  ftp://ftp.crysys.hu/pub/gnupg/gnupg/
  ftp://ftp.franken.de/pub/crypt/mirror/ftp.gnupg.org/gcrypt/gnupg/
  ftp://ftp.freenet.de/pub/ftp.gnupg.org/gcrypt/gnupg/
  ftp://ftp.hi.is/pub/mirrors/gnupg/gnupg/
  ftp://ftp.sunet.se/pub/security/gnupg/gnupg/
  ftp://gd.tuwien.ac.at/privacy/gnupg/gnupg/
  ftp://mirror.switch.ch/mirror/gnupg/gnupg/
  http://artfiles.org/gnupg.org/gnupg/
  http://ftp.heanet.ie/mirrors/ftp.gnupg.org/gcrypt/gnupg/
  http://mirror.tje.me.uk/pub/mirrors/ftp.gnupg.org/gnupg/
  http://www.mirrorservice.org/sites/ftp.gnupg.org/gcrypt/gnupg/
  http://mirrors.dotsrc.org/gcrypt/gnupg/
  http://mirrors.dotsrc.org/gnupg/gnupg/

Thanks.

-- 
Jason Harris           | PGP:  This _is_ PGP-signed, isn't it?
jhar...@widomaker.com _|_ Got photons? (TM), (C) 2004

pgprdHkcehbzl.pgp
Description: PGP signature
Re: [Announce] [security fix] GnuPG 1.4.15 released
On 5.10.2013 9:53 , gnupg-users-requ...@gnupg.org wrote:
> From: Charly Avital <shavi...@gmail.com>
> To:
> Subject: Re: [Announce] [security fix] GnuPG 1.4.15 released
> [...]
> Hi,
> Version info: gnupg 1.4.15
> Configured for: Darwin (x86_64-apple-darwin12.5.0)
> Thanks Werner and the GnuPG team.
> Charly

Charly, did you compile with Xcode 5? I just tried and get an error:

  Undefined symbols for architecture x86_64:
    _iconv, referenced from:
        _native_to_utf8 in libutil.a(strgutil.o)
        _utf8_to_native in libutil.a(strgutil.o)
        __nl_find_msg in libintl.a(dcigettext.o)
    _iconv_close, referenced from:
        _native_to_utf8 in libutil.a(strgutil.o)
        _set_native_charset in libutil.a(strgutil.o)
        _utf8_to_native in libutil.a(strgutil.o)
    _iconv_open, referenced from:
        _native_to_utf8 in libutil.a(strgutil.o)
        _set_native_charset in libutil.a(strgutil.o)
        _utf8_to_native in libutil.a(strgutil.o)
        __nl_find_msg in libintl.a(dcigettext.o)
  ld: symbol(s) not found for architecture x86_64
  clang: error: linker command failed with exit code 1 (use -v to see invocation)
  make[2]: *** [gpg] Error 1
  make[1]: *** [all-recursive] Error 1
  make: *** [all] Error 2

Any suggestions to fix would be appreciated.

Thanks
Philip.
Re: [Announce] [security fix] GnuPG 1.4.15 released
Philip Neukom wrote on 10/5/13 7:56 PM:
> On 5.10.2013 9:53 , gnupg-users-requ...@gnupg.org wrote:
>> From: Charly Avital <shavi...@gmail.com>
>> To:
>> Subject: Re: [Announce] [security fix] GnuPG 1.4.15 released
>> [...]
>> Hi,
>> Version info: gnupg 1.4.15
>> Configured for: Darwin (x86_64-apple-darwin12.5.0)
>> Thanks Werner and the GnuPG team.
>> Charly
>
> Charly, did you compile with Xcode 5?

No, I used the Terminal:

1. Download and verify the source code.
2. cd to expanded source code.
3. ./configure
4. make
5. sudo make install.

Hope this helps.

Charly
0x15E4F2EA
Mac OS X 10.8.5 (12F37) MacBook Intel C2Duo 2GHz 13-inch, Aluminum, Late 2008.
(GnuPG/MacGPG2) 2.0.20 - gpg (GnuPG) 1.4.15
TB 24.0
Enigmail version 1.5.2 (20130703-1322)
Re: [Announce] [security fix] GnuPG 1.4.15 released
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi Philip,

On 05.10.13 18:56, Philip Neukom wrote:
> Charly, did you compile with Xcode 5? I just tried and get an error:
>
> Undefined symbols for architecture x86_64:
>   _iconv, referenced from:
> (...)
> Any suggestions to fix would be appreciated.

Do you have software installed by macports, homebrew or fink? If yes, try moving the /opt/local (or wherever homebrew or fink install their stuff) out of the way while building gpg.

HTH
Ludwig

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (Darwin)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBCgAGBQJSUGrBAAoJEA52XAUJWdLjMjkH/1UDSjsoDb9K1BceSNpaGmxW
2UppKkUVu6RLvdcl3GT8T+CufmAFbkODm2c7wRW99oTcGv1kknjE46o4FEWXJdv4
lW8IwkngN8iA1VSy2Ixs66DPGsr2G/MUKTkwm0cGrrtPCd0uwV6MLdN8RVY/ze7N
sNMMrgmXba250LfPQuj56JAy6nQ1iqdOMTfVOyZQyRVQyEOw55ilRJDpYJ3N4Chj
Peb7wHcAgS+bIKH4iS0K5zjlmv3KLvPvLGjB0MlOXBN8+meJqp43Sm9zq0OiV50o
bVGlLw1/wUVt08Weq0I/V3M07CaaDLbyfjGATKMeC4P6pHReiDHM/mnEPFSSuLs=
=b6/O
-----END PGP SIGNATURE-----
Re: [Announce] [security fix] GnuPG 1.4.15 released
On 5.10.2013 15:31 , Charly Avital wrote:
> Philip Neukom wrote on 10/5/13 7:56 PM:
>> On 5.10.2013 9:53 , gnupg-users-requ...@gnupg.org wrote:
>>> From: Charly Avital <shavi...@gmail.com>
>>> To:
>>> Subject: Re: [Announce] [security fix] GnuPG 1.4.15 released
>>> [...]
>>> Hi,
>>> Version info: gnupg 1.4.15
>>> Configured for: Darwin (x86_64-apple-darwin12.5.0)
>>> Thanks Werner and the GnuPG team.
>>> Charly
>>
>> Charly, did you compile with Xcode 5?
>
> No, I used the Terminal:
>
> 1. Download and verify the source code.
> 2. cd to expanded source code.
> 3. ./configure
> 4. make
> 5. sudo make install.
>
> Hope this helps.
>
> Charly
> 0x15E4F2EA
> Mac OS X 10.8.5 (12F37) MacBook Intel C2Duo 2GHz 13-inch, Aluminum, Late 2008.
> (GnuPG/MacGPG2) 2.0.20 - gpg (GnuPG) 1.4.15
> TB 24.0
> Enigmail version 1.5.2 (20130703-1322)

Thanks for the quick reply, Charly.

Hmmm. Yes I used the terminal also. With the update to 10.8.5, there was an update to Xcode and the Command Line Tools that you use to compile, make install. So that is the only thing that I can think of that changed on my system.

Michael also replied and he has no problems while using the newer command line tools from Xcode 5. For me the compile step works. But I have no idea why the make step gives so many warnings and then craps out.

Any suggestions of what to try are appreciated.

P.
Re: [Announce] [security fix] GnuPG 1.4.15 released
On 10/05/2013 08:56 AM, Werner Koch wrote:
> Hello!
>
> We are pleased to announce the availability of a new stable GnuPG-1 release: Version 1.4.15. This is a *security fix* release and all users are advised to update to this version. See below for the impact of the problem.

I'm using Thunderbird with Enigmail. Enigmail is at 1.5.2 (20130913-2148) and gpg is at 1.4.11. Is it best to wait for Enigmail to update, or to update gpg manually?

> [...]
Re: [Announce] [security fix] GnuPG 1.4.15 released
On 10/05/2013 10:09 PM, mirimir wrote:
> On 10/05/2013 08:56 AM, Werner Koch wrote:
>> We are pleased to announce the availability of a new stable GnuPG-1 release: Version 1.4.15. This is a *security fix* release and all users are advised to update to this version. See below for the impact of the problem.
>
> I'm using Thunderbird with Enigmail. Enigmail is at 1.5.2 (20130913-2148) and gpg is at 1.4.11. Is it best to wait for Enigmail to update, or to update gpg manually?

My understanding is that enigmail does not update gpg on its own. The version number of enigmail is not tied to the version number of gpg at all. You should update gpg manually.

hth,

--dkg

signature.asc
Description: OpenPGP digital signature