From wk at gnupg.org Wed Oct 11 12:18:15 2006 
From: wk at gnupg.org (Werner Koch)
Date: Wed Oct 11 12:21:40 2006
Subject: [Announce] GnuPG 1.9.92 released
Message-ID: <87mz832m1k.fsf@wheatstone.g10code.de>

Hello!

We are pleased to announce the availability of GnuPG 1.9.92 - one of the last steps towards a 2.0 release.

The 1.9 branch of GnuPG features the OpenPGP as well as the S/MIME protocol. You should consider using GnuPG 1.9 if you want to use S/MIME. The included GPG-AGENT is also helpful when using the stable GPG version 1.4 or if you want to use its ssh-agent replacement feature (including smart card support).

Note, that this version is still in beta state. The final release of GnuPG 2.0 is scheduled for November. Please watch the gnupg-users mailing list for announcement of more beta versions.

You may still use GnuPG 1.4.5 for OpenPGP as there is no conflict in installing both versions. The actual binary for OpenPGP has been renamed to gpg2 in GnuPG 1.9. There are no plans to give up development on 1.4 after the 2.0 release.

There are quite some changes since the announcement of 1.9.20 back in December:

 * New "relax" flag for trustlist.txt to allow root CA certificates without BasicConstraints.
 * [gpg2] Removed the -k PGP 2 compatibility hack. -k is now an alias for --list-keys.
 * [gpg2] Print a warning if "-sat" is used instead of "--clearsign".
 * Regular man pages for most tools are now built directly from the Texinfo source.
 * Included translations from gnupg 1.4.5.
 * The gpg code from 1.4.5 has been fully merged into this release. The configure option --enable-gpg is still required to build this gpg part. For production use of OpenPGP the gpg version 1.4.5 is still recommended. Note, that gpg will be installed under the name gpg2 to allow coexisting with an 1.4.x gpg.
 * API change in gpg-agent's pkdecrypt command. Thus an older gpgsm may not be used with the current gpg-agent.
 * The scdaemon will now call a script on reader status changes.
 * gpgsm now allows file descriptor passing for "INPUT", "OUTPUT" and "MESSAGE".
 * The gpgsm server may now output a key listing to the output file handle. This needs to be enabled using "OPTION list-to-output=1".
 * The --output option of gpgsm has now an effect on list-keys.
 * New gpgsm commands --dump-chain and list-chain.
 * gpg-connect-agent has new options to utilize descriptor passing.
 * A global trustlist may now be used. See doc/examples/trustlist.txt.
 * When creating a new pubring.kbx keybox common certificates are imported.
 * Enhanced pkcs#12 support to allow import from simple keyBags.
 * Exporting to pkcs#12 now creates bag attributes so that Mozilla is able to import the files.
 * Pkcs#12 files are now created with a MAC. This is for better interoperability.
 * Fixed uploading of certain keys to the smart card.
 * New command APDU for scdaemon to allow using it for general card access. Might be used through gpg-connect-agent by using the SCD prefix command.
 * Support for the CardMan 4040 PCMCIA reader (Linux 2.6.15 required).
 * Scdaemon does not anymore reset cards at the end of a connection.
 * Kludge to allow use of Bundesnetzagentur issued X.509 certificates.
 * Added --hash=xxx option to scdaemon's PKSIGN command.

You may download GnuPG 1.9.92 from one of the mirrors as listed at http://www.gnupg.org/download/mirrors.html or direct from the master server ftp://ftp.gnupg.org:

  ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.9.92.tar.bz2 (3703k)
  ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.9.92.tar.bz2.sig

or as a patch against the previous release:

  ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.9.91-1.9.92.diff.bz2 (20k)

SHA-1 checksums for the above files are:

8021f1b170bde91fa4e7126c0dd8db2c69c7a8f5 gnupg-1.9.92.tar.bz2
24b28871d3ffb60f79878b33286160ec55a9b3e6 gnupg-1.9.91-1.9.92.diff.bz2

For help on installing or running GnuPG 1.9 you should send mail to the gnupg-users mailing list or to one of the country specific lists.
See http://www.gnupg.org/documentation/mailing-lists.html .

Improving GnuPG is costly, but you can help! We are looking for organizations that find GnuPG useful and wish to contribute back. You can contribute by reporting bugs, improving the software, or by donating money.

Commercial support contracts for GnuPG are available, and they help finance continued maintenance. g10 Code GmbH, a Duesseldorf based company owned and headed by gpg's principal author, is currently funding GnuPG development. We are always looking for interesting development projects. A service directory is available at http://www.gnupg.org/service.html .

The GnuPG project is looking for a new logo. The contest runs until end of this month. See http://www.gnupg.org/misc/logo-contest.html

Happy hacking,

  Werner

--
Werner Koch
The GnuPG Experts http://g10code.com
Join the Fellowship and protect your Freedom! http://www.fsfe.org

From wk at gnupg.org Thu Oct 26 09:54:52 2006
From: wk at gnupg.org (Werner Koch)
Date: Thu Oct 26 09:56:55 2006
Subject: [Announce] GnuPG logo contest - 5 days to go
Message-ID: <874ptrfr5f.fsf@wheatstone.g10code.de>

Hi,

this is a reminder that the contest for a new GnuPG logo will close next Tuesday. We already got 13 promising submissions. There is still time to send more. Please read and follow the rules at

  http://www.gnupg.org/misc/logo-contest.html

To support this contest you are also asked to donate money which will be given as a prize to the winner of the contest (see above).

The actual submissions will be published from November 1 on at

  http://logo-contest.gnupg.org/

The logos you currently see there are suggestions which have not been submitted to the contest.

We hope to be able to announce a winner 10 days later at the Fellowship meeting of the FSFE at Bolzano [1].

Salam-Shalom,

  Werner

[1] http://www.fsfe.org/en/events/first_international_annual_meeting_of_the_fellows_of_fsfe

--
Werner Koch
The GnuPG Experts http://g10code.com
Join the Fellowship and protect your Freedom! http://www.fsfe.org

From wk at gnupg.org Tue Oct 31 20:54:07 2006
From: wk at gnupg.org (Werner Koch)
Date: Tue Oct 31 20:56:19 2006
Subject: [Announce] libassuan 1.0.0 released
Message-ID: <8764e0gt28.fsf@wheatstone.g10code.de>

Hi!

To prepare the GnuPG 2.0 release, Libassuan 1.0.0 has been released today.

Libassuan is the IPC library used by GnuPG 1.9 and a couple of other packages. It used to be included with these packages but we decided to make your life not too easy and separated it out to a stand alone library.

Libassuan is available at

  ftp://ftp.gnupg.org/gcrypt/libassuan/libassuan-1.0.0.tar.bz2 (255k)
  ftp://ftp.gnupg.org/gcrypt/libassuan/libassuan-1.0.0.tar.bz2.sig

There are no actual code changes since the last release, only some cleanups and a complete manual. The manual is online available at

  http://www.gnupg.org/documentation/manuals/assuan/

Shalom-Salam,

  Werner

p.s. Commercial support contracts for Libassuan and related software are available, and they help finance continued maintenance. g10 Code, a Duesseldorf based company owned and headed by Libassuan's principal author, is currently funding Libassuan development. We are always looking for interesting development projects.

--
Werner Koch
The GnuPG Experts http://g10code.com
Join the Fellowship and protect your Freedom! http://www.fsfe.org

From wk at gnupg.org Mon Nov 13 12:27:32 2006
From: wk at gnupg.org (Werner Koch)
Date: Mon Nov 13 12:30:23 2006
Subject: [Announce] GnuPG 2.0 released
Message-ID: <87d57r37tn.fsf@wheatstone.g10code.de>

Hello!

The GNU project is pleased to announce the availability of a new stable GnuPG release: Version 2.0.0.

The GNU Privacy Guard (GnuPG) is GNU's tool for secure communication and data storage. It can be used to encrypt data, create digital signatures, help authenticating using Secure Shell and to provide a framework for public key cryptography. It includes an advanced key management facility and is compliant with the OpenPGP and S/MIME standards.

GnuPG-2 has a different architecture than GnuPG-1 (e.g. 1.4.5) in that it splits up functionality into several modules. However, both versions may be installed alongside without any conflict. In fact, the gpg version from GnuPG-1 is able to make use of the gpg-agent as included in GnuPG-2 and allows for seamless passphrase caching. The advantage of GnuPG-1 is its smaller size and the lack of dependency on other modules at run and build time. We will keep maintaining GnuPG-1 versions because they are very useful for small systems and for server based applications requiring only OpenPGP support.

GnuPG is distributed under the terms of the GNU General Public License (GPL). GnuPG-2 works best on GNU/Linux or *BSD systems. Other POSIX compliant systems are also supported but have not yet been tested very well.

What's New in GnuPG-2
=====================

 * The *gpg-agent* is the central place to maintain private keys and to cache passphrases. It is implemented as a daemon to be started with a user session.
 * *gpgsm* is an implementation of the X.509 and CMS standards and provides the cryptographic core to implement the S/MIME protocol. The command line interface is very similar to the one of gpg. This helps adding S/MIME to applications currently providing OpenPGP support.
 * *scdaemon* is a daemon run by gpg-agent to access different types of smart cards using a unified interface.
 * *gpg-connect-agent* is a tool to help scripts directly accessing services of gpg-agent and scdaemon.
 * *gpgconf* is a tool to maintain the configuration files of all modules using a well defined API.
 * Support for Dirmngr, a separate package to maintain certificate revocation lists, do OCSP requests and to run LDAP queries.
 * Support for the Secure Shell Agent protocol. In fact, gpg-agent may be used as full replacement of the commonly used ssh-agent daemon.
 * Smart card support for the Secure Shell.
 * Documentation is now done in Texinfo. Thus besides Info, HTML and PDF versions may easily be generated.
 * Man pages for all tools.

Getting the Software
====================

Please follow the instructions found at http://www.gnupg.org/download/ or read on:

GnuPG 2.0.0 may be downloaded from one of the GnuPG mirror sites or direct from ftp://ftp.gnupg.org/gcrypt/ . The list of mirrors can be found at http://www.gnupg.org/mirrors.html . Note, that GnuPG is not available at ftp.gnu.org.

On the mirrors you should find the following files in the *gnupg* directory:

  gnupg-2.0.0.tar.bz2 (3.8M)
  gnupg-2.0.0.tar.bz2.sig

      GnuPG source compressed using BZIP2 and OpenPGP signature.

Please try another mirror if exceptionally your mirror is not yet up to date.

GnuPG-2 requires a couple of libraries to be installed; see the README file or the output of the configure run for details.

Checking the Integrity
======================

In order to check that the version of GnuPG which you are going to install is an original and unmodified one, you can do it in one of the following ways:

 * If you already have a trusted version of GnuPG installed, you can simply check the supplied signature. For example to check the signature of the file gnupg-2.0.0.tar.bz2 you would use this command:

     gpg --verify gnupg-2.0.0.tar.bz2.sig

   This checks whether the signature file matches the source file.
   You should see a message indicating that the signature is good and made by that signing key. Make sure that you have the right key, either by checking the fingerprint of that key with other sources or by checking that the key has been signed by a trustworthy other key. Note, that you can retrieve the signing key using the command

     finger wk ,at' g10code.com

   or using a key server like

     gpg --recv-key 1CE0C630

   The distribution key 1CE0C630 is signed by the well known key 5B0358A2. If you get a key expired message, you should retrieve a fresh copy as the expiration date might have been prolonged.

   NEVER USE A GNUPG VERSION YOU JUST DOWNLOADED TO CHECK THE INTEGRITY OF THE SOURCE - USE AN EXISTING GNUPG INSTALLATION!

 * If you are not able to use an existing version of GnuPG, you have to verify the SHA-1 checksum. Assuming you downloaded the file gnupg-2.0.0.tar.bz2, you would run the sha1sum command like this:

     sha1sum gnupg-2.0.0.tar.bz2

   and check that the output matches this:

     c335957368ea88bcb658922e7d3aae7e3ac6896d gnupg-2.0.0.tar.bz2

Internationalization
====================

GnuPG comes with support for 27 languages. Due to a lot of new and changed strings most translations are not entirely complete. However the Turkish and German translators have been very fast in completing their translations. The Russian one came in just a few hours too late. Updates of the other translations are expected for the next releases.

Documentation
=============

We are currently working on an installation guide to explain in more detail how to configure the new features. As of now the chapters on gpg-agent and gpgsm include brief information on how to set up the whole thing. Please watch the GnuPG website for updates of the documentation. In the meantime you may search the GnuPG mailing list archives or ask on the gnupg-users mailing lists for advice on how to solve problems. Many of the new features are around for several years and thus enough public knowledge is already available.
Support
=======

Improving GnuPG is costly, but you can help! We are looking for organizations that find GnuPG useful and wish to contribute back. You can contribute by reporting bugs, improving the software, or by donating money.

Commercial support contracts for GnuPG are available, and they help finance continued maintenance. g10 Code GmbH, a Duesseldorf based company owned and headed by GnuPG's principal author, is currently funding GnuPG development. We are always looking for interesting development projects.

A service directory is available at:

  http://www.gnupg.org/service.html

Thanks
======

We have to thank all the people who helped with this release, be it testing, coding, translating, suggesting, auditing, administering the servers, spreading the word or answering questions on the mailing lists.

Happy Hacking,

  The GnuPG Team (David, Werner and all other contributors)

--
Werner Koch
The GnuPG Experts http://g10code.com
Join the Fellowship and protect your Freedom! http://www.fsfe.org

From marcus.brinkmann at ruhr-uni-bochum.de Mon Nov 13 16:25:20 2006
From: marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann)
Date: Mon Nov 13 17:24:09 2006
Subject: [Announce] Scute 1.0 released
Message-ID: <87y7qfl673.wl%marcus.brinkmann@ruhr-uni-bochum.de>

Hello!

g10 Code GmbH is pleased to announce the availability of the new software package Scute.

Scute is a PKCS #11 implementation for the OpenPGP card using the GnuPG 2.0 framework. It allows you to use your OpenPGP card for client authentication in Mozilla-based web browsers.

Scute is distributed under the terms of the GNU General Public License (GPL). Scute works best on GNU/Linux or *BSD systems. Other POSIX compliant systems are also supported but have not yet been tested very well.

Getting the Software
====================

Please follow the instructions found at http://www.scute.org/download.xhtml or read on:

Scute may be downloaded from one of the GnuPG mirror sites or directly from ftp://ftp.gnupg.org/gcrypt/ . The list of mirrors can be found at http://www.gnupg.org/mirrors.html .

On the mirrors you should find the following files in the *scute* directory:

  scute-1.0.0.tar.bz2
  scute-1.0.0.tar.bz2.sig

      Scute source compressed using BZIP2 and OpenPGP signature.

Please try another mirror if exceptionally your mirror is not yet up to date.

Scute requires a couple of libraries to be installed; see the README file for details.

Checking the Integrity
======================

In order to check that the version of Scute which you are going to install is an original and unmodified one, simply check the supplied signature. For example to check the signature of the file scute-1.0.0.tar.bz2 you would use this command:

  gpg --verify scute-1.0.0.tar.bz2.sig

This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by that signing key.
Make sure that you have the right key, either by checking the fingerprint of that key with other sources or by checking that the key has been signed by a trustworthy other key. Note, that you can retrieve the signing key using the command

  finger wk ,at' g10code.com

or using a key server like

  gpg --recv-key 1CE0C630

The distribution key 1CE0C630 is signed by the well known key 5B0358A2. If you get a key expired message, you should retrieve a fresh copy as the expiration date might have been prolonged.

NEVER USE A GNUPG VERSION YOU JUST DOWNLOADED TO CHECK THE INTEGRITY OF THE SOURCE - USE AN EXISTING GNUPG INSTALLATION!

Documentation
=============

Documentation is currently only available in the file README. More detailed instructions will be part of the next version and become available on the web page in the next two weeks.

Support
=======

Improving Scute is costly, but you can help! We are looking for organizations that find Scute useful and wish to contribute back. You can contribute by reporting bugs, improving the software, or by donating money.

Commercial support contracts for Scute are available, and they help finance continued maintenance. g10 Code GmbH, a Duesseldorf based company owned and headed by GnuPG's principal author, is currently funding Scute development. We are always looking for interesting development projects.

Happy Hacking,

  The Scute Team (Werner and Marcus)

From wk at gnupg.org Mon Nov 27 18:13:02 2006
From: wk at gnupg.org (Werner Koch)
Date: Mon Nov 27 19:04:50 2006
Subject: [Announce] GnuPG 1.4 and 2.0 buffer overflow
Message-ID: <87mz6cke3l.fsf@wheatstone.g10code.de>

GnuPG 1.4 and 2.0 buffer overflow
==================================

Summary
=======

While fixing a bug reported by Hugh Warrington, a buffer overflow has been identified in all released GnuPG versions. The current versions 1.4.5 and 2.0.0 are affected. A small patch is provided.

Please do not send private mail in response to this message. The mailing list gnupg-devel is the best place to discuss this problem (please subscribe first so you don't need moderator approval [1]).

Impact
======

When running GnuPG interactively, specially crafted messages may be used to crash gpg or gpg2. Running gpg in batch mode, as done by all software using gpg as a backend (e.g. mailers), is not affected by this bug.

Exploiting this overflow seems to be possible.

gpg-agent, gpgsm, gpgv or other tools from the GnuPG suite are not affected.

Solution
========

Apply the following patch to GnuPG. It should apply cleanly to current versions (1.4.5 as well as 2.0.0) but might also work for older versions.

2006-11-27 Werner Koch

 * openfile.c (ask_outfile_name): Fixed buffer overflow occurring if make_printable_string returns a longer string. Fixes bug 728.

--- g10/openfile.c (revision 4348) +++ g10/openfile.c (working copy) 
@@ -144,8 +144,8 @@ s = _("Enter new filename"); - n = strlen(s) + namelen + 10; defname = name && namelen? make_printable_string( name, namelen, 0): NULL; + n = strlen(s) + (defname?strlen (defname):0) + 10; prompt = xmalloc(n); if( defname ) sprintf(prompt, "%s [%s]: ", s, defname );

Background:
===========

The code in question has been introduced on July 1, 1999 and is a pretty obvious bug. make_printable_string is supposed to replace possible dangerous characters from a prompt and returns a malloced string. Thus this string may be longer than the original one; the buffer for the prompt has only been allocated at the size of the original string - oops.

Note, that using snprintf would not have helped in this case. How I wish C-90 had introduced asprintf or at least it would be available on more platforms.

The original bug report is at https://bugs.g10code.com/gnupg/issue728 .

===

[1] See http://lists.gnupg.org/mailman/listinfo/gnupg-devel .

--
Werner Koch
The GnuPG Experts http://g10code.com
Join the Fellowship and protect your Freedom! http://www.fsfe.org

From wk at gnupg.org Wed Nov 29 14:55:45 2006
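Review bot: the bare constant 10 in the added line `n = strlen(s) + (defname?strlen (defname):0) + 10;` is now the only thing tying the allocation to the unbounded `sprintf(prompt, "%s [%s]: ", s, defname );` two lines below it. The arithmetic is right for the visible format (five literal characters plus the terminator fit in the 10 bytes of slack), but nothing stops a later change to the format string or to a translated `s` handling from outgrowing it silently. I would add a comment saying what the 10 covers and switch the call to `snprintf(prompt, n, ...)` so the write stays bounded by `n` whatever the format becomes. Since make_printable_string returns allocated memory, it is also worth confirming outside this hunk that `defname` is freed once the prompt has been built.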
From: wk at gnupg.org (Werner Koch)
Date: Wed Nov 29 14:57:53 2006
Subject: [Announce] GnuPG 2.0.1 released
Message-ID: <877ixetl0e.fsf@wheatstone.g10code.de>

Hello!

We are pleased to announce the availability of a new stable GnuPG-2 release: Version 2.0.1

This is a maintenance release to fix build problems found after the release of 2.0.0 and to fix a buffer overflow in gpg2.

The GNU Privacy Guard (GnuPG) is GNU's tool for secure communication and data storage. It can be used to encrypt data, create digital signatures, help authenticating using Secure Shell and to provide a framework for public key cryptography. It includes an advanced key management facility and is compliant with the OpenPGP and S/MIME standards.

GnuPG-2 has a different architecture than GnuPG-1 (e.g. 1.4.5) in that it splits up functionality into several modules. However, both versions may be installed alongside without any conflict. In fact, the gpg version from GnuPG-1 is able to make use of the gpg-agent as included in GnuPG-2 and allows for seamless passphrase caching. The advantage of GnuPG-1 is its smaller size and the lack of dependency on other modules at run and build time. We will keep maintaining GnuPG-1 versions because they are very useful for small systems and for server based applications requiring only OpenPGP support.

GnuPG is distributed under the terms of the GNU General Public License (GPL). GnuPG-2 works best on GNU/Linux or *BSD systems. A port to Windows is planned but work has not yet started.

Getting the Software
====================

Please follow the instructions found at http://www.gnupg.org/download/ or read on:

GnuPG 2.0.1 may be downloaded from one of the GnuPG mirror sites or direct from ftp://ftp.gnupg.org/gcrypt/ . The list of mirrors can be found at http://www.gnupg.org/mirrors.html . Note, that GnuPG is not available at ftp.gnu.org.
On the mirrors you should find the following files in the *gnupg* directory:

  gnupg-2.0.1.tar.bz2 (3.8Mk)
  gnupg-2.0.1.tar.bz2.sig

      GnuPG source compressed using BZIP2 and OpenPGP signature.

  gnupg-2.0.0-2.0.1.diff.bz2 (220k)

      A patch file to upgrade a 2.0.0 GnuPG source. This is only that large due to an update of the included gettext module.

Note, that we don't distribute gzip compressed tarballs.

Checking the Integrity
======================

In order to check that the version of GnuPG which you are going to install is an original and unmodified one, you can do it in one of the following ways:

 * If you already have a trusted version of GnuPG installed, you can simply check the supplied signature. For example to check the signature of the file gnupg-2.0.1.tar.bz2 you would use this command:

     gpg --verify gnupg-2.0.1.tar.bz2.sig

   This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by that signing key. Make sure that you have the right key, either by checking the fingerprint of that key with other sources or by checking that the key has been signed by a trustworthy other key. Note, that you can retrieve the signing key using the command

     finger wk ,at' g10code.com

   or using a keyserver like

     gpg --recv-key 1CE0C630

   The distribution key 1CE0C630 is signed by the well known key 5B0358A2. If you get a key expired message, you should retrieve a fresh copy as the expiration date might have been prolonged.

   NEVER USE A GNUPG VERSION YOU JUST DOWNLOADED TO CHECK THE INTEGRITY OF THE SOURCE - USE AN EXISTING GNUPG INSTALLATION!

 * If you are not able to use an old version of GnuPG, you have to verify the SHA-1 checksum.
   Assuming you downloaded the file gnupg-2.0.1.tar.bz2, you would run the sha1sum command like this:

     sha1sum gnupg-2.0.1.tar.bz2

   and check that the output matches the first line from the following list:

ec84ffb1d2ac013dc0afb5bdf8b9df2c838673e9 gnupg-2.0.1.tar.bz2
c6cca309b12700503bb4c671491ebf7a4cd6f1be gnupg-2.0.0-2.0.1.diff.bz2

What's New
===========

 * Experimental support for the PIN pads of the SPR 532 and the Kaan Advanced card readers. Add "disable-keypad" to scdaemon.conf if you don't want it. Does currently only work for the OpenPGP card and its authentication and decrypt keys.
 * Fixed build problems on some platforms and crashes on amd64.
 * Fixed a buffer overflow in gpg2. [bug#728]

Internationalization
====================

GnuPG comes with support for 27 languages. Due to a lot of new and changed strings most translations are not entirely complete. However the Turkish, German and Russian translators have meanwhile finished their translations. Updates of the other translations are expected for the next releases.

Documentation
=============

We are currently working on an installation guide to explain in more detail how to configure the new features. As of now the chapters on gpg-agent and gpgsm include brief information on how to set up the whole thing. Please watch the GnuPG website for updates of the documentation. In the meantime you may search the GnuPG mailing list archives or ask on the gnupg-users mailing lists for advice on how to solve problems. Many of the new features are around for several years and thus enough public knowledge is already available.

Support
=======

Improving GnuPG is costly, but you can help! We are looking for organizations that find GnuPG useful and wish to contribute back. You can contribute by reporting bugs, improving the software, or by donating money.

Commercial support contracts for GnuPG are available, and they help finance continued maintenance.
g10 Code GmbH, a Duesseldorf based company owned and headed by GnuPG's principal author, is currently funding GnuPG development. We are always looking for interesting development projects.

A service directory is available at:

  http://www.gnupg.org/service.html

Thanks
======

We have to thank all the people who helped with this release, be it testing, coding, translating, suggesting, auditing, administering the servers, spreading the word or answering questions on the mailing lists.

Happy Hacking,

  The GnuPG Team (David, Werner and all other contributors)

--
Werner Koch
The GnuPG Experts http://g10code.com
Join the Fellowship and protect your Freedom! http://www.fsfe.org

From wk at gnupg.org Wed Nov 29 15:12:56 2006
From: wk at gnupg.org (Werner Koch)
Date: Wed Nov 29 15:15:06 2006
Subject: [Announce] Dirmngr 1.0.0 released
Message-ID: <87u00is5nb.fsf@wheatstone.g10code.de>

Hi!

We are pleased to announce the availability of Dirmngr version 1.0.0.

Dirmngr is a server for managing and downloading certificate revocation lists (CRLs) for X.509 certificates and for downloading the certificates themselves. Dirmngr also handles OCSP requests as an alternative to CRLs. Dirmngr is either invoked internally by gpgsm (from GnuPG-2) or when running as a system daemon through the dirmngr-client tool.

Get it from:

  ftp://ftp.gnupg.org/gcrypt/dirmngr/dirmngr-1.0.0.tar.bz2 (416k)
  ftp://ftp.gnupg.org/gcrypt/dirmngr/dirmngr-1.0.0.tar.bz2.sig

or as a patch against the last beta version:

  ftp://ftp.gnupg.org/gcrypt/alpha/dirmngr/dirmngr-0.9.7-1.0.0.diff.bz2 (35k)

SHA-1 checksums are:

7ab362ec505ed154b00408bb4fd902bf4773fcea dirmngr-1.0.0.tar.bz2
6d4fee6f196daf65442b58ea923263ff5062796d dirmngr-0.9.7-1.0.0.diff.bz2

What's new in this release
=========================

 * Bumped the version number.
 * Removed included gettext. We now require the system to provide a suitable installation.

Documentation
=============

Dirmngr comes with man pages as well as with a texinfo based manual. Run "info dirmngr" to read the manual or run

  make -C doc dirmngr.pdf

to build a printable version. If you have questions on the use of Dirmngr, feel free to ask at gnupg-users@gnupg.org.

Support
=======

Improving Dirmngr is costly, but you can help! We are looking for organizations that find Dirmngr useful and wish to contribute back. You can contribute by reporting bugs, improving the software, or by donating money.

Commercial support contracts for Dirmngr are available, and they help finance continued maintenance. g10 Code GmbH, a Duesseldorf based company owned and headed by GnuPG's principal author, is currently funding Dirmngr development. We are always looking for interesting development projects.
A service directory is available at:

  http://www.gnupg.org/service.html

Thanks
======

We have to thank all the people who helped with this release. In particular Steffen Hansen who wrote the initial version and the folks at Intevation GmbH who helped a lot by providing infrastructure for testing and development.

Happy Hacking,

  Werner

--
Werner Koch
The GnuPG Experts http://g10code.com
Join the Fellowship and protect your Freedom! http://www.fsfe.org

From wk at gnupg.org Sat Dec 2 18:45:07 2006
From: wk at gnupg.org (Werner Koch)
Date: Sat Dec 2 18:46:53 2006
Subject: [Announce] Re: GnuPG Logo Contest
In-Reply-To: <87ac4w9fji.fsf@wheatstone.g10code.de> (Werner Koch's message of "Tue\, 19 Sep 2006 15\:01\:05 +0200")
References: <87ac4w9fji.fsf@wheatstone.g10code.de>
Message-ID: <87slfy9opo.fsf@wheatstone.g10code.de>

Hello,

Back in September I announced a contest for a new GnuPG logo. By the end of October I received 41 submissions from 31 parties.

The original plan was to let all the authors of GnuPG who signed a copyright assignment with the FSF to vote on a new logo. However, I only received 11 answers and there was no clear result: Only one submission got 2 votes. It would have been unfair to take this as a decision.

So I looked around and found the CIVS [1] which implements a Condorcet voting system. I fed it with the addresses of all subscribers of the gnupg-users and gnupg-devel mailing lists and started the process. From the 1231 unique subscribers, 199 took the time to rank the submissions and cast their vote.

This time the result is pretty clear: Thomas Wittek [2] from Cologne is the lucky winner. He will soon see his design used with GnuPG and also receive 50 percent of the received donation (we received as of now 215 Euro but further donations won't be rejected [3]). Unfortunately I can't offer him a mail alias thomas at gnupg because this has been assigned to the creator of the old logo.

Ranks 2 and 3 are held by Robbie Tingey and Michel Blinn. They will receive an email alias for their contribution.

If you like to see the new logo, point your browser to

  http://logo-contest.gnupg.org

You will also find the detailed results of the ballot, all submissions and the list of sponsors.

I want to thank all who submitted a logo to the contest as well as those who worked on a logo but submitted it too late. There are some really cool designs and I hope that some can be reused for another project.
Special thanks to the sponsors: Intevation GmbH, Markus Komosinski, Parag Mehta, Folkert van Heusden, Ralph Angenendt, Alexander Tomisch, Robert Workman, Simon Josefsson. The remaining funds will be used to help with a new website design.

Many thanks to all,

  Werner

[1] http://www.cs.cornell.edu/andru/civs.html
[2] http://gedankenkonstrukt.de/ueber/ (German)
[3] http://www.gnupg.org/misc/logo-contest.html

--
Werner Koch
The GnuPG Experts http://g10code.com
Join the Fellowship and protect your Freedom! http://www.fsfe.org

From wk at g10code.com Wed Dec 6 16:55:52 2006
From: wk at g10code.com (Werner Koch)
Date: Wed Dec 6 18:03:24 2006
Subject: [Announce] GnuPG: remotely controllable function pointer [CVE-2006-6235]
Message-ID: <87psaxc92v.fsf@wheatstone.g10code.de>

Skipped content of type multipart/mixed

From wk at gnupg.org Thu Dec 7 17:07:12 2006
From: wk at gnupg.org (Werner Koch)
Date: Thu, 07 Dec 2006 17:07:12 +0100
Subject: [Announce] Maintenance release for GnuPG 1.2.x
Message-ID: <87psavbsgf.fsf@wheatstone.g10code.de>

Hello,

I am pleased to announce a security update to the 1.2 series of GnuPG: Version 1.2.8.

The 1.2.x series has reached end of life status about 2 years ago. However, I make an update available for the sake of those who can't migrate to 1.4. There is no guarantee that all problems are solved in 1.2 - it is in general better to migrate to the actively maintained 1.4 series.

You will find that version as well as corresponding signatures at the usual place (ftp://ftp.gnupg.org/gcrypt/gnupg/).

Noteworthy changes in version 1.2.8 (2006-12-07)
------------------------------------------------

Backported security fixes. Note, that the 1.2.x series has reached end of life status. You should migrate to 1.4.x.

 * Fixed a serious and exploitable bug in processing encrypted packages. [CVE-2006-6235].
 * Fixed a buffer overflow in gpg. [bug#728, CVE-2006-6169]
 * User IDs are now capped at 2048 bytes. This avoids a memory allocation attack [CVE-2006-3082].
 * Added countermeasures against the Mister/Zuccherato CFB attack.

Happy Hacking,

  Werner

--
Werner Koch
The GnuPG Experts http://g10code.com
Join the Fellowship and protect your Freedom! http://www.fsfe.org
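
The "Checking the Integrity" steps repeated in the GnuPG 2.0.0, Scute 1.0 and GnuPG 2.0.1 announcements above, written as a script. This is an added example, not code from the announcements or from the GnuPG project: the function names, the fingerprint and the sample status lines are constructed for illustration, and it assumes the caller supplies the full 40-digit fingerprint of the distribution key (the mails quote only short key IDs).

```shell
#!/bin/sh
# Added example. Function names and sample data are constructed, not GnuPG's.

# sig_status_ok EXPECTED_FPR
# Reads the output of `gpg --status-fd 1 --verify SIG FILE` on stdin.
# Succeeds only when a VALIDSIG line names EXPECTED_FPR (as the signing key
# or as its primary key) and no line reports a bad signature or an expired
# or revoked key. Returns 2 when EXPECTED_FPR is not 40 hex digits, so a
# short key ID cannot be used as the pin.
sig_status_ok() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ "${#want}" -eq 40 ] || return 2
    case $want in *[!0-9A-F]*) return 2 ;; esac
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && ($3 == want || $NF == want) { good = 1 }
        END { exit (good && !bad) ? 0 : 1 }
    '
}

# verify_release GPG_BIN FILE SIG EXPECTED_FPR
# GPG_BIN must be a gpg that was already installed and trusted before the
# download, never one built from FILE itself.
verify_release() {
    "$1" --batch --status-fd 1 --verify "$3" "$2" 2>/dev/null |
        sig_status_ok "$4"
}

# sha1_matches FILE ANNOUNCED_LINE
# Fallback when no trusted gpg exists. ANNOUNCED_LINE uses the layout of the
# checksum lists in the announcements: "<40 hex digits> <file name>".
# Returns 0 on match, 1 on mismatch, 2 when the line or the file is unusable.
sha1_matches() {
    file=$1 line=$2
    want=$(printf '%s' "${line%% *}" | tr 'A-F' 'a-f')
    name=${line##* }
    [ "${#want}" -eq 40 ] || return 2
    case $want in *[!0-9a-f]*) return 2 ;; esac
    # The announced name must be the file being checked, not another entry.
    [ "$name" = "${file##*/}" ] || return 2
    [ -f "$file" ] || return 2
    got=$(sha1sum < "$file") || return 2
    [ "${got%% *}" = "$want" ]
}

# Constructed sample data (not a real key or a real gpg run).
SAMPLE_FPR=0123456789ABCDEF0123456789ABCDEF01234567
SAMPLE_GOOD="[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Signer <signer@example.org>
[GNUPG:] VALIDSIG $SAMPLE_FPR 2006-11-29 1164808000 0 4 0 17 2 00 $SAMPLE_FPR"
# Same signature, but the signing key has expired: the announcements say to
# fetch a fresh copy of the key, so this is treated as a failure.
SAMPLE_EXPIRED="[GNUPG:] EXPKEYSIG 89ABCDEF01234567 Constructed Signer <signer@example.org>
[GNUPG:] VALIDSIG $SAMPLE_FPR 2006-11-29 1164808000 0 4 0 17 2 00 $SAMPLE_FPR"
```

A plain `gpg --verify` exit status says only that some key in the keyring made a good signature; comparing the VALIDSIG fingerprint is what ties the result to the distribution key.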