Don't use 0.3.5 !!!
Kirk Fort
kfort at kfort.dyn.ml.org
Fri Sep 18 10:16:59 CEST 1998
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
This is a little off track, but does anyone have any good ideas on how to
check those detached signatures using pine and gpg? If you hit e to export
the msg it copies the headers too, and that's no good for a detached
signature. I guess I could write a program to strip out the headers and
MIME stuff if I can figure out where exactly they begin and end. I also
found it a little humorous that the precedence on Werner's message was
'bulk'. I will look at diffs if it helps out Werner and the project. I
know it's tough coding encryption stuff. A lot of pressure to do it right.
I also noticed last night that I wasn't able to decrypt messages made with
gpg with pgp. I didn't test this extensively, but it appeared to be
different than what was happening in 0.3.4. The message was done using
cast5 and I even tried the -z 0 option. I guess signatures are still good
since I believe they are just encrypted using the public key scheme. Oh,
btw, I was never able to get gpg -c to encrypt the multiple files. I thought
I had it working but it didn't. I tried about 3 or 4 different ways to do
it and always came up with a bug I couldn't figure out. So goes
programming I guess.
Kirk
On Fri, 18 Sep 1998, Werner Koch wrote:
> Please do not use version 0.3.5 of GNUPG!
>
> I have applied a SERIOUS bug while implementing the weak key detection
> code!
>
> All session keys (not the public keys) and keys for conventional
> encryption are NOT random!
>
> DON'T USE THIS VERSION!
>
> I moved a line of code instead of copying it. See g10/seskey.c
> function make_session_key() - It is a very stupid bug.
>
> I apologize for this bad version.
>
> To avoid such hassle in the future I'd suggest that some of you
> should look over the diffs to see whether there might be serious
> problems. A complete code-walk would be a good idea anyway.
>
>
> Sorry,
>
> Werner
>
>
-----BEGIN PGP SIGNATURE-----
Version: GNUPG v0.3.5 (FreeBSD)
Comment: Get GNUPG from ftp://ftp.guug.de/pub/gcrypt/
iEYEARECAAYFAjYCXVEACgkQf+niZZlBRVN78wCeNExsb/k+cgd91nZegAOwN3fbFLUAn1un
sgit2RlR9f9ulBwuXD6Nl86D
=HDUV
-----END PGP SIGNATURE-----
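Added example (not part of the original post and not GnuPG code): one way to do the header and MIME stripping asked about above, assuming the detached signature arrives as a PGP/MIME `multipart/signed` message (RFC 2015). The function name `split_pgp_mime` and the sample message are constructed for illustration.

```python
import re
from email import message_from_bytes

# Constructed sample (LF line endings, as a Unix mail client would export it);
# the signature block is a placeholder, not a real signature.
SAMPLE = b"""\
From: alice@example.org
Subject: test
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
 protocol="application/pgp-signature"; boundary="b1"

This is a preamble.
--b1
Content-Type: text/plain; charset=us-ascii

Hello list,
--not a boundary
bye

--b1
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
(constructed placeholder)
-----END PGP SIGNATURE-----

--b1--
"""

def split_pgp_mime(raw: bytes):
    """Return (signed_bytes, signature_bytes) from a multipart/signed message."""
    msg = message_from_bytes(raw)
    boundary = msg.get_boundary()
    if msg.get_content_type() != "multipart/signed" or not boundary:
        raise ValueError("not a multipart/signed message")
    # The signature covers the canonical form: every line ends in CRLF.
    data = re.sub(rb"\r?\n", b"\r\n", raw)
    body = data.partition(b"\r\n\r\n")[2]  # drop the outer mail headers
    # The CRLF before a delimiter line belongs to the delimiter, not the part.
    delim = re.compile(rb"(?:^|\r\n)--" + re.escape(boundary.encode("ascii"))
                       + rb"(?:--)?[ \t]*(?:\r\n|$)")
    chunks = delim.split(body)  # preamble, part 1, part 2, epilogue
    if len(chunks) != 4:
        raise ValueError("expected exactly two body parts")
    signed, sig_part = chunks[1], message_from_bytes(chunks[2])
    if sig_part.get_content_type() != "application/pgp-signature":
        raise ValueError("second part is not a PGP signature")
    # Signed data keeps its own MIME headers; the signature part is decoded.
    return signed, sig_part.get_payload(decode=True)
```

Writing the two returned byte strings to files (for example `msg.signed` and `msg.sig`) lets `gpg --verify msg.sig msg.signed` check the signature against exactly the bytes that were signed.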