Trusted key problem with GPG 1.0.1

Werner Koch
Thu May 16 09:03:01 2002

On Wed, 15 May 2002 22:48:59 -0400, LW  said:

> they had installed GPG.  Then, to my disappointment, I learned it was
> only v. 1.0.1.

There are some security problems with 1.0.1 - you don't want to use it
all.  Please write to that provider and ask them why they are running
an insecure system; if they are not updating software like GnuPG it is
very likely that they do also run exploitbable servers and CGIs.

Noteworthy changes in version 1.0.4 (2000-10-17)

    * Fixed a serious bug which could lead to false signature verification
      results when more than one signature is fed to gpg.  This is the
      primary reason for releasing this version.

Noteworthy changes in version 1.0.5 (2001-04-29)

    * WARNING: Corrected hash calculation for input data larger than
      512M - it was just wrong, so you might notice bad signature in
      some very big files.  It may be wise to keep an old copy of
      GnuPG around.

Noteworthy changes in version 1.0.6 (2001-05-29)

    * Security fix for a format string bug in the tty code.

    * Fixed format string bugs in all PO files. 

And you might also want to check whether the zlib bug has been fixed;
this is exploitable unless gnupg was build with --enable-m-guard.