Trusted key problem with GPG 1.0.1

Werner Koch wk@gnupg.org
Thu May 16 09:03:01 2002


On Wed, 15 May 2002 22:48:59 -0400, LW  said:

> they had installed GPG.  Then, to my disappointment, I learned it was
> only v. 1.0.1.

There are some security problems with 1.0.1 - you don't want to use it
at all.  Please write to that provider and ask them why they are running
an insecure system; if they are not updating software like GnuPG it is
very likely that they also run exploitable servers and CGIs.

Noteworthy changes in version 1.0.4 (2000-10-17)
------------------------------------------------

    * Fixed a serious bug which could lead to false signature verification
      results when more than one signature is fed to gpg.  This is the
      primary reason for releasing this version.

Noteworthy changes in version 1.0.5 (2001-04-29)
------------------------------------------------

    * WARNING: Corrected hash calculation for input data larger than
      512M - it was just wrong, so you might notice bad signature in
      some very big files.  It may be wise to keep an old copy of
      GnuPG around.

Noteworthy changes in version 1.0.6 (2001-05-29)
------------------------------------------------

    * Security fix for a format string bug in the tty code.

    * Fixed format string bugs in all PO files. 


And you might also want to check whether the zlib bug has been fixed;
this is exploitable unless gnupg was built with --enable-m-guard.


   Werner
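As an added example, not part of Werner's message or of GnuPG's own code: a POSIX shell gate that refuses a gpg binary older than 1.0.6, the last NEWS entry quoted above, so the signature-verification and format string bugs listed there are never hit silently. The function names, the minimum-version constant and the sample banner strings are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: refuse GnuPG releases that
# still carry the bugs listed in the quoted NEWS entries (false signature
# verification with several signatures, wrong hashes over 512M, format
# string bugs).  MIN_GPG_VERSION is taken from the last quoted entry.

MIN_GPG_VERSION="1.0.6"

# version_ge A B: return 0 if dotted version A >= B, comparing numeric
# components left to right; missing components count as 0 (1.0 == 1.0.0).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ac="${a%%.*}"; bc="${b%%.*}"
        [ "$ac" = "$a" ] && a="" || a="${a#*.}"
        [ "$bc" = "$b" ] && b="" || b="${b#*.}"
        ac="${ac:-0}"; bc="${bc:-0}"
        if [ "$ac" -gt "$bc" ]; then return 0; fi
        if [ "$ac" -lt "$bc" ]; then return 1; fi
    done
    return 0
}

# gpg_version_from_banner LINE: extract "x.y.z" from the first line of
# "gpg --version", e.g. "gpg (GnuPG) 1.0.1" -> "1.0.1"; prints nothing
# if the line does not look like a GnuPG banner.
gpg_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^gpg (GnuPG) \([0-9][0-9.]*\).*/\1/p'
}

# gpg_banner_ok LINE: return 0 only if the banner reports a version at or
# above MIN_GPG_VERSION.  An unparseable banner is treated as unsafe.
gpg_banner_ok() {
    v=$(gpg_version_from_banner "$1")
    [ -n "$v" ] || return 1
    version_ge "$v" "$MIN_GPG_VERSION"
}

# Stand-alone use against whatever gpg is on PATH (skipped if none).
if command -v gpg >/dev/null 2>&1; then
    banner=$(gpg --version 2>/dev/null | head -n 1)
    if gpg_banner_ok "$banner"; then
        echo "OK: $banner"
    else
        echo "REFUSE: '$banner' is older than GnuPG $MIN_GPG_VERSION" >&2
    fi
fi
```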