[Announce] [security fix] GnuPG 1.4.15 released
mirimir
mirimir at riseup.net
Sun Oct 6 04:09:33 CEST 2013
On 10/05/2013 08:56 AM, Werner Koch wrote:
> Hello!
>
> We are pleased to announce the availability of a new stable GnuPG-1
> release: Version 1.4.15. This is a *security fix* release and all users
> are advised to update to this version. See below for the impact of the
> problem.
I'm using Thunderbird with Enigmail. Enigmail is at 1.5.2
(20130913-2148) and gpg is at 1.4.11. Is it best to wait for Enigmail to
update, or to update gpg manually?
> The GNU Privacy Guard (GnuPG) is GNU's tool for secure communication
> and data storage. It is a complete and free replacement of PGP and
> can be used to encrypt data and to create digital signatures. It
> includes an advanced key management facility, smartcard support and is
> compliant with the OpenPGP Internet standard as described by RFC-4880.
>
> Note that this version is from the GnuPG-1 series and thus smaller than
> those from the GnuPG-2 series, easier to build, and also more portable
> to ancient platforms. In contrast to GnuPG-2 (e.g. version 2.0.22) it
> comes with no support for S/MIME, Secure Shell, or other tools useful
> for desktop environments. Fortunately you may install both versions
> alongside on the same system without any conflict.
>
>
> What's New
> ===========
>
> * Fixed possible infinite recursion in the compressed packet
> parser. [CVE-2013-4402]
>
> * Protect against rogue keyservers sending secret keys.
>
> * Use 2048 bit also as default for batch key generation.
>
> * Minor bug fixes.
>
>
> Impact of the security problem
> ==============================
>
> Special crafted input data may be used to cause a denial of service
> against GPG (GnuPG's OpenPGP part) and some other OpenPGP
> implementations. All systems using GPG to process incoming data are
> affected.
>
> Taylor R. Campbell invented a neat trick to generate OpenPGP packages
> to force GPG to recursively parse certain parts of OpenPGP messages ad
> infinitum. As a workaround a tight "ulimit -v" setting may be used to
> mitigate the problem. Sample input data to trigger this problem has
> not yet been seen in the wild. Details of the attack will eventually
> be published by its inventor.
>
> A fixed release of the GnuPG 2.0 series has also been released.
>
>
> Getting the Software
> ====================
>
> First of all, decide whether you really need GnuPG version 1.4.x - most
> users are better off with the modern GnuPG 2.0.x version. Then follow
> the instructions found at http://www.gnupg.org/download/ or read on:
>
> GnuPG 1.4.15 may be downloaded from one of the GnuPG mirror sites or
> direct from ftp://ftp.gnupg.org/gcrypt/ . The list of mirrors can be
> found at http://www.gnupg.org/mirrors.html . Note, that GnuPG is not
> available at ftp.gnu.org.
>
> On the mirrors you should find the following files in the *gnupg*
> directory:
>
> gnupg-1.4.15.tar.bz2 (3569k)
> gnupg-1.4.15.tar.bz2.sig
>
> GnuPG source compressed using BZIP2 and OpenPGP signature.
>
> gnupg-1.4.15.tar.gz (4948k)
> gnupg-1.4.15.tar.gz.sig
>
> GnuPG source compressed using GZIP and OpenPGP signature.
>
> gnupg-1.4.14-1.4.15.diff.bz2 (37k)
>
> A patch file to upgrade a 1.4.14 GnuPG source tree. This patch
> does not include updates of the language files.
>
> Select one of them. To shorten the download time, you probably want to
> get the BZIP2 compressed file. Please try another mirror if, exceptionally,
> your mirror is not yet up to date.
>
> In the *binary* directory, you should find these files:
>
> gnupg-w32cli-1.4.15.exe (1568k)
> gnupg-w32cli-1.4.15.exe.sig
>
> GnuPG compiled for Microsoft Windows and OpenPGP signature.
> This is a command line only version; the source files are the
> same as given above. Note, that this is a minimal installer and
> unless you are just in need of the gpg binary, you are better
> off using the full featured installer at http://www.gpg4win.org .
> An updated version of gpg4win is scheduled for next week.
>
>
> Checking the Integrity
> ======================
>
> In order to check that the version of GnuPG which you are going to
> install is an original and unmodified one, you can do it in one of
> the following ways:
>
> * If you already have a trusted version of GnuPG installed, you
> can simply check the supplied signature. For example to check the
> signature of the file gnupg-1.4.15.tar.bz2 you would use this command:
>
> gpg --verify gnupg-1.4.15.tar.bz2.sig
>
> This checks whether the signature file matches the source file.
> You should see a message indicating that the signature is good and
> made by that signing key. Make sure that you have the right key,
> either by checking the fingerprint of that key with other sources
> or by checking that the key has been signed by a trustworthy other
> key. Note, that you can retrieve the signing key using the command
>
> finger wk ,at' g10code.com | gpg --import
>
> or using a keyserver like
>
> gpg --recv-key 4F25E3B6
>
> The distribution key 4F25E3B6 is signed by the well known key
> 1E42B367. If you get a key expired message, you should retrieve a
> fresh copy as the expiration date might have been prolonged.
>
> NEVER USE A GNUPG VERSION YOU JUST DOWNLOADED TO CHECK THE
> INTEGRITY OF THE SOURCE - USE AN EXISTING GNUPG INSTALLATION!
>
> * If you are not able to use an old version of GnuPG, you have to verify
> the SHA-1 checksum. Assuming you downloaded the file
> gnupg-1.4.14.tar.bz2, you would run the sha1sum command like this:
>
> sha1sum gnupg-1.4.15.tar.bz2
>
> and check that the output matches the first line from the
> following list:
>
> 63ebf0ab375150903c65738070e4105200197fd4 gnupg-1.4.15.tar.bz2
> 2881c8174c15bb86ecf2e879cb7ca22c91fbcf93 gnupg-1.4.15.tar.gz
> 0e3a593da55be0fb9a556513ce034e13677e5ebc gnupg-1.4.14-1.4.15.diff.bz2
> 1adda83f3eda5a2ac6d362c294e31fbb529a03e4 gnupg-w32cli-1.4.15.exe
>
>
> Internationalization
> ====================
>
> GnuPG comes with support for 29 languages. The Chinese (Simple and
> Traditional), Czech, Danish, Dutch, French, German, Norwegian, Polish,
> Romanian, Russian, Spanish, Swedish, Ukrainian, and Turkish translations
> are close to being complete.
>
>
> Support
> =======
>
> A listing with commercial support offers for GnuPG is available at:
>
> http://www.gnupg.org/service.html
>
> The driving force behind the development of GnuPG is the company of its
> principal author, Werner Koch. Maintenance and improvement of GnuPG and
> related software take up most of their resources. To allow them to
> continue their work they ask to either purchase a support contract,
> engage them for custom enhancements, or to donate money:
>
> http://g10code.com/gnupg-donation.html
>
>
>
> Thanks
> ======
>
> We have to thank all the people who helped with this release, be it
> testing, coding, translating, suggesting, auditing, donating money,
> spreading the word, or answering questions on the mailing lists.
>
>
>
> Happy Hacking,
>
> The GnuPG Team
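The recursion problem the announcement describes (compressed packets parsed into compressed packets without bound) and the defensive idea behind the fix, as an added example that is not GnuPG's code: a toy parser for new-format OpenPGP packets that handles only zlib-compressed data (tag 8) and literal data (tag 11) and stops at a fixed nesting depth instead of following however many layers the input supplies. MAX_NESTING is an assumed value, and the nested() builder constructs the sample input inline.

```python
import zlib

MAX_NESTING = 4  # assumption: a cap far above what any legitimate message needs
TAG_COMPRESSED, TAG_LITERAL, ZLIB_ALGO = 8, 11, 2

def packet(tag, body):
    """New-format packet header (RFC 4880 4.2.2) with a 1- or 2-octet length."""
    n = len(body)
    if n < 192:
        return bytes([0xC0 | tag, n]) + body
    n -= 192
    return bytes([0xC0 | tag, (n >> 8) + 192, n & 0xFF]) + body  # n < 8192

def nested(text, levels):
    """Constructed input: a literal packet wrapped in `levels` compressed packets."""
    msg = packet(TAG_LITERAL, b"b\x00" + b"\x00" * 4 + text)  # format, no name, date
    for _ in range(levels):
        msg = packet(TAG_COMPRESSED, bytes([ZLIB_ALGO]) + zlib.compress(msg))
    return msg

def parse(data, depth=0):
    """Return literal payloads; descend into compressed packets only up to MAX_NESTING."""
    if depth > MAX_NESTING:
        raise ValueError("compressed packets nested deeper than %d" % MAX_NESTING)
    out, pos = [], 0
    while pos < len(data):
        tag, first = data[pos] & 0x3F, data[pos + 1]  # assumes new-format headers
        if first < 192:
            length, pos = first, pos + 2
        elif first < 224:
            length, pos = ((first - 192) << 8) + data[pos + 2] + 192, pos + 3
        else:
            raise ValueError("unsupported length encoding")
        body, pos = data[pos:pos + length], pos + length
        if tag == TAG_COMPRESSED:
            if body[:1] != bytes([ZLIB_ALGO]):
                raise ValueError("unsupported compression algorithm")
            out.extend(parse(zlib.decompress(body[1:]), depth + 1))  # bounded recursion
        elif tag == TAG_LITERAL:
            out.append(body[6:])  # skip format byte, name length, 4-byte date
        else:
            raise ValueError("unexpected packet tag %d" % tag)
    return out

def rejected(data):
    """True when the parser refuses the message rather than recursing further."""
    try:
        return parse(data) is None
    except ValueError:
        return True
```

A "ulimit -v" workaround, as the announcement suggests, bounds the damage from the outside; the depth cap above removes the unbounded recursion itself.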