[Announce] [security fix] GnuPG 1.4.15 released

mirimir mirimir at riseup.net
Sun Oct 6 04:09:33 CEST 2013


On 10/05/2013 08:56 AM, Werner Koch wrote:

> Hello!
>     
> We are pleased to announce the availability of a new stable GnuPG-1
> release: Version 1.4.15.  This is a *security fix* release and all users
> are advised to update to this version.  See below for the impact of the
> problem.

I'm using Thunderbird with Enigmail. Enigmail is at 1.5.2
(20130913-2148) and gpg is at 1.4.11. Is it best to wait for Enigmail to
update, or to update gpg manually?

> The GNU Privacy Guard (GnuPG) is GNU's tool for secure communication
> and data storage.  It is a complete and free replacement of PGP and
> can be used to encrypt data and to create digital signatures.  It
> includes an advanced key management facility, smartcard support and is
> compliant with the OpenPGP Internet standard as described by RFC-4880.
> 
> Note that this version is from the GnuPG-1 series and thus smaller than
> those from the GnuPG-2 series, easier to build, and also more portable
> to ancient platforms.  In contrast to GnuPG-2 (e.g. version 2.0.22) it
> comes with no support for S/MIME, Secure Shell, or other tools useful
> for desktop environments.  Fortunately you may install both versions
> alongside on the same system without any conflict.
> 
> 
> What's New
> ===========
> 
>   * Fixed possible infinite recursion in the compressed packet
>     parser. [CVE-2013-4402]
> 
>   * Protect against rogue keyservers sending secret keys.
> 
>   * Use 2048 bit also as default for batch key generation.
> 
>   * Minor bug fixes.
> 
> 
> Impact of the security problem
> ==============================
> 
> Special crafted input data may be used to cause a denial of service
> against GPG (GnuPG's OpenPGP part) and some other OpenPGP
> implementations.  All systems using GPG to process incoming data are
> affected.
> 
> Taylor R. Campbell invented a neat trick to generate OpenPGP packages
> to force GPG to recursively parse certain parts of OpenPGP messages ad
> infinitum.  As a workaround a tight "ulimit -v" setting may be used to
> mitigate the problem.  Sample input data to trigger this problem has
> not yet been seen in the wild.  Details of the attack will eventually
> be published by its inventor.
> 
> A fixed release of the GnuPG 2.0 series has also been released.
> 
> 
> Getting the Software
> ====================
> 
> First of all, decide whether you really need GnuPG version 1.4.x - most
> users are better off with the modern GnuPG 2.0.x version.  Then follow
> the instructions found at http://www.gnupg.org/download/ or read on:
> 
> GnuPG 1.4.15 may be downloaded from one of the GnuPG mirror sites or
> direct from ftp://ftp.gnupg.org/gcrypt/ .  The list of mirrors can be
> found at http://www.gnupg.org/mirrors.html .  Note, that GnuPG is not
> available at ftp.gnu.org.
> 
> On the mirrors you should find the following files in the *gnupg*
> directory:
> 
>   gnupg-1.4.15.tar.bz2 (3569k)
>   gnupg-1.4.15.tar.bz2.sig
> 
>       GnuPG source compressed using BZIP2 and OpenPGP signature.
> 
>   gnupg-1.4.15.tar.gz (4948k)
>   gnupg-1.4.15.tar.gz.sig
> 
>       GnuPG source compressed using GZIP and OpenPGP signature.
> 
>   gnupg-1.4.14-1.4.15.diff.bz2 (37k)
> 
>       A patch file to upgrade a 1.4.14 GnuPG source tree.  This patch
>       does not include updates of the language files.
> 
> Select one of them. To shorten the download time, you probably want to
> get the BZIP2 compressed file.  Please try another mirror if, exceptionally,
> your mirror is not yet up to date.
> 
> In the *binary* directory, you should find these files:
> 
>   gnupg-w32cli-1.4.15.exe (1568k)
>   gnupg-w32cli-1.4.15.exe.sig
> 
>       GnuPG compiled for Microsoft Windows and OpenPGP signature.
>       This is a command line only version; the source files are the
>       same as given above.  Note, that this is a minimal installer and
>       unless you are just in need for the gpg binary, you are better
>       off using the full featured installer at http://www.gpg4win.org .
>       An updated version of gpg4win is scheduled for next week.
> 
> 
> Checking the Integrity
> ======================
> 
> In order to check that the version of GnuPG which you are going to
> install is an original and unmodified one, you can do it in one of
> the following ways:
> 
>  * If you already have a trusted version of GnuPG installed, you
>    can simply check the supplied signature.  For example to check the
>    signature of the file gnupg-1.4.15.tar.bz2 you would use this command:
> 
>      gpg --verify gnupg-1.4.15.tar.bz2.sig
> 
>    This checks whether the signature file matches the source file.
>    You should see a message indicating that the signature is good and
>    made by that signing key.  Make sure that you have the right key,
>    either by checking the fingerprint of that key with other sources
>    or by checking that the key has been signed by a trustworthy other
>    key.  Note, that you can retrieve the signing key using the command
> 
>      finger wk ,at' g10code.com | gpg --import
> 
>    or using a keyserver like
> 
>      gpg --recv-key 4F25E3B6
> 
>    The distribution key 4F25E3B6 is signed by the well known key
>    1E42B367.  If you get a key expired message, you should retrieve a
>    fresh copy as the expiration date might have been prolonged.
> 
>    NEVER USE A GNUPG VERSION YOU JUST DOWNLOADED TO CHECK THE
>    INTEGRITY OF THE SOURCE - USE AN EXISTING GNUPG INSTALLATION!
> 
>  * If you are not able to use an old version of GnuPG, you have to verify
>    the SHA-1 checksum.  Assuming you downloaded the file
>    gnupg-1.4.14.tar.bz2, you would run the sha1sum command like this:
> 
>      sha1sum gnupg-1.4.15.tar.bz2
> 
>    and check that the output matches the first line from the
>    following list:
> 
> 63ebf0ab375150903c65738070e4105200197fd4  gnupg-1.4.15.tar.bz2
> 2881c8174c15bb86ecf2e879cb7ca22c91fbcf93  gnupg-1.4.15.tar.gz
> 0e3a593da55be0fb9a556513ce034e13677e5ebc  gnupg-1.4.14-1.4.15.diff.bz2
> 1adda83f3eda5a2ac6d362c294e31fbb529a03e4  gnupg-w32cli-1.4.15.exe
> 
> 
> Internationalization
> ====================
> 
> GnuPG comes with support for 29 languages.  The Chinese (Simplified and
> Traditional), Czech, Danish, Dutch, French, German, Norwegian, Polish,
> Romanian, Russian, Spanish, Swedish, Ukrainian, and Turkish translations
> are close to being complete.
> 
> 
> Support
> =======
> 
> A listing with commercial support offers for GnuPG is available at:
> 
>   http://www.gnupg.org/service.html
> 
> The driving force behind the development of GnuPG is the company of its
> principal author, Werner Koch.  Maintenance and improvement of GnuPG and
> related software take up most of their resources.  To allow them to
> continue their work they ask to either purchase a support contract,
> engage them for custom enhancements, or to donate money:
> 
>   http://g10code.com/gnupg-donation.html
> 
> 
> 
> Thanks
> ======
> 
> We have to thank all the people who helped with this release, be it
> testing, coding, translating, suggesting, auditing, donating money,
> spreading the word, or answering questions on the mailing lists.
> 
> 
> 
> Happy Hacking,
> 
>   The GnuPG Team
> 
> 
> 
> 
> _______________________________________________
> Gnupg-announce mailing list
> Gnupg-announce at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-announce
> 
> 
> 
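The two verification paths from the quoted "Checking the Integrity" section (detached signature with an already trusted gpg, or SHA-1 against the published list), with the "ulimit -v" workaround the announcement suggests for the CVE-2013-4402 input applied to the gpg call, as an added shell example that is not part of the announcement or the reply. It assumes sha1sum or shasum is installed and that the trusted gpg already holds the distribution key; the 256 MB address-space cap and the sample file names are assumed values, not from the announcement.

```shell
#!/bin/sh
# Added example: check a downloaded GnuPG release archive before installing it.

# Compute the SHA-1 of a file with sha1sum (coreutils) or shasum (BSD/macOS).
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    else
        shasum -a 1 "$1" | cut -d' ' -f1
    fi
}

# check_sha1 LISTFILE FILE: return 0 only if FILE's SHA-1 equals the value
# listed for its basename in LISTFILE, which uses the announcement's
# "hash  filename" line format.  Returns 1 on mismatch, 2 if FILE is unlisted.
check_sha1() {
    list=$1; file=$2
    expected=$(awk -v f="$(basename "$file")" '$2 == f { print $1; exit }' "$list")
    [ -n "$expected" ] || return 2
    actual=$(sha1_of "$file")
    [ "$actual" = "$expected" ]
}

# verify_sig SIGFILE: verify the detached signature with the EXISTING trusted
# gpg (never the one just downloaded).  The subshell caps the address space
# (256 MB, an assumed value) so a malformed .sig cannot exhaust memory the way
# the CVE-2013-4402 recursion does; the announcement names "ulimit -v" as the
# workaround for exactly this.
verify_sig() {
    ( ulimit -v 262144 && gpg --verify "$1" )
}

# verify_release LISTFILE ARCHIVE: checksum first, then signature, so gpg only
# ever parses a file whose hash already matched the published list.
verify_release() {
    check_sha1 "$1" "$2" || { echo "SHA-1 mismatch or unlisted: $2" >&2; return 1; }
    verify_sig "$2.sig"
}

# Usage (names assumed): verify_release sha1-list.txt gnupg-1.4.15.tar.bz2
```

Both checks together still only prove the file is the one the project published; the fingerprint check against an independent source, as the announcement insists, is what makes the signing key itself trustworthy.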
