[Announce] [security fix] Libgcrypt and GnuPG
Pete Stephenson
pete at heypete.com
Fri Aug 8 23:34:30 CEST 2014
On Fri, Aug 8, 2014 at 12:17 PM, Werner Koch <wk at gnupg.org> wrote:
> Hi!
>
> While evaluating the "Get Your Hands Off My Laptop" [1] paper I failed
> to describe [2] a software combination which has not been fixed and is
> thus vulnerable to the attack described by the paper. If you are using
> a GnuPG version with a *Libgcrypt version < 1.6.0*, it is possible to
> mount the described side-channel attack on Elgamal encryption subkeys.
> To check whether you are using a vulnerable Libgcrypt version, enter
>
> gpg2 --version
>
> on the command line; the second line of the output gives the Libgcrypt
> version:
>
> gpg (GnuPG) 2.0.25
> libgcrypt 1.5.3
>
> In this example Libgcrypt is vulnerable. If you see 1.6.0 or 1.6.1 you
> are fine. GnuPG versions since 1.4.16 are not affected because they do
> not use Libgcrypt.
Does this vulnerability apply to gpg4win users?
There have been no gpg4win updates since October of 2013 and there have
been several updates of GnuPG since then. I am somewhat concerned.
Is there any information about when an update for Windows users might
be released?
Cheers!
-Pete
--
Pete Stephenson
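
The version check described in the quoted advisory, scripted as an added example that is not part of the original messages or of GnuPG. The function names and verdict strings are this example's own, and treating "since 1.4.16" as referring to the 1.4 branch is this example's reading of the advisory.

```shell
#!/bin/sh
# Added example: classify `gpg2 --version` output against the advisory's rule
# (Libgcrypt < 1.6.0 is vulnerable). Names and verdict strings are hypothetical.

# version_lt A B: succeeds when dotted numeric version A is lower than B.
# Fields are compared numerically, so 1.4.9 sorts below 1.4.16.
version_lt() {
    [ "$1" = "$2" ] && return 1
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$1" ]
}

# classify_gpg_version: reads `gpg --version` / `gpg2 --version` text on stdin
# and prints one verdict line. Any suffix after the dotted number is ignored.
classify_gpg_version() {
    out=$(cat)
    gnupg=$(printf '%s\n' "$out" | sed -n '1s/^gpg (GnuPG) \([0-9][0-9.]*\).*/\1/p')
    libgcrypt=$(printf '%s\n' "$out" | sed -n 's/^libgcrypt \([0-9][0-9.]*\).*/\1/p' | head -n 1)

    if [ -n "$libgcrypt" ]; then
        if version_lt "$libgcrypt" 1.6.0; then
            echo "vulnerable: libgcrypt $libgcrypt < 1.6.0"
        else
            echo "ok: libgcrypt $libgcrypt"
        fi
    else
        # No libgcrypt line. Assumption: the advisory's "since 1.4.16" means
        # the 1.4 branch, which does not link against Libgcrypt.
        case "$gnupg" in
            1.4.*)
                if ! version_lt "$gnupg" 1.4.16; then
                    echo "ok: GnuPG $gnupg does not use Libgcrypt"
                    return 0
                fi ;;
        esac
        echo "undetermined: no libgcrypt line found"
    fi
}

# Sample input: the two lines of output shown in the advisory.
printf 'gpg (GnuPG) 2.0.25\nlibgcrypt 1.5.3\n' | classify_gpg_version
```

To check an installed binary, pipe its output in: `gpg2 --version | classify_gpg_version`.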