[Announce] GnuPG 2.1.0 "modern" released

Werner Koch wk at gnupg.org
Mon Nov 10 09:48:28 CET 2014


On Fri,  7 Nov 2014 22:21, sinic at sinic.name said:

> Invoking GnuPG that way is insecure without knowing the contents of the
> signature file. An attacker could have replaced it by something that's
> not, in fact, a detached signature.

I guess that this bug exists at least since 1.0.4 and I consider this a
serious flaw.  I am thinking about a proper solution which limts
breakage.

As a quick minimal fix I changed the instructions on the website.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




More information about the Gnupg-users mailing list