How to detect patched versus bugged gpg binary
mike at confidantmail.org
Tue Sep 6 06:43:13 CEST 2016
Question about GPG versions:
Due to CVE-2016-6313, I put out a new version of Confidant Mail where
the Windows and Mac binaries include GPG 1.4.21.
I also put in a pop-up dialog to warn if someone uses it with a
pre-1.4.21 version of GPG. However, Debian and Tails 2.6rc1
have patched 1.4.18 instead of using 1.4.21, and gpg --version does not
show the patch level. Is there any call to gpg that will
display the Debian patch level and tell me if the version I'm using is
fixed or not?
If not, I'm either going to have to remove the pop-up warning, or rely
on calling dpkg to ask the version.
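An added example, not part of the original message and not Confidant Mail's code: one way to implement the dpkg fallback mentioned above, so the warning fires only when neither the upstream version nor the package version shows the fix. The package name "gnupg" and the FIXED_DEB_VERSION setting are assumptions; the fixed package version is not given in the message and has to come from the distribution's security advisory.

```python
import re
import shutil
import subprocess

FIXED_UPSTREAM = (1, 4, 21)   # release the message names as carrying the fix
FIXED_DEB_VERSION = None      # assumption: fill in from the distro's security advisory

def parse_gpg_version(output):
    """Version tuple from the first line of `gpg --version`, or None."""
    m = re.match(r"gpg \(GnuPG\) (\d+)\.(\d+)\.(\d+)", output)
    return tuple(map(int, m.groups())) if m else None

def dpkg_package_version(package="gnupg"):
    """Installed package version string, or None when dpkg is not in use."""
    if shutil.which("dpkg-query") is None:
        return None
    r = subprocess.run(["dpkg-query", "-W", "--showformat=${Version}", package],
                       capture_output=True, text=True)
    return (r.stdout.strip() or None) if r.returncode == 0 else None

def dpkg_at_least(installed, fixed):
    """Let dpkg apply Debian version ordering (epochs, '+debNuM' style suffixes)."""
    return subprocess.run(["dpkg", "--compare-versions", installed, "ge", fixed]).returncode == 0

def classify(gpg_output, deb_version=None, fixed_deb=FIXED_DEB_VERSION, at_least=dpkg_at_least):
    """Return 'fixed', 'vulnerable' or 'unknown' for a 1.4.x gpg binary."""
    ver = parse_gpg_version(gpg_output)
    if ver is None or ver[:2] != (1, 4):
        return "unknown"              # only the 1.4 branch is covered here
    if ver >= FIXED_UPSTREAM:
        return "fixed"
    if deb_version is None:
        return "vulnerable"           # old upstream version, not a dpkg-managed package
    if fixed_deb is None:
        return "unknown"              # distro may have backported; cannot tell
    return "fixed" if at_least(deb_version, fixed_deb) else "vulnerable"

if __name__ == "__main__":
    out = subprocess.run(["gpg", "--version"], capture_output=True, text=True).stdout
    print(classify(out, dpkg_package_version()))
```

The dpkg answer describes the installed package, so it is only meaningful when the gpg being called is the packaged binary rather than a bundled or locally built one.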