mirror of git://git.gnupg.org/gnupg.git synced 2025-01-21 14:47:03 +01:00

Post release updates.

--
This commit is contained in:
Werner Koch 2013-10-04 20:33:14 +02:00
parent 210546ff68
commit 3544beff86
3 changed files with 42 additions and 23 deletions

NEWS
View File

@ -1,3 +1,7 @@
Noteworthy changes in version 2.0.23 (unreleased)
-------------------------------------------------
Noteworthy changes in version 2.0.22 (2013-10-04)
-------------------------------------------------

View File

@ -5,7 +5,9 @@ Mail-Followup-To: gnupg-users@gnupg.org
Hello!
We are pleased to announce the availability of a new stable GnuPG-2
release: Version 2.0.21.
release: Version 2.0.22. This is a *security fix* release and all
users are advised to updated to this version. See below for the
impact of the problem.
The GNU Privacy Guard (GnuPG) is GNU's tool for secure communication
and data storage. It can be used to encrypt data, create digital
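Review bot: typo in the newly added advisory sentence, "all users are advised to updated to this version" should read "advised to update to this version". Since this paragraph is the part of the announcement that tells people a security fix exists, it is worth correcting before the mail goes out.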
@ -29,23 +31,36 @@ GnuPG is distributed under the terms of the GNU General Public License
also available for other Unices, Microsoft Windows and Mac OS X.
What's New in 2.0.21
What's New in 2.0.22
====================
* gpg-agent: By default the users are now asked via the Pinentry
whether they trust an X.509 root key. To prohibit interactive
marking of such keys, the new option --no-allow-mark-trusted may
be used.
* Fixed possible infinite recursion in the compressed packet
parser. [CVE-2013-4402]
* gpg-agent: The command KEYINFO has options to add info from
sshcontrol.
* Improved support for some card readers.
* The included ssh agent does now support ECDSA keys.
* Prepared building with the forthcoming Libgcrypt 1.6.
* The new option --enable-putty-support allows gpg-agent to act on
Windows as a Pageant replacement with full smartcard support.
* Protect against rogue keyservers sending secret keys.
Impact of the security problem
==============================
Special crafted input data may be used to cause a denial of service
against GPG (GnuPG's OpenPGP part) and some other OpenPGP
implementations. All systems using GPG to process incoming data are
affected.
Taylor R Campbell invented a neat trick to generate OpenPGP packages
to force GPG to recursively parse certain parts of OpenPGP messages ad
infinitum. As a workaround a tight "ulimit -v" setting may be used to
mitigate the problem. Sample input data to trigger this problem has
not yet been seen in the wild. Details of the attack will eventually
be published by its inventor.
A fixed release of the GnuPG 1.4 series will be releases soon.
* Support installation as portable application under Windows.
Getting the Software
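Review bot: the new "Impact of the security problem" section is inserted before the last item of the "What's New in 2.0.22" list, so "* Support installation as portable application under Windows." now appears below the impact paragraphs instead of with the other bullets; move that bullet above the "Impact of the security problem" heading. Two wording issues in the same block: "A fixed release of the GnuPG 1.4 series will be releases soon" should be "released", and "to generate OpenPGP packages" should presumably be "OpenPGP packets", matching the "compressed packet parser" wording of the CVE-2013-4402 item. The "ulimit -v" workaround is worth keeping in the text, since bounding the address space of the gpg process is the only interim mitigation available to users who cannot upgrade immediately.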
@ -54,7 +69,7 @@ Getting the Software
Please follow the instructions found at http://www.gnupg.org/download/
or read on:
GnuPG 2.0.21 may be downloaded from one of the GnuPG mirror sites or
GnuPG 2.0.22 may be downloaded from one of the GnuPG mirror sites or
direct from ftp://ftp.gnupg.org/gcrypt/gnupg/ . The list of mirrors
can be found at http://www.gnupg.org/mirrors.html . Note, that GnuPG
is not available at ftp.gnu.org.
@ -62,12 +77,12 @@ is not available at ftp.gnu.org.
On the FTP server and its mirrors you should find the following files
in the gnupg/ directory:
gnupg-2.0.21.tar.bz2 (4200k)
gnupg-2.0.21.tar.bz2.sig
gnupg-2.0.22.tar.bz2 (4200k)
gnupg-2.0.22.tar.bz2.sig
GnuPG source compressed using BZIP2 and OpenPGP signature.
gnupg-2.0.20-2.0.21.diff.bz2 (39k)
gnupg-2.0.20-2.0.22.diff.bz2 (39k)
A patch file to upgrade a 2.0.20 GnuPG source tree. This patch
does not include updates of the language files.
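Review bot: the patch file name and its description in this hunk do not agree with the checksum list further down in the same file. Here the file is "gnupg-2.0.20-2.0.22.diff.bz2", described as upgrading "a 2.0.20 GnuPG source tree", while the SHA-1 list names "gnupg-2.0.21-2.0.22.diff.bz2". If the diff was produced against 2.0.21, both the file name and the "2.0.20 GnuPG source tree" sentence need to be updated. The sizes "(4200k)" and "(39k)" were also carried over unchanged from the 2.0.21 text and should be checked against the actual release artifacts.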
@ -84,9 +99,9 @@ the following ways:
* If you already have a trusted version of GnuPG installed, you
can simply check the supplied signature. For example to check the
signature of the file gnupg-2.0.21.tar.bz2 you would use this command:
signature of the file gnupg-2.0.22.tar.bz2 you would use this command:
gpg --verify gnupg-2.0.21.tar.bz2.sig
gpg --verify gnupg-2.0.22.tar.bz2.sig
This checks whether the signature file matches the source file.
You should see a message indicating that the signature is good and
@ -109,15 +124,15 @@ the following ways:
* If you are not able to use an old version of GnuPG, you have to verify
the SHA-1 checksum. Assuming you downloaded the file
gnupg-2.0.21.tar.bz2, you would run the sha1sum command like this:
gnupg-2.0.22.tar.bz2, you would run the sha1sum command like this:
sha1sum gnupg-2.0.21.tar.bz2
sha1sum gnupg-2.0.22.tar.bz2
and check that the output matches the first line from the
following list:
5ba8cce72eb4fd1a3ac1a282d25d7c7b90d3bf26 gnupg-2.0.21.tar.bz2
cd94a6267088eeff4735641b1fc832a1e6770ba3 gnupg-2.0.20-2.0.21.diff.bz2
9ba9ee288e9bf813e0f1e25cbe06b58d3072d8b8 gnupg-2.0.22.tar.bz2
6cc51b14ed652fe7eadae25ec7cdaa6f63377525 gnupg-2.0.21-2.0.22.diff.bz2
Documentation
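Review bot: the second checksum line names "gnupg-2.0.21-2.0.22.diff.bz2", which does not match the "gnupg-2.0.20-2.0.22.diff.bz2" listed in the download section above; whichever name is right, a user following the instructions literally will get a "No such file" error from sha1sum for one of them. The surrounding text says to compare against "the first line from the following list", so the tarball entry must remain first, as it does here. Note that the checksums are only as trustworthy as the channel the announcement arrives on, which is why the earlier "gpg --verify gnupg-2.0.22.tar.bz2.sig" path with an already trusted GnuPG is the recommended check and the SHA-1 list is the fallback.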

View File

@ -26,7 +26,7 @@ min_automake_version="1.10"
# (git tag -s gnupg-2.n.m) and run "./autogen.sh --force". Please
# bump the version number immediately *after* the release and do
# another commit and push so that the git magic is able to work.
m4_define([mym4_version], [2.0.22])
m4_define([mym4_version], [2.0.23])
# Below is m4 magic to extract and compute the git revision number,
# the decimalized short revision number, a beta version string and a