From 3544beff86b324a855eb5a927673f12d74651889 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Fri, 4 Oct 2013 20:33:14 +0200 Subject: [PATCH] Post release updates. -- --- NEWS | 4 ++++ announce.txt | 59 ++++++++++++++++++++++++++++++++-------------------- configure.ac | 2 +- 3 files changed, 42 insertions(+), 23 deletions(-) diff --git a/NEWS b/NEWS index f38fed44d..cb53749bb 100644 --- a/NEWS +++ b/NEWS @@ -1,3 +1,7 @@ +Noteworthy changes in version 2.0.23 (unreleased) +------------------------------------------------- + + Noteworthy changes in version 2.0.22 (2013-10-04) ------------------------------------------------- diff --git a/announce.txt b/announce.txt index 27dada799..384f57505 100644 --- a/announce.txt +++ b/announce.txt @@ -5,7 +5,9 @@ Mail-Followup-To: gnupg-users@gnupg.org Hello! We are pleased to announce the availability of a new stable GnuPG-2 -release: Version 2.0.21. +release: Version 2.0.22. This is a *security fix* release and all +users are advised to updated to this version. See below for the +impact of the problem. The GNU Privacy Guard (GnuPG) is GNU's tool for secure communication and data storage. It can be used to encrypt data, create digital 
@@ -29,23 +31,36 @@ GnuPG is distributed under the terms of the GNU General Public License also available for other Unices, Microsoft Windows and Mac OS X. -What's New in 2.0.21 +What's New in 2.0.22 ==================== - * gpg-agent: By default the users are now asked via the Pinentry - whether they trust an X.509 root key. To prohibit interactive - marking of such keys, the new option --no-allow-mark-trusted may - be used. + * Fixed possible infinite recursion in the compressed packet + parser. [CVE-2013-4402] - * gpg-agent: The command KEYINFO has options to add info from - sshcontrol. + * Improved support for some card readers. - * The included ssh agent does now support ECDSA keys. + * Prepared building with the forthcoming Libgcrypt 1.6. - * The new option --enable-putty-support allows gpg-agent to act on - Windows as a Pageant replacement with full smartcard support. + * Protect against rogue keyservers sending secret keys. + + +Impact of the security problem +============================== + +Special crafted input data may be used to cause a denial of service +against GPG (GnuPG's OpenPGP part) and some other OpenPGP +implementations. All systems using GPG to process incoming data are +affected. + +Taylor R Campbell invented a neat trick to generate OpenPGP packages +to force GPG to recursively parse certain parts of OpenPGP messages ad +infinitum. As a workaround a tight "ulimit -v" setting may be used to +mitigate the problem. Sample input data to trigger this problem has +not yet been seen in the wild. Details of the attack will eventually +be published by its inventor. + +A fixed release of the GnuPG 1.4 series will be releases soon. - * Support installation as portable application under Windows. Getting the Software 
@@ -54,7 +69,7 @@ Getting the Software Please follow the instructions found at http://www.gnupg.org/download/ or read on: -GnuPG 2.0.21 may be downloaded from one of the GnuPG mirror sites or +GnuPG 2.0.22 may be downloaded from one of the GnuPG mirror sites or direct from ftp://ftp.gnupg.org/gcrypt/gnupg/ . The list of mirrors can be found at http://www.gnupg.org/mirrors.html . Note, that GnuPG is not available at ftp.gnu.org. @@ -62,12 +77,12 @@ is not available at ftp.gnu.org. On the FTP server and its mirrors you should find the following files in the gnupg/ directory: - gnupg-2.0.21.tar.bz2 (4200k) - gnupg-2.0.21.tar.bz2.sig + gnupg-2.0.22.tar.bz2 (4200k) + gnupg-2.0.22.tar.bz2.sig GnuPG source compressed using BZIP2 and OpenPGP signature. - gnupg-2.0.20-2.0.21.diff.bz2 (39k) + gnupg-2.0.20-2.0.22.diff.bz2 (39k) A patch file to upgrade a 2.0.20 GnuPG source tree. This patch does not include updates of the language files. @@ -84,9 +99,9 @@ the following ways: * If you already have a trusted version of GnuPG installed, you can simply check the supplied signature. For example to check the - signature of the file gnupg-2.0.21.tar.bz2 you would use this command: + signature of the file gnupg-2.0.22.tar.bz2 you would use this command: - gpg --verify gnupg-2.0.21.tar.bz2.sig + gpg --verify gnupg-2.0.22.tar.bz2.sig This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and 
@@ -109,15 +124,15 @@ the following ways: * If you are not able to use an old version of GnuPG, you have to verify the SHA-1 checksum. Assuming you downloaded the file - gnupg-2.0.21.tar.bz2, you would run the sha1sum command like this: + gnupg-2.0.22.tar.bz2, you would run the sha1sum command like this: - sha1sum gnupg-2.0.21.tar.bz2 + sha1sum gnupg-2.0.22.tar.bz2 and check that the output matches the first line from the following list: -5ba8cce72eb4fd1a3ac1a282d25d7c7b90d3bf26 gnupg-2.0.21.tar.bz2 -cd94a6267088eeff4735641b1fc832a1e6770ba3 gnupg-2.0.20-2.0.21.diff.bz2 +9ba9ee288e9bf813e0f1e25cbe06b58d3072d8b8 gnupg-2.0.22.tar.bz2 +6cc51b14ed652fe7eadae25ec7cdaa6f63377525 gnupg-2.0.21-2.0.22.diff.bz2 Documentation diff --git a/configure.ac b/configure.ac index 98141104b..f5d9c18e8 100644 --- a/configure.ac +++ b/configure.ac @@ -26,7 +26,7 @@ min_automake_version="1.10" # (git tag -s gnupg-2.n.m) and run "./autogen.sh --force". Please # bump the version number immediately *after* the release and do # another commit and push so that the git magic is able to work. -m4_define([mym4_version], [2.0.22]) +m4_define([mym4_version], [2.0.23]) # Below is m4 magic to extract and compute the git revision number, # the decimalized short revision number, a beta version string and a
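Review bot: typo in the rewritten opening paragraph of announce.txt (hunk @@ -5,7 +5,9): "all users are advised to updated to this version" should read "advised to update to this version". This is the first sentence recipients of a security-fix announcement read, so it is worth correcting before the mail goes out.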
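Review bot: several wording slips in the new "Impact of the security problem" section (hunk @@ -29,23 +31,36): "Special crafted input data" should be "Specially crafted input data", "generate OpenPGP packages" should be "generate OpenPGP packets" (the term the changelog bullet itself uses, "compressed packet parser"), and "will be releases soon" should be "will be released soon". Two content points as well: the impact text never ties itself to the bullet "Fixed possible infinite recursion in the compressed packet parser. [CVE-2013-4402]", so a reader cannot tell that the "recursively parse certain parts of OpenPGP messages ad infinitum" paragraph describes that CVE; one clause naming it would help. And the "tight ulimit -v" workaround deserves a sentence on what it buys: an address-space cap makes the unbounded recursion abort that gpg invocation quickly instead of exhausting host memory, but the invocation still fails, so anything that feeds untrusted data to gpg must keep handling a non-zero exit status.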
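Review bot: inconsistent patch file name in the file listing (hunk @@ -62,12 +77,12). This hunk advertises "gnupg-2.0.20-2.0.22.diff.bz2 (39k)" with the description "A patch file to upgrade a 2.0.20 GnuPG source tree", but the checksum list further down names "gnupg-2.0.21-2.0.22.diff.bz2". One of the two is wrong; since the incremental diff normally targets the previous release (2.0.21), this hunk should most likely read "gnupg-2.0.21-2.0.22.diff.bz2" and "A patch file to upgrade a 2.0.21 GnuPG source tree". The sizes "(4200k)" and "(39k)" were also carried over unchanged from the 2.0.21 text and should be re-checked against the actual 2.0.22 tarball and diff.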
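Review bot: the new SHA-1 lines (hunk @@ -109,15 +124,15) checksum "gnupg-2.0.21-2.0.22.diff.bz2", which is not the name given in the download listing earlier in the file; if the listing is not corrected to match, readers who download the advertised file have no checksum to compare against. A caveat worth adding for the "not able to use an old version of GnuPG" path: the checksum only establishes that the tarball matches the copy of this announcement the reader has, so the announcement itself must come from a trustworthy source (the list archive or a signed copy); an attacker who can replace the tarball on a mirror can just as easily replace an unauthenticated copy of the checksum list.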