mirror of git://git.gnupg.org/gnupg.git synced 2025-01-24 15:17:02 +01:00

Post release updates.

--
Werner Koch 2013-10-04 20:33:14 +02:00
parent 210546ff68
commit 3544beff86
3 changed files with 42 additions and 23 deletions

4
NEWS
View File

@ -1,3 +1,7 @@
Noteworthy changes in version 2.0.23 (unreleased)
-------------------------------------------------
Noteworthy changes in version 2.0.22 (2013-10-04) Noteworthy changes in version 2.0.22 (2013-10-04)
------------------------------------------------- -------------------------------------------------

View File

@ -5,7 +5,9 @@ Mail-Followup-To: gnupg-users@gnupg.org
Hello! Hello!
We are pleased to announce the availability of a new stable GnuPG-2 We are pleased to announce the availability of a new stable GnuPG-2
release: Version 2.0.21. release: Version 2.0.22. This is a *security fix* release and all
users are advised to updated to this version. See below for the
impact of the problem.
The GNU Privacy Guard (GnuPG) is GNU's tool for secure communication The GNU Privacy Guard (GnuPG) is GNU's tool for secure communication
and data storage. It can be used to encrypt data, create digital and data storage. It can be used to encrypt data, create digital
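Review bot: The added sentence "users are advised to updated to this version" has a grammar slip; it should read "advised to update to this version". Since this is the first place a reader learns the release is a security fix, it would also help to name the CVE here rather than only in the What's New list further down.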
@ -29,23 +31,36 @@ GnuPG is distributed under the terms of the GNU General Public License
also available for other Unices, Microsoft Windows and Mac OS X. also available for other Unices, Microsoft Windows and Mac OS X.
What's New in 2.0.21 What's New in 2.0.22
==================== ====================
* gpg-agent: By default the users are now asked via the Pinentry * Fixed possible infinite recursion in the compressed packet
whether they trust an X.509 root key. To prohibit interactive parser. [CVE-2013-4402]
marking of such keys, the new option --no-allow-mark-trusted may
be used.
* gpg-agent: The command KEYINFO has options to add info from * Improved support for some card readers.
sshcontrol.
* The included ssh agent does now support ECDSA keys. * Prepared building with the forthcoming Libgcrypt 1.6.
* The new option --enable-putty-support allows gpg-agent to act on * Protect against rogue keyservers sending secret keys.
Windows as a Pageant replacement with full smartcard support.
Impact of the security problem
==============================
Special crafted input data may be used to cause a denial of service
against GPG (GnuPG's OpenPGP part) and some other OpenPGP
implementations. All systems using GPG to process incoming data are
affected.
Taylor R Campbell invented a neat trick to generate OpenPGP packages
to force GPG to recursively parse certain parts of OpenPGP messages ad
infinitum. As a workaround a tight "ulimit -v" setting may be used to
mitigate the problem. Sample input data to trigger this problem has
not yet been seen in the wild. Details of the attack will eventually
be published by its inventor.
A fixed release of the GnuPG 1.4 series will be releases soon.
* Support installation as portable application under Windows.
Getting the Software Getting the Software
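Review bot: The new "Impact of the security problem" section has three wording errors that should be fixed before this text is reused: "will be releases soon" should be "will be released soon", "Special crafted input data" should be "Specially crafted input data", and "OpenPGP packages" should presumably be "OpenPGP packets" to agree with the "compressed packet parser" item above it. The workaround sentence also does not say where the "ulimit -v" limit has to be set; stating that it applies to the shell or service that invokes GPG on incoming data would make it actionable for the systems the section calls affected.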
@ -54,7 +69,7 @@ Getting the Software
Please follow the instructions found at http://www.gnupg.org/download/ Please follow the instructions found at http://www.gnupg.org/download/
or read on: or read on:
GnuPG 2.0.21 may be downloaded from one of the GnuPG mirror sites or GnuPG 2.0.22 may be downloaded from one of the GnuPG mirror sites or
direct from ftp://ftp.gnupg.org/gcrypt/gnupg/ . The list of mirrors direct from ftp://ftp.gnupg.org/gcrypt/gnupg/ . The list of mirrors
can be found at http://www.gnupg.org/mirrors.html . Note, that GnuPG can be found at http://www.gnupg.org/mirrors.html . Note, that GnuPG
is not available at ftp.gnu.org. is not available at ftp.gnu.org.
@ -62,12 +77,12 @@ is not available at ftp.gnu.org.
On the FTP server and its mirrors you should find the following files On the FTP server and its mirrors you should find the following files
in the gnupg/ directory: in the gnupg/ directory:
gnupg-2.0.21.tar.bz2 (4200k) gnupg-2.0.22.tar.bz2 (4200k)
gnupg-2.0.21.tar.bz2.sig gnupg-2.0.22.tar.bz2.sig
GnuPG source compressed using BZIP2 and OpenPGP signature. GnuPG source compressed using BZIP2 and OpenPGP signature.
gnupg-2.0.20-2.0.21.diff.bz2 (39k) gnupg-2.0.20-2.0.22.diff.bz2 (39k)
A patch file to upgrade a 2.0.20 GnuPG source tree. This patch A patch file to upgrade a 2.0.20 GnuPG source tree. This patch
does not include updates of the language files. does not include updates of the language files.
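Review bot: The size annotations "(4200k)" and "(39k)" are carried over unchanged from the 2.0.21 text although both file names now refer to different artifacts. Please confirm them against the uploaded files, the patch in particular, since a 2.0.20-based diff covering two releases is unlikely to be the same size as the previous one.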
@ -84,9 +99,9 @@ the following ways:
* If you already have a trusted version of GnuPG installed, you * If you already have a trusted version of GnuPG installed, you
can simply check the supplied signature. For example to check the can simply check the supplied signature. For example to check the
signature of the file gnupg-2.0.21.tar.bz2 you would use this command: signature of the file gnupg-2.0.22.tar.bz2 you would use this command:
gpg --verify gnupg-2.0.21.tar.bz2.sig gpg --verify gnupg-2.0.22.tar.bz2.sig
This checks whether the signature file matches the source file. This checks whether the signature file matches the source file.
You should see a message indicating that the signature is good and You should see a message indicating that the signature is good and
@ -109,15 +124,15 @@ the following ways:
* If you are not able to use an old version of GnuPG, you have to verify * If you are not able to use an old version of GnuPG, you have to verify
the SHA-1 checksum. Assuming you downloaded the file the SHA-1 checksum. Assuming you downloaded the file
gnupg-2.0.21.tar.bz2, you would run the sha1sum command like this: gnupg-2.0.22.tar.bz2, you would run the sha1sum command like this:
sha1sum gnupg-2.0.21.tar.bz2 sha1sum gnupg-2.0.22.tar.bz2
and check that the output matches the first line from the and check that the output matches the first line from the
following list: following list:
5ba8cce72eb4fd1a3ac1a282d25d7c7b90d3bf26 gnupg-2.0.21.tar.bz2 9ba9ee288e9bf813e0f1e25cbe06b58d3072d8b8 gnupg-2.0.22.tar.bz2
cd94a6267088eeff4735641b1fc832a1e6770ba3 gnupg-2.0.20-2.0.21.diff.bz2 6cc51b14ed652fe7eadae25ec7cdaa6f63377525 gnupg-2.0.21-2.0.22.diff.bz2
Documentation Documentation
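Review bot: The second checksum line names "gnupg-2.0.21-2.0.22.diff.bz2", but the file listing earlier in this announcement offers "gnupg-2.0.20-2.0.22.diff.bz2" and describes it as a patch for a 2.0.20 source tree. One of the two is wrong; a reader verifying the patch will not find a matching entry, so the name, the description and the checksum should be aligned to the file actually published.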

View File

@ -26,7 +26,7 @@ min_automake_version="1.10"
# (git tag -s gnupg-2.n.m) and run "./autogen.sh --force". Please # (git tag -s gnupg-2.n.m) and run "./autogen.sh --force". Please
# bump the version number immediately *after* the release and do # bump the version number immediately *after* the release and do
# another commit and push so that the git magic is able to work. # another commit and push so that the git magic is able to work.
m4_define([mym4_version], [2.0.22]) m4_define([mym4_version], [2.0.23])
# Below is m4 magic to extract and compute the git revision number, # Below is m4 magic to extract and compute the git revision number,
# the decimalized short revision number, a beta version string and a # the decimalized short revision number, a beta version string and a