Post release updates.

--
2025-01-09 12:54:23 +01:00 · 2013-10-04 20:33:14 +02:00 · 2013-10-04 20:33:14 +02:00 · 3544beff86
commit 3544beff86
parent 210546ff68
3 changed files with 42 additions and 23 deletions
--- a/4
+++ b/4
@ -1,3 +1,7 @@
 Noteworthy changes in version 2.0.23 (unreleased)
 -------------------------------------------------
 Noteworthy changes in version 2.0.22 (2013-10-04)
 -------------------------------------------------
--- a/announce.txt
+++ b/announce.txt
@ -5,7 +5,9 @@ Mail-Followup-To: gnupg-users@gnupg.org
 Hello!
 We are pleased to announce the availability of a new stable GnuPG-2
-release:  Version 2.0.21.
+release: Version 2.0.22.  This is a *security fix* release and all
 users are advised to updated to this version.  See below for the
 impact of the problem.
 The GNU Privacy Guard (GnuPG) is GNU's tool for secure communication
 and data storage.  It can be used to encrypt data, create digital
@ -29,23 +31,36 @@ GnuPG is distributed under the terms of the GNU General Public License
 also available for other Unices, Microsoft Windows and Mac OS X.
-What's New in 2.0.21
+What's New in 2.0.22
 ====================
- * gpg-agent: By default the users are now asked via the Pinentry
+ * Fixed possible infinite recursion in the compressed packet
-   whether they trust an X.509 root key.  To prohibit interactive
+   parser. [CVE-2013-4402]
   marking of such keys, the new option --no-allow-mark-trusted may
   be used.
- * gpg-agent: The command KEYINFO has options to add info from
+ * Improved support for some card readers.
   sshcontrol.
- * The included ssh agent does now support ECDSA keys.
+ * Prepared building with the forthcoming Libgcrypt 1.6.
- * The new option --enable-putty-support allows gpg-agent to act on
+ * Protect against rogue keyservers sending secret keys.
-   Windows as a Pageant replacement with full smartcard support.
+
 Impact of the security problem
 ==============================
 Special crafted input data may be used to cause a denial of service
 against GPG (GnuPG's OpenPGP part) and some other OpenPGP
 implementations.  All systems using GPG to process incoming data are
 affected.
 Taylor R Campbell invented a neat trick to generate OpenPGP packages
 to force GPG to recursively parse certain parts of OpenPGP messages ad
 infinitum.  As a workaround a tight "ulimit -v" setting may be used to
 mitigate the problem.  Sample input data to trigger this problem has
 not yet been seen in the wild.  Details of the attack will eventually
 be published by its inventor.
 A fixed release of the GnuPG 1.4 series will be releases soon.
 * Support installation as portable application under Windows.
 Getting the Software
@ -54,7 +69,7 @@ Getting the Software
 Please follow the instructions found at http://www.gnupg.org/download/
 or read on:
-GnuPG 2.0.21 may be downloaded from one of the GnuPG mirror sites or
+GnuPG 2.0.22 may be downloaded from one of the GnuPG mirror sites or
 direct from ftp://ftp.gnupg.org/gcrypt/gnupg/ .  The list of mirrors
 can be found at http://www.gnupg.org/mirrors.html .  Note, that GnuPG
 is not available at ftp.gnu.org.
@ -62,12 +77,12 @@ is not available at ftp.gnu.org.
 On the FTP server and its mirrors you should find the following files
 in the gnupg/ directory:
-  gnupg-2.0.21.tar.bz2 (4200k)
+  gnupg-2.0.22.tar.bz2 (4200k)
-  gnupg-2.0.21.tar.bz2.sig
+  gnupg-2.0.22.tar.bz2.sig
      GnuPG source compressed using BZIP2 and OpenPGP signature.
-  gnupg-2.0.20-2.0.21.diff.bz2 (39k)
+  gnupg-2.0.20-2.0.22.diff.bz2 (39k)
      A patch file to upgrade a 2.0.20 GnuPG source tree.  This patch
      does not include updates of the language files.
@ -84,9 +99,9 @@ the following ways:
 * If you already have a trusted version of GnuPG installed, you
   can simply check the supplied signature.  For example to check the
-   signature of the file gnupg-2.0.21.tar.bz2 you would use this command:
+   signature of the file gnupg-2.0.22.tar.bz2 you would use this command:
-     gpg --verify gnupg-2.0.21.tar.bz2.sig
+     gpg --verify gnupg-2.0.22.tar.bz2.sig
   This checks whether the signature file matches the source file.
   You should see a message indicating that the signature is good and
@ -109,15 +124,15 @@ the following ways:
 * If you are not able to use an old version of GnuPG, you have to verify
   the SHA-1 checksum.  Assuming you downloaded the file
-   gnupg-2.0.21.tar.bz2, you would run the sha1sum command like this:
+   gnupg-2.0.22.tar.bz2, you would run the sha1sum command like this:
-     sha1sum gnupg-2.0.21.tar.bz2
+     sha1sum gnupg-2.0.22.tar.bz2
   and check that the output matches the first line from the
   following list:
-5ba8cce72eb4fd1a3ac1a282d25d7c7b90d3bf26  gnupg-2.0.21.tar.bz2
+9ba9ee288e9bf813e0f1e25cbe06b58d3072d8b8  gnupg-2.0.22.tar.bz2
-cd94a6267088eeff4735641b1fc832a1e6770ba3  gnupg-2.0.20-2.0.21.diff.bz2
+6cc51b14ed652fe7eadae25ec7cdaa6f63377525  gnupg-2.0.21-2.0.22.diff.bz2
 Documentation
--- a/configure.ac
+++ b/configure.ac
@ -26,7 +26,7 @@ min_automake_version="1.10"
 # (git tag -s gnupg-2.n.m) and run "./autogen.sh --force".  Please
 # bump the version number immediately *after* the release and do
 # another commit and push so that the git magic is able to work.
-m4_define([mym4_version], [2.0.22])
+m4_define([mym4_version], [2.0.23])
 # Below is m4 magic to extract and compute the git revision number,
 # the decimalized short revision number, a beta version string and a