mirror of
git://git.gnupg.org/gnupg.git
synced 2024-12-22 10:19:57 +01:00
Post release updates.
--
This commit is contained in:
parent
210546ff68
commit
3544beff86
4
NEWS
4
NEWS
@ -1,3 +1,7 @@
|
||||
Noteworthy changes in version 2.0.23 (unreleased)
|
||||
-------------------------------------------------
|
||||
|
||||
|
||||
Noteworthy changes in version 2.0.22 (2013-10-04)
|
||||
-------------------------------------------------
|
||||
|
||||
|
59
announce.txt
59
announce.txt
@ -5,7 +5,9 @@ Mail-Followup-To: gnupg-users@gnupg.org
|
||||
Hello!
|
||||
|
||||
We are pleased to announce the availability of a new stable GnuPG-2
|
||||
release: Version 2.0.21.
|
||||
release: Version 2.0.22. This is a *security fix* release and all
|
||||
users are advised to updated to this version. See below for the
|
||||
impact of the problem.
|
||||
|
||||
The GNU Privacy Guard (GnuPG) is GNU's tool for secure communication
|
||||
and data storage. It can be used to encrypt data, create digital
|
||||
@ -29,23 +31,36 @@ GnuPG is distributed under the terms of the GNU General Public License
|
||||
also available for other Unices, Microsoft Windows and Mac OS X.
|
||||
|
||||
|
||||
What's New in 2.0.21
|
||||
What's New in 2.0.22
|
||||
====================
|
||||
|
||||
* gpg-agent: By default the users are now asked via the Pinentry
|
||||
whether they trust an X.509 root key. To prohibit interactive
|
||||
marking of such keys, the new option --no-allow-mark-trusted may
|
||||
be used.
|
||||
* Fixed possible infinite recursion in the compressed packet
|
||||
parser. [CVE-2013-4402]
|
||||
|
||||
* gpg-agent: The command KEYINFO has options to add info from
|
||||
sshcontrol.
|
||||
* Improved support for some card readers.
|
||||
|
||||
* The included ssh agent does now support ECDSA keys.
|
||||
* Prepared building with the forthcoming Libgcrypt 1.6.
|
||||
|
||||
* The new option --enable-putty-support allows gpg-agent to act on
|
||||
Windows as a Pageant replacement with full smartcard support.
|
||||
* Protect against rogue keyservers sending secret keys.
|
||||
|
||||
|
||||
Impact of the security problem
|
||||
==============================
|
||||
|
||||
Special crafted input data may be used to cause a denial of service
|
||||
against GPG (GnuPG's OpenPGP part) and some other OpenPGP
|
||||
implementations. All systems using GPG to process incoming data are
|
||||
affected.
|
||||
|
||||
Taylor R Campbell invented a neat trick to generate OpenPGP packages
|
||||
to force GPG to recursively parse certain parts of OpenPGP messages ad
|
||||
infinitum. As a workaround a tight "ulimit -v" setting may be used to
|
||||
mitigate the problem. Sample input data to trigger this problem has
|
||||
not yet been seen in the wild. Details of the attack will eventually
|
||||
be published by its inventor.
|
||||
|
||||
A fixed release of the GnuPG 1.4 series will be releases soon.
|
||||
|
||||
* Support installation as portable application under Windows.
|
||||
|
||||
|
||||
Getting the Software
|
||||
@ -54,7 +69,7 @@ Getting the Software
|
||||
Please follow the instructions found at http://www.gnupg.org/download/
|
||||
or read on:
|
||||
|
||||
GnuPG 2.0.21 may be downloaded from one of the GnuPG mirror sites or
|
||||
GnuPG 2.0.22 may be downloaded from one of the GnuPG mirror sites or
|
||||
direct from ftp://ftp.gnupg.org/gcrypt/gnupg/ . The list of mirrors
|
||||
can be found at http://www.gnupg.org/mirrors.html . Note, that GnuPG
|
||||
is not available at ftp.gnu.org.
|
||||
@ -62,12 +77,12 @@ is not available at ftp.gnu.org.
|
||||
On the FTP server and its mirrors you should find the following files
|
||||
in the gnupg/ directory:
|
||||
|
||||
gnupg-2.0.21.tar.bz2 (4200k)
|
||||
gnupg-2.0.21.tar.bz2.sig
|
||||
gnupg-2.0.22.tar.bz2 (4200k)
|
||||
gnupg-2.0.22.tar.bz2.sig
|
||||
|
||||
GnuPG source compressed using BZIP2 and OpenPGP signature.
|
||||
|
||||
gnupg-2.0.20-2.0.21.diff.bz2 (39k)
|
||||
gnupg-2.0.20-2.0.22.diff.bz2 (39k)
|
||||
|
||||
A patch file to upgrade a 2.0.20 GnuPG source tree. This patch
|
||||
does not include updates of the language files.
|
||||
@ -84,9 +99,9 @@ the following ways:
|
||||
|
||||
* If you already have a trusted version of GnuPG installed, you
|
||||
can simply check the supplied signature. For example to check the
|
||||
signature of the file gnupg-2.0.21.tar.bz2 you would use this command:
|
||||
signature of the file gnupg-2.0.22.tar.bz2 you would use this command:
|
||||
|
||||
gpg --verify gnupg-2.0.21.tar.bz2.sig
|
||||
gpg --verify gnupg-2.0.22.tar.bz2.sig
|
||||
|
||||
This checks whether the signature file matches the source file.
|
||||
You should see a message indicating that the signature is good and
|
||||
@ -109,15 +124,15 @@ the following ways:
|
||||
|
||||
* If you are not able to use an old version of GnuPG, you have to verify
|
||||
the SHA-1 checksum. Assuming you downloaded the file
|
||||
gnupg-2.0.21.tar.bz2, you would run the sha1sum command like this:
|
||||
gnupg-2.0.22.tar.bz2, you would run the sha1sum command like this:
|
||||
|
||||
sha1sum gnupg-2.0.21.tar.bz2
|
||||
sha1sum gnupg-2.0.22.tar.bz2
|
||||
|
||||
and check that the output matches the first line from the
|
||||
following list:
|
||||
|
||||
5ba8cce72eb4fd1a3ac1a282d25d7c7b90d3bf26 gnupg-2.0.21.tar.bz2
|
||||
cd94a6267088eeff4735641b1fc832a1e6770ba3 gnupg-2.0.20-2.0.21.diff.bz2
|
||||
9ba9ee288e9bf813e0f1e25cbe06b58d3072d8b8 gnupg-2.0.22.tar.bz2
|
||||
6cc51b14ed652fe7eadae25ec7cdaa6f63377525 gnupg-2.0.21-2.0.22.diff.bz2
|
||||
|
||||
|
||||
Documentation
|
||||
|
@ -26,7 +26,7 @@ min_automake_version="1.10"
|
||||
# (git tag -s gnupg-2.n.m) and run "./autogen.sh --force". Please
|
||||
# bump the version number immediately *after* the release and do
|
||||
# another commit and push so that the git magic is able to work.
|
||||
m4_define([mym4_version], [2.0.22])
|
||||
m4_define([mym4_version], [2.0.23])
|
||||
|
||||
# Below is m4 magic to extract and compute the git revision number,
|
||||
# the decimalized short revision number, a beta version string and a
|
||||
|
Loading…
x
Reference in New Issue
Block a user