diff --git a/ChangeLog b/ChangeLog index 083b9afa4..cd9129cf0 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +2006-12-02 David Shaw + + * NEWS: Note the CVE for bug#728, --s2k-count, + --passphrase-repeat, and the OpenSSL exception. + 2006-11-29 Werner Koch Released 1.4.6rc1. diff --git a/NEWS b/NEWS index d043698d1..f9080bb48 100644 --- a/NEWS +++ b/NEWS @@ -2,9 +2,26 @@ Noteworthy changes in version 1.4.6 ------------------------------------------------ * Fixed a bug while decrypting certain compressed and encrypted - messages. See http://bugs.gnupg.org/537 . + messages. [bug#537] - * Fixed a buffer overflow in gpg2. [bug#728] + * Fixed a buffer overflow in gpg. [bug#728, CVE-2006-6169] + + * Added --s2k-count to set the number of times passphrase mangling + is repeated. The default is 65536 times. + + * Added --passphrase-repeat to set the number of times GPG will + prompt for a new passphrase to be repeated. This is useful to + help memorize a new passphrase. The default is 1 repetition. + + * Added a GPL license exception to the keyserver helper programs + gpgkeys_ldap, gpgkeys_curl, and gpgkeys_hkp, to clarify any + potential questions about the ability to distribute binaries + that link to the OpenSSL library. GnuPG does not link directly + to OpenSSL, but libcurl (used for HKP, HTTP, and FTP) and + OpenLDAP (used for LDAP) may. Note that this license exception + is considered a bug fix and is intended to forgive any + violations pertaining to this issue, including those that may + have occurred in the past. Noteworthy changes in version 1.4.5 (2006-08-01) @@ -24,7 +41,7 @@ Noteworthy changes in version 1.4.5 (2006-08-01) Noteworthy changes in version 1.4.4 (2006-06-25) ------------------------------------------------ - * User IDs are now capped at 2048 byte. This avoids a memory + * User IDs are now capped at 2048 bytes. This avoids a memory allocation attack (see CVE-2006-3082). * Added support for the SHA-224 hash. Like the SHA-384 hash, it
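Review bot: The ChangeLog hunk's entry for NEWS lists the CVE, --s2k-count, --passphrase-repeat and the OpenSSL exception, but leaves out the correction of the affected program from "gpg2" to "gpg" in the bug#728 line. That edit changes which binary readers believe had the overflow, so it deserves its own mention in the entry, for example "correct gpg2 to gpg for bug#728".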
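Review bot: In the NEWS hunk for 1.4.6, the line "Fixed a buffer overflow in gpg. [bug#728, CVE-2006-6169]" says nothing about which operation triggers the overflow or what the impact is, whereas the 1.4.4 entry further down states the effect ("This avoids a memory allocation attack (see CVE-2006-3082)"). Consider adding a short clause on the affected operation so users can judge how urgently to upgrade, and citing the CVE in the same style in both entries. The same hunk replaces the URL http://bugs.gnupg.org/537 with "[bug#537]"; a one-line note in NEWS on where bug# tags resolve would keep the reference usable.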
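Review bot: The "byte" to "bytes" fix in the last NEWS hunk edits the notes of the already released 1.4.4 and is not covered by the ChangeLog entry in this patch, which describes only the 1.4.6 additions. Either mention it in that entry or move it to a separate commit so the history of the release notes stays easy to follow.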