diff --git a/NEWS b/NEWS index 656f91014..aed90e634 100644 --- a/NEWS +++ b/NEWS @@ -1,3 +1,7 @@ +Noteworthy changes in version 2.0.24 (unreleased) +------------------------------------------------- + + Noteworthy changes in version 2.0.23 (2014-06-03) ------------------------------------------------- diff --git a/announce.txt b/announce.txt index 384f57505..63e959f06 100644 --- a/announce.txt +++ b/announce.txt @@ -5,9 +5,8 @@ Mail-Followup-To: gnupg-users@gnupg.org Hello! We are pleased to announce the availability of a new stable GnuPG-2 -release: Version 2.0.22. This is a *security fix* release and all -users are advised to updated to this version. See below for the -impact of the problem. +release: Version 2.0.23. This is a maintenace release with a few +new features. The GNU Privacy Guard (GnuPG) is GNU's tool for secure communication and data storage. It can be used to encrypt data, create digital 
@@ -31,35 +30,33 @@ GnuPG is distributed under the terms of the GNU General Public License also available for other Unices, Microsoft Windows and Mac OS X. -What's New in 2.0.22 +What's New in 2.0.23 ==================== - * Fixed possible infinite recursion in the compressed packet - parser. [CVE-2013-4402] + * gpg: Reject signatures made using the MD5 hash algorithm unless the + new option --allow-weak-digest-algos or --pgp2 are given. - * Improved support for some card readers. + * gpg: Do not create a trustdb file if --trust-model=always is used. - * Prepared building with the forthcoming Libgcrypt 1.6. + * gpg: Only the major version number is by default included in the + armored output. - * Protect against rogue keyservers sending secret keys. + * gpg: Print a warning if the Gnome-Keyring-Daemon intercepts the + communication with the gpg-agent. + * gpg: The format of the fallback key listing ("gpg KEYFILE") is now more + aligned to the regular key listing ("gpg -k"). -Impact of the security problem -============================== + * gpg: The option--show-session-key prints its output now before the + decryption of the bulk message starts. -Special crafted input data may be used to cause a denial of service -against GPG (GnuPG's OpenPGP part) and some other OpenPGP -implementations. All systems using GPG to process incoming data are -affected. + * gpg: New %U expando for the photo viewer. -Taylor R Campbell invented a neat trick to generate OpenPGP packages -to force GPG to recursively parse certain parts of OpenPGP messages ad -infinitum. As a workaround a tight "ulimit -v" setting may be used to -mitigate the problem. Sample input data to trigger this problem has -not yet been seen in the wild. Details of the attack will eventually -be published by its inventor. + * gpgsm: Improved handling of re-issued CA certificates. -A fixed release of the GnuPG 1.4 series will be releases soon. + * scdaemon: Various fixes for pinpad equipped card readers. 
+ + * Minor bug fixes. @@ -69,25 +66,26 @@ Getting the Software Please follow the instructions found at http://www.gnupg.org/download/ or read on: -GnuPG 2.0.22 may be downloaded from one of the GnuPG mirror sites or +GnuPG 2.0.23 may be downloaded from one of the GnuPG mirror sites or direct from ftp://ftp.gnupg.org/gcrypt/gnupg/ . The list of mirrors -can be found at http://www.gnupg.org/mirrors.html . Note, that GnuPG +can be found at http://www.gnupg.org/mirrors.html . Note that GnuPG is not available at ftp.gnu.org. On the FTP server and its mirrors you should find the following files in the gnupg/ directory: - gnupg-2.0.22.tar.bz2 (4200k) - gnupg-2.0.22.tar.bz2.sig + gnupg-2.0.23.tar.bz2 (4196k) + gnupg-2.0.23.tar.bz2.sig - GnuPG source compressed using BZIP2 and OpenPGP signature. + GnuPG source compressed using BZIP2 and its OpenPGP signature. - gnupg-2.0.20-2.0.22.diff.bz2 (39k) + gnupg-2.0.22-2.0.23.diff.bz2 (53k) - A patch file to upgrade a 2.0.20 GnuPG source tree. This patch + A patch file to upgrade a 2.0.22 GnuPG source tree. This patch does not include updates of the language files. Note, that we don't distribute gzip compressed tarballs for GnuPG-2. +A Windows version will eventually be released at https://gpg4win.org . Checking the Integrity @@ -99,9 +97,9 @@ the following ways: * If you already have a trusted version of GnuPG installed, you can simply check the supplied signature. For example to check the - signature of the file gnupg-2.0.22.tar.bz2 you would use this command: + signature of the file gnupg-2.0.23.tar.bz2 you would use this command: - gpg --verify gnupg-2.0.22.tar.bz2.sig + gpg --verify gnupg-2.0.23.tar.bz2.sig This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and 
@@ -124,15 +122,15 @@ the following ways: * If you are not able to use an old version of GnuPG, you have to verify the SHA-1 checksum. Assuming you downloaded the file - gnupg-2.0.22.tar.bz2, you would run the sha1sum command like this: + gnupg-2.0.23.tar.bz2, you would run the sha1sum command like this: - sha1sum gnupg-2.0.22.tar.bz2 + sha1sum gnupg-2.0.23.tar.bz2 and check that the output matches the first line from the following list: -9ba9ee288e9bf813e0f1e25cbe06b58d3072d8b8 gnupg-2.0.22.tar.bz2 -6cc51b14ed652fe7eadae25ec7cdaa6f63377525 gnupg-2.0.21-2.0.22.diff.bz2 +c90e47ab95a40dd070fd75faef0a05c7b679553b gnupg-2.0.23.tar.bz2 +e02cfab2bc046f9fac89eef098c34f58b5745d20 gnupg-2.0.22-2.0.23.diff.bz2 Documentation @@ -143,11 +141,11 @@ Separate man pages are included as well; however they have not all the details available in the manual. It is also possible to read the complete manual online in HTML format at - http://www.gnupg.org/documentation/manuals/gnupg/ + https://www.gnupg.org/documentation/manuals/gnupg/ or in Portable Document Format at - http://www.gnupg.org/documentation/manuals/gnupg.pdf . + https://www.gnupg.org/documentation/manuals/gnupg.pdf . The chapters on gpg-agent, gpg and gpgsm include information on how to set up the whole thing. You may also want search the GnuPG mailing @@ -170,7 +168,7 @@ We suggest to send bug reports for a new release to this list in favor of filing a bug at <http://bugs.gnupg.org>. We also have a dedicated service directory at: - http://www.gnupg.org/service.html + https://www.gnupg.org/service.html The driving force behind the development of GnuPG is the company of its principal author, Werner Koch. Maintenance and improvement of 
@@ -178,7 +176,12 @@ GnuPG and related software takes up most of their resources. To allow him to continue this work he kindly asks to either purchase a support contract, engage g10 Code for custom enhancements, or to donate money: - http://g10code.com/gnupg-donation.html +Maintaining and improving GnuPG is costly. For more than a decade, +g10 Code GmbH, a German company owned and headed by GnuPG's principal +author Werner Koch, is bearing the majority of these costs. To help +them carry on this work, they need your support. See + + https://gnupg.org/donate/ Thanks @@ -186,7 +189,7 @@ Thanks We have to thank all the people who helped with this release, be it testing, coding, translating, suggesting, auditing, administering the -servers, spreading the word, or answering questions on the mailing +servers, spreading the word, and answering questions on the mailing lists. diff --git a/configure.ac b/configure.ac index ec7fae707..4ea6606cb 100644 --- a/configure.ac +++ b/configure.ac @@ -26,7 +26,7 @@ min_automake_version="1.10" # (git tag -s gnupg-2.n.m) and run "./autogen.sh --force". Please # bump the version number immediately *after* the release and do # another commit and push so that the git magic is able to work. -m4_define([mym4_version], [2.0.23]) +m4_define([mym4_version], [2.0.24]) # Below is m4 magic to extract and compute the git revision number, # the decimalized short revision number, a beta version string and a
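Review bot: typo in the added line of the announce.txt @@ -5,9 +5,8 hunk: "This is a maintenace release" should read "This is a maintenance release".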
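Review bot: two wording problems in the "What's New in 2.0.23" hunk of announce.txt (@@ -31,35 +30,33). "The option--show-session-key prints" is missing a space before the option name, and "unless the new option --allow-weak-digest-algos or --pgp2 are given" mixes singular and plural; suggest "unless the new option --allow-weak-digest-algos or --pgp2 is given". Because rejecting MD5 signatures is a user-visible behaviour change, that item would also benefit from one sentence saying that previously accepted MD5-signed material will now fail verification unless one of those two options is used, so users know this is intended rather than a regression.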
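Review bot: the http-to-https migration made elsewhere in this patch stops short of the download links in the "Getting the Software" hunk (@@ -69,25 +66,26): the rewritten line still points at http://www.gnupg.org/mirrors.html and the unchanged context keeps http://www.gnupg.org/download/, which is the page readers are sent to for fetching the tarball. Suggest switching both to https in the same way as the documentation and service URLs. Also, "Note that GnuPG" drops the comma here while the unchanged "Note, that we don't distribute" two lines below keeps it; make the two consistent.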
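Review bot: the two SHA-1 values in the checksum hunk (@@ -124,15 +122,15) cannot be verified from the diff itself; before merge, confirm they were regenerated from the exact gnupg-2.0.23.tar.bz2 and gnupg-2.0.22-2.0.23.diff.bz2 that will be uploaded, since a stale value here makes the verification instructions fail for every user who follows them. On the positive side, the removed list named gnupg-2.0.21-2.0.22.diff.bz2 while the file list above it named gnupg-2.0.20-2.0.22.diff.bz2; the new entries use 2.0.22-2.0.23 in both places, which resolves that inconsistency.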
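Review bot: the service-directory hunk (@@ -170,7 +168,7) leaves <http://bugs.gnupg.org> in its context line on plain http while the very next line moves http://www.gnupg.org/service.html to https; if the bug tracker is reachable over https, update it in the same change so all links in this section agree.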
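Review bot: in the donation hunk (@@ -178,7 +176,12) the unchanged context line still ends with "or to donate money:", and that colon used to introduce the URL this hunk deletes; it now runs straight into the new paragraph, which restates the same request in different words. Suggest either removing the old sentence or ending it with a period and letting the new paragraph stand on its own. Also, "For more than a decade, g10 Code GmbH ... is bearing the majority of these costs" should read "has been bearing".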