Opened 5 years ago

Closed 5 years ago

#12248 closed enhancement (fixed)

gnupg-2.2.17

Reported by: ken@… Owned by: Bruce Dubbs
Priority: high Milestone: 9.0
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description

This mitigates the recent DOS from certificate-flooding the keyservers, CVE-2019-13050

See e.g. https://access.redhat.com/articles/4264021

From that article, mitigations as per upstream:

As per upstream: High-risk users should stop using the key server network immediately.

Open ~/.gnupg/gpg.conf in a text editor. Ensure there is no line starting with keyserver. If there is, remove it. Open ~/.gnupg/dirmngr.conf in a text editor. Add the line keyserver hkps://keys.openpgp.org to the end of it.


I'm unclear if we ought to be modifying our install (do we need to run dirmngr as a daemon?) or our instructions for configuring it - I don't have any ~/.gnupg/dirmngr.conf

Noteworthy changes in version 2.2.17
====================================

  • gpg: Ignore all key-signatures received from keyservers. This change is required to mitigate a DoS due to keys flooded with faked key-signatures. The old behaviour can be achieved by adding

        keyserver-options no-self-sigs-only,no-import-clean

    to your gpg.conf. #4607

  • gpg: If an imported keyblock is too large to be stored in the keybox (pubring.kbx) do not error out but fall back to an import using the options "self-sigs-only,import-clean". #4591
  • gpg: New command --locate-external-key which can be used to refresh keys from the Web Key Directory or via other methods configured with --auto-key-locate.
  • gpg: New import option "self-sigs-only".
  • gpg: In --auto-key-retrieve prefer WKD over keyservers. #4595
  • dirmngr: Support the "openpgpkey" subdomain feature from draft-koch-openpgp-webkey-service-07. #4590.
  • dirmngr: Add an exception for the "openpgpkey" subdomain to the CSRF protection. #4603
  • dirmngr: Fix endless loop due to http errors 503 and 504. #4600
  • dirmngr: Fix TLS bug during redirection of HKP requests. #4566
  • gpgconf: Fix a race condition when killing components. #4577

Release-info: https://dev.gnupg.org/T4606
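The two mitigation steps quoted above (no keyserver line in gpg.conf, keyserver hkps://keys.openpgp.org in dirmngr.conf) and the 2.2.17 note that keyserver-options no-self-sigs-only,no-import-clean restores the old flooding-prone behaviour are easy to check mechanically. The following POSIX sh script is an added example, not part of this ticket or of GnuPG: it audits a GnuPG home directory for exactly those three conditions, tolerating comments and whitespace as gpg's option parser does, and it handles the case the reporter mentions where ~/.gnupg/dirmngr.conf does not exist at all. The sample homes it builds are constructed, and hkp://old-keyserver.example is a placeholder, not a real server.

```shell
#!/bin/sh
# Added example (not from the ticket or from GnuPG): audit a GnuPG home
# directory for the CVE-2019-13050 keyserver mitigation.
# Assumptions: gpg.conf/dirmngr.conf use one option per line, optional
# leading whitespace, and '#' comment lines; the recommended server is
# hkps://keys.openpgp.org.

# Print the value(s) of option $2 in file $1 (one per line), with comment
# lines dropped and surrounding whitespace trimmed. Prints nothing if the
# file is missing, so a missing dirmngr.conf is reported, not an error.
conf_value() {
    file=$1; opt=$2
    [ -f "$file" ] || return 0
    sed -e '/^[[:space:]]*#/d' "$file" |
        awk -v o="$opt" '$1 == o {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]*/, "")
            sub(/[[:space:]]+$/, "")
            print
        }'
}

# Succeed (exit 0) if file $1 has an active line whose option name is $2,
# even when the option carries no value.
conf_has_option() {
    file=$1; opt=$2
    [ -f "$file" ] || return 1
    sed -e '/^[[:space:]]*#/d' "$file" |
        awk -v o="$opt" '$1 == o { found = 1 } END { exit !found }'
}

# Audit one GnuPG home. Exit status is a sum of:
#   1  gpg.conf still carries a 'keyserver' line (should be removed)
#   2  dirmngr.conf does not list exactly hkps://keys.openpgp.org
#   4  gpg.conf sets keyserver-options no-self-sigs-only (re-enables flooding)
# 0 means the mitigation described in the ticket is fully in place.
audit_gnupg_home() {
    home=$1
    status=0
    if conf_has_option "$home/gpg.conf" keyserver; then
        echo "WARN: $home/gpg.conf still sets 'keyserver'; remove it (dirmngr selects the server)"
        status=$((status + 1))
    fi
    servers=$(conf_value "$home/dirmngr.conf" keyserver)
    if [ "$servers" != "hkps://keys.openpgp.org" ]; then
        echo "WARN: $home/dirmngr.conf should contain exactly: keyserver hkps://keys.openpgp.org"
        status=$((status + 2))
    fi
    if conf_value "$home/gpg.conf" keyserver-options | grep -q 'no-self-sigs-only'; then
        echo "WARN: $home/gpg.conf re-enables import of third-party key signatures (no-self-sigs-only)"
        status=$((status + 4))
    fi
    return $status
}

# Demo on two constructed homes: one with the pre-2.2.17 style config, one mitigated.
run_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/before" "$d/after"
    printf '# constructed sample (old style)\nkeyserver hkp://old-keyserver.example\n' > "$d/before/gpg.conf"
    printf '# constructed sample (mitigated): keyserver line removed\n' > "$d/after/gpg.conf"
    printf 'keyserver hkps://keys.openpgp.org\n' > "$d/after/dirmngr.conf"
    for h in before after; do
        audit_gnupg_home "$d/$h" && echo "$h: mitigated" || echo "$h: needs attention (code $?)"
    done
    rm -rf "$d"
}
run_demo
```

Run it as `sh audit-gnupg.sh`, or source it and call `audit_gnupg_home "$HOME/.gnupg"`; the exit status bits tell you which of the three conditions failed, which is handy in a post-upgrade check that runs the same audit across several accounts.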

Change History (2)

comment:1 by Bruce Dubbs, 5 years ago

Owner: changed from blfs-book to Bruce Dubbs
Status: new → assigned

comment:2 by Bruce Dubbs, 5 years ago

Resolution: fixed
Status: assigned → closed

Fixed at revision 21825.
