#17193 closed enhancement (duplicate)

gnupg-2.3.8

Reported by: ken@… Owned by: blfs-book
Priority: normal Milestone: 11.3
Component: BOOK Version: git
Severity: normal Keywords:
Cc:

Description (last modified by ken@…)

Noted on lwn.net, this is primarily to fix CVE-2022-3515 in libksba, further details at https://gnupg.org/blog/20221017-pepe-left-the-ksba.html (can be used for remote code execution via malicious S/MIME data or by a rogue webserver). UPDATE: BLFS has libksba as a separate package and is already at 1.6.2, therefore this is not a vulnerability fix for BLFS.

Noteworthy changes in version 2.3.8
===================================

  • gpg: Do not consider unknown public keys as non-compliant while decrypting. [T6205]
  • gpg: Avoid to emit a compliance mode line if Libgcrypt is non-compliant. [T6221]
  • gpg: Improve --edit-key setpref command to ease c+p. [rG1908fa8b83]
  • gpg: Emit an ERROR status if --quick-set-primary-uid fails and allow to pass the user ID by hash. [T6126]
  • gpg: Actually show symmetric+pubkey encrypted data as de-vs compliant. Add extra compliance checks for symkey_enc packets. [T6119]
  • gpg: In de-vs mode use SHA-256 instead of SHA-1 as implicit preference. [T6043]
  • gpgsm: Fix reporting of bad passphrase error during PKCS#11 import. [T5713,T6037]
  • agent: Fix a regression in "READKEY --format=ssh". [T6012]
  • agent: New option --need-attr for KEYINFO. [rG989eae648c]
  • agent: New attribute "Remote-list" for use by KEYINFO. [r1383aa4750]
  • scd: Fix problem with Yubikey 5.4 firmware. [T6070]
  • dirmngr: Fix CRL Distribution Point fallback to other schemes. [rG0c8299e2b5]
  • dirmngr: New LDAP server flag "areconly" (A-record-only). [rGd65a0335e5]
  • dirmngr: Fix upload of multiple keys for an LDAP server specified using the colon format. [rG536b5cd663]
  • dirmngr: Use LDAP schema v2 when a Base DN is specified. [T6047]
  • dirmngr: Avoid caching expired certificates. [T6142]
  • wkd: Fix path traversal attack in gpg-wks-server. Add the mail address to the pending request data. [rG8a63a8c825,T6098]
  • wkd: New command --mirror for gpg-wks-client. [T6224]
  • gpg-auth: New tool for authentication. [T5862]
  • New common.conf option no-autostart. [rG203dcc19eb]
  • Silence warnings from AllowSetForegroundWindow unless GNUPG_EXEC_DEBUG_FLAGS is used. [rG4ef8516a79]

Release-info: https://dev.gnupg.org/T6106

Getting the Software
====================

Please follow the instructions found at <https://gnupg.org/download/> or read on:

GnuPG may be downloaded from one of the GnuPG mirror sites or direct from its primary FTP server. The list of mirrors can be found at <https://gnupg.org/download/mirrors.html>. Note that GnuPG is not available at ftp.gnu.org.

The GnuPG source code compressed using BZIP2 and its OpenPGP signature are available here:

https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.3.8.tar.bz2 (7465k)
https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.3.8.tar.bz2.sig

Checking the Integrity
======================

In order to check that the version of GnuPG which you are going to install is an original and unmodified one, you can do it in one of the following ways:

  • If you already have a version of GnuPG installed, you can simply verify the supplied signature. For example to verify the signature of the file gnupg-2.3.8.tar.bz2 you would use this command:

gpg --verify gnupg-2.3.8.tar.bz2.sig gnupg-2.3.8.tar.bz2

This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by one or more of the release signing keys. Make sure that this is a valid key, either by matching the shown fingerprint against a trustworthy list of valid release signing keys or by checking that the key has been signed by trustworthy other keys. See the end of this mail for information on the signing keys.

  • If you are not able to use an existing version of GnuPG, you have to verify the SHA-1 checksum. On Unix systems the command to do this is either "sha1sum" or "shasum". Assuming you downloaded the file gnupg-2.3.8.tar.bz2, you run the command like this:

sha1sum gnupg-2.3.8.tar.bz2

and check that the output matches the next line:

1f31b7b4c9c9adad97f94ea3acf1aa64c0424bcc gnupg-2.3.8.tar.bz2
014aa20eb1ac677736d0c2e056adc55304e12679 gnupg-w32-2.3.8_20221013.tar.xz
6cfabadbaf15a27988a11e811e9eabb20077b4ff gnupg-w32-2.3.8_20221013.exe

  • List of Release Signing Keys:

To guarantee that a downloaded GnuPG version has not been tampered by malicious entities we provide signature files for all tarballs and binary versions. The keys are also signed by the long term keys of their respective owners. Current releases are signed by one or more of these four keys:

rsa3072 2017-03-17 [expires: 2027-03-15] 5B80 C575 4298 F0CB 55D8 ED6A BCEF 7E29 4B09 2E28 Andre Heinecke (Release Signing Key)

ed25519 2020-08-24 [expires: 2030-06-30] 6DAA 6E64 A76D 2840 571B 4902 5288 97B8 2640 3ADA Werner Koch (dist signing 2020)

ed25519 2021-05-19 [expires: 2027-04-04] AC8E 115B F73E 2D8D 47FA 9908 E98E 9B2D 19C6 C8BD Niibe Yutaka (GnuPG Release Key)

brainpoolP256r1 2021-10-15 [expires: 2029-12-31] 02F3 8DFF 731F F97C B039 A1DA 549E 695E 905B A208 GnuPG.com (Release Signing Key 2021)
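The integrity checks described above, worked through in POSIX sh as an added example (not from the GnuPG announcement or the BLFS book): it compares a file's SHA-1 with a published digest and, for the signature check, reads gpg's machine-readable --status-fd output and succeeds only when the VALIDSIG fingerprint matches one of the four release signing keys listed above, so a "Good signature" made by some other key is rejected rather than eyeballed. The fingerprints are those quoted in the announcement; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example: verify a downloaded GnuPG release as the announcement
# describes, but check the signer's fingerprint in code rather than by eye.
# Not part of the GnuPG announcement or the BLFS book.

# Release signing key fingerprints listed in the announcement (spaces removed).
RELEASE_KEYS="5B80C5754298F0CB55D8ED6ABCEF7E294B092E28
6DAA6E64A76D2840571B4902528897B826403ADA
AC8E115BF73E2D8D47FA9908E98E9B2D19C6C8BD
02F38DFF731FF97CB039A1DA549E695E905BA208"

# Succeed if the fingerprint (spaces and case ignored) is a listed release key.
fingerprint_allowed() {
    key=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    printf '%s\n' "$RELEASE_KEYS" | grep -qx "$key"
}

# Read "gpg --status-fd" output on stdin. Succeed only if it carries a VALIDSIG
# line whose signing-key ($3) or primary-key (last field) fingerprint is listed.
# A "Good signature" from an unlisted key, or a BADSIG, therefore fails.
signer_is_release_key() {
    fprs=$(awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; print $NF; exit }')
    [ -n "$fprs" ] || return 1
    for fpr in $fprs; do
        fingerprint_allowed "$fpr" && return 0
    done
    return 1
}

# SHA-1 of a file via sha1sum or, where only it exists, shasum (as in the text).
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1"
    else
        shasum -a 1 "$1"
    fi | awk '{ print $1 }'
}

# Succeed if the file's SHA-1 equals the digest published for it.
check_sha1() {
    [ "$(sha1_of "$1")" = "$2" ]
}

# Full check: usage  verify_release gnupg-2.3.8.tar.bz2 gnupg-2.3.8.tar.bz2.sig
# Status lines go to stdout (--status-fd 1); the human-readable text is dropped.
verify_release() {
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null | signer_is_release_key
}
```

Run check_sha1 against the digest line for the tarball you fetched, then verify_release; both must succeed before the tarball is unpacked.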

Change History (2)

comment:1 by ken@…, 19 months ago

Description: modified (diff)
Owner: changed from ken@… to blfs-book
Priority: elevated → normal
Status: assigned → new

Since we use separate libksba and are already at 1.6.2, for us this is not a vulnerability fix - relinquishing the ticket.

comment:2 by Bruce Dubbs, 18 months ago

Resolution: duplicate
Status: new → closed

Duplicate of #17180
