What's New in 2.0.22
====================
* Fixed possible infinite recursion in the compressed packet
parser. [CVE-2013-4402]
* Improved support for some card readers.
* Prepared building with the forthcoming Libgcrypt 1.6.
* Protect against rogue keyservers sending secret keys.
Impact of the security problem
==============================
Special crafted input data may be used to cause a denial of service
against GPG (GnuPG's OpenPGP part) and some other OpenPGP
implementations. All systems using GPG to process incoming data are
affected.
Taylor R. Campbell invented a neat trick to generate OpenPGP packages
to force GPG to recursively parse certain parts of OpenPGP messages ad
infinitum. As a workaround a tight "ulimit -v" setting may be used to
mitigate the problem. Sample input data to trigger this problem has
not yet been seen in the wild. Details of the attack will eventually
be published by its inventor.
A fixed release of the GnuPG 1.4 series has also been released.
An updated vesion of gpg4win will be released next week.
Signed-off-by: Jack Nagel <jacknagel@gmail.com>
We disable building the agent program and provide it as a separate
gpg-agent package so that gnupg 1.x can use it as well. However, gpg2
still tries to find the agent in its own keg if it isn't already
running; that is, if the user hasn't done something like
eval $(gpg-agent --daemon)
Using --with-agent-pgm, we can tell gpg2 to look in HOMEBREW_PREFIX/bin
for the agent instead.
Signed-off-by: Jack Nagel <jacknagel@gmail.com>
gnupg2 is designed coexist with gnupg 1.x. The formula contains a patch
to keep things like documentation and language data from conflicting
with gnupg 1.x by namespacing everything as 'gnupg2'.
gpg-agent is currently an external package in Homebrew, as it can also
be used with gnupg 1.x; so in the formula we disable building the agent
and declare a dependency on it instead.
Signed-off-by: Jack Nagel <jacknagel@gmail.com>
Jack Nagel
Adam Vandenberg
Matt Sicker
Mike Tigas
Travis Johnson