[Gpg4win-users-en] Security hole discovered with GnuPG

Sorin Srbu sorin.srbu at orgfarm.uu.se
Fri Dec 15 14:28:07 CET 2006

Werner Koch <mailto:wk at gnupg.org> wrote on Friday, December 15, 2006 2:14 PM:

>> A few days ago it was reported that GnuPG had a hole in it or something. I
>> don't know if a patch has been released yet, but when it does, will
>> Gpg4win be 
> You mean CVE-2006-6235?  This was the reason we release 1.0.8 more
> than a week ago.  There was also an announcement to the gpg4win
> announce list:

I believe it was. I must've subbed to this list just after the announce. 8-)

> (en) Fixed a serious and exploitable GnuPG bug in processing encrypted
>      packages. [CVE-2006-6235]
> (en) Fixed a buffer overflow occuring when using gpg in interactive
>      mode on the command line. [CVE-2006-6169]
> You better update gpg4win instead of using the standalong gnupg
> version.  It should work two but it has not tested.


I dowloaded the gpg4win-package (with GnuPg v1.4.6) just a few days before the
message was announced at our university. Wasn't sure v1.4.6 was the fixed
version or not.

Anyway, this is the version I have, so I'm probably fixed by having installed
GPG4win v1.0.8.


More information about the Gpg4win-users-en mailing list