[Gpg4win-users-en] When will the latest version of Gpg4win be patched with security fixes?
Andre Heinecke
aheinecke at intevation.de
Mon Aug 4 16:59:35 CEST 2014
Hi,
On Monday, August 04, 2014 - KW 32 09:54:00 PM Kosuke Kaizuka wrote:
> On Mon, 04 Aug 2014 11:57:35 +0800, Chris Marlow wrote:>
>
> >> GNU TLS is not GnuPG
> >
> > gpg4win does use gnutls libraries, doesn't it?
>
> Yes, Gpg4win includes gnutls as a TLS library.
>
> Gpg4win 2.2.1 includes gnutls 2.12.21! (released on November 2012)
> Current latest gnutls 2.12 branch is 2.12.23 (released on February
> 2013), and patches are available for GNUTLS-SA-2013-2, GNUTLS-SA-2014-1,
> GNUTLS-SA-2014-2,
I've update gpg4win accordingly.
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=commit;h=b45aa3eaa3fa433bc3368ea2ebdf26cff4d19a92
> but not available for GNUTLS-SA-2014-3.
I've taken the patch from the ubuntu gnutls package for GNUTLS-SA-2014-3
(CVE-2014-3466)
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=blob;f=patches/gnutls-2.12.23/05-cve-2014-3466.patch;h=58af165b2400c0d335777c78dd6e517455894e8e;hb=b45aa3eaa3fa433bc3368ea2ebdf26cff4d19a92
We are still making some new releases / ironing out some problems but you can
expect a binary release (at least a beta) soon.
Please let me know if I've missed a patch / vulnerability.
Best regards,
Andre
--
Andre Heinecke | ++49-541-335083-262 | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
More information about the Gpg4win-users-en
mailing list