[Gpg4win-users-en] When will the latest version of Gpg4win be patched with security fixes?
Kosuke Kaizuka
cai.0407 at gmail.com
Mon Aug 4 17:11:41 CEST 2014
On Mon, 04 Aug 2014 16:59:35 +0200, Andre Heinecke wrote:
> Hi,
>
> On Monday, August 04, 2014 - KW 32 09:54:00 PM Kosuke Kaizuka wrote:
>> On Mon, 04 Aug 2014 11:57:35 +0800, Chris Marlow wrote:
>>
>>>> GNU TLS is not GnuPG
>>>
>>> gpg4win does use gnutls libraries, doesn't it?
>>
>> Yes, Gpg4win includes gnutls as a TLS library.
>>
>> Gpg4win 2.2.1 includes gnutls 2.12.21! (released in November 2012)
>> The current latest gnutls 2.12 branch is 2.12.23 (released in February
>> 2013), and patches are available for GNUTLS-SA-2013-2, GNUTLS-SA-2014-1,
>> GNUTLS-SA-2014-2,
>
> I've updated gpg4win accordingly.
> http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=commit;h=b45aa3eaa3fa433bc3368ea2ebdf26cff4d19a92
>
>> but not available for GNUTLS-SA-2014-3.
>
> I've taken the patch from the ubuntu gnutls package for GNUTLS-SA-2014-3
> (CVE-2014-3466)
> http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=blob;f=patches/gnutls-2.12.23/05-cve-2014-3466.patch;h=58af165b2400c0d335777c78dd6e517455894e8e;hb=b45aa3eaa3fa433bc3368ea2ebdf26cff4d19a92
Thank you for the quick response and commit (especially for the patch for
GNUTLS-SA-2014-3).
> We are still making some new releases / ironing out some problems but you can
> expect a binary release (at least a beta) soon.
I'm looking forward to testing the new beta :)
--
Kosuke Kaizuka <cai.0407 at gmail.com>