Hi everyone,
I've prepared an upload for LTS to fix the following issues:
* Avoid infinite loop in incompressing garbled packets.
* Fix for CVE-2014-5270: side-channel attacks on Elgamal encryption
subkeys.
* Filter responses from keyservers to ensure that only keys that were
requested are actually imported.
As gnupg is a fairly important package, I'd appreciate it if a couple of
other people could give it a whirl. The packages are available from:
http://people.debian.org/~mpalmer/gnupg/
I've signed the .dsc and .changes with my Debian key, so you can verify that
they're legit. I've only got amd64 packages up there; if you're running
i386, I assume you know how to build your own.
I'm intending on uploading the package at 2014-09-13 0000 GMT (a little over
24 hours from the time I'm writing this message) unless I get some sort of
indication that the package is not behaving appropriately. So, if you do
find any regressions, or you can still reproduce any of the above issues
with the fixed packages, please let me know before then.
- Matt
Attachment:
signature.asc
Description: Digital signature