Forum: help-en
RE: Libgcrypt vulnerability
By: Bernhard Reiter on 2021-02-02 08:24
No, Gpg4win 3.1.15 is fine (and not affected)
because it uses the libgcrypt version 1.8.7.
It contains GnuPG 2.2.27
(The file packages.current from the git tag "gpg4win-3.1.15" has the precise versions used for the build:
and GnuPG 2.2.27 was released before libgcrypt 1.9.0 (the vulnerable version).
It still needs the 1.8.x version of libgcrypt configure.ac:NEED_LIBGCRYPT_VERSION=1.8.0)
You can see the used version in https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg-doc.git;a=blob;f=web/swdb.mac;h=785ca556a4649bbe81ba8e91cf156d620f65f036;hb=7da27041da50080720a58b4cbb2dc972a0e8481f
PS: The news article is very short and thus does not report on the detail that it usually takes a while until a new major version of a library is picked up and goes into production. As the fix was coming within a few days and was in a library, we believe that the window of exposure was (fortunately) limited and did not affect many installations.
Libgcrypt vulnerability
By: Mark W on 2021-02-01 19:44
After reading this article, I was wondering: is GPG4Win 3.1.15 affected? If so, can we just copy over the updated file?