Update Your GPG

If you use GPG, the free PGP replacement, you need to update your software to v1.4.2.2 due to a huge security hole that allows injection of unsigned data. Tavis Ormandy discovered the problem and reported it to the developers.

In summary, "Signature verification of non-detached signatures may give a positive result but when extracting the signed data, this data may be prepended or appended with extra data not covered by the signature. Thus it is possible for an attacker to take any signed message and inject extra arbitrary data."

Read the technical nitty gritty here, and get the latest version here.

