#12248: gnupg-2.2.17
-------------------------+-----------------------
 Reporter:  ken@…        |      Owner:  blfs-book
     Type:  enhancement  |     Status:  new
 Priority:  high         |  Milestone:  9.0
Component:  BOOK         |    Version:  SVN
 Severity:  normal       |   Keywords:
-------------------------+-----------------------
 This mitigates the recent DoS from certificate-flooding the keyservers,
 CVE-2019-13050

 See e.g. [https://access.redhat.com/articles/4264021]

 From that article, mitigations as per upstream:

 As per upstream: High-risk users should stop using the key server network
 immediately.

 Open ~/.gnupg/gpg.conf in a text editor. Ensure there is no line starting
 with "keyserver". If there is, remove it.
 Open ~/.gnupg/dirmngr.conf in a text editor. Add the line
 "keyserver hkps://keys.openpgp.org" to the end of it.

  - - -
 I'm unclear if we ought to be modifying our install (do we need to run
 dirmngr as a daemon?) or our instructions for configuring it - I don't
 have any ~/.gnupg/dirmngr.conf



 Noteworthy changes in version 2.2.17
 ====================================

   * gpg: Ignore all key-signatures received from keyservers.  This
     change is required to mitigate a DoS due to keys flooded with
     faked key-signatures.  The old behaviour can be achieved by adding
       keyserver-options no-self-sigs-only,no-import-clean
     to your gpg.conf.  [#4607]

   * gpg: If an imported keyblock is too large to be stored in the
     keybox (pubring.kbx) do not error out but fall back to an import
     using the options "self-sigs-only,import-clean".  [#4591]

   * gpg: New command --locate-external-key which can be used to
     refresh keys from the Web Key Directory or via other methods
     configured with --auto-key-locate.

   * gpg: New import option "self-sigs-only".

   * gpg: In --auto-key-retrieve prefer WKD over keyservers.  [#4595]

   * dirmngr: Support the "openpgpkey" subdomain feature from
     draft-koch-openpgp-webkey-service-07. [#4590].

   * dirmngr: Add an exception for the "openpgpkey" subdomain to the
     CSRF protection.  [#4603]

   * dirmngr: Fix endless loop due to http errors 503 and 504.  [#4600]

   * dirmngr: Fix TLS bug during redirection of HKP requests.  [#4566]

   * gpgconf: Fix a race condition when killing components.  [#4577]

   Release-info: https://dev.gnupg.org/T4606

--
Ticket URL: <http://wiki.linuxfromscratch.org/blfs/ticket/12248>
BLFS Trac <http://wiki.linuxfromscratch.org/blfs>
Beyond Linux From Scratch
-- 
http://lists.linuxfromscratch.org/listinfo/blfs-book
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
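The mitigation quoted from the Red Hat article (drop any "keyserver" line from
gpg.conf, point dirmngr.conf at hkps://keys.openpgp.org) and the note in the
2.2.17 NEWS that "keyserver-options no-self-sigs-only,no-import-clean" restores
the flood-prone import behaviour are both plain config edits, so here is an
added example of auditing and applying them. This script is not part of the
ticket, the Red Hat article or GnuPG itself; the function names, the regexes
and the sample gpg.conf it constructs are this example's own assumptions. It
only rewrites files under a GnuPG home directory you pass in and never runs
gpg or dirmngr, so it can be exercised offline against a temporary directory.

```shell
#!/bin/sh
# Added example (not from the ticket, Red Hat or GnuPG): audit and rewrite a
# GnuPG home directory's gpg.conf / dirmngr.conf along the lines of the
# CVE-2019-13050 mitigation. Works only on files; never invokes gpg/dirmngr.

# Lines in gpg.conf that keep the SKS-style keyserver path open: a "keyserver"
# directive, or a "keyserver-options" line that re-enables the pre-2.2.17
# import behaviour (no-self-sigs-only / no-import-clean).
WEAK_RE='^[[:space:]]*(keyserver[[:space:]]|keyserver-options[[:space:]].*no-(self-sigs-only|import-clean))'

# audit_gpg_conf DIR: print offending gpg.conf lines; exit 0 if any were found,
# 1 if the file is clean or missing.
audit_gpg_conf() {
    conf="$1/gpg.conf"
    [ -f "$conf" ] || return 1
    grep -E "$WEAK_RE" "$conf"
}

# harden_gnupg_home DIR: strip the weak lines from gpg.conf (keeping every
# other directive) and make sure dirmngr.conf carries exactly one
# keys.openpgp.org line. Safe to run repeatedly.
harden_gnupg_home() {
    home="$1"
    ks="keyserver hkps://keys.openpgp.org"
    mkdir -p "$home" && chmod 700 "$home"
    if [ -f "$home/gpg.conf" ]; then
        # grep -v exits 1 when nothing survives; an empty file is still fine.
        grep -Ev "$WEAK_RE" "$home/gpg.conf" > "$home/gpg.conf.new" || true
        mv "$home/gpg.conf.new" "$home/gpg.conf"
    fi
    touch "$home/dirmngr.conf"
    # -x: whole-line match, -F: fixed string, so a partial match does not count.
    grep -qxF "$ks" "$home/dirmngr.conf" || printf '%s\n' "$ks" >> "$home/dirmngr.conf"
}

# count_dirmngr_keyservers DIR: number of keyserver directives in dirmngr.conf
# (expected to be exactly one after hardening).
count_dirmngr_keyservers() {
    grep -cE '^[[:space:]]*keyserver[[:space:]]' "$1/dirmngr.conf"
}

# make_sample_home DIR: constructed "before" state for demonstration: an SKS
# pool keyserver plus the old import behaviour re-enabled, next to an
# unrelated option that must survive the rewrite.
make_sample_home() {
    home="$1"
    mkdir -p "$home"
    cat > "$home/gpg.conf" <<'EOF'
# constructed sample gpg.conf (weak: still talks to the SKS pool)
keyserver hkps://hkps.pool.sks-keyservers.net
keyserver-options no-self-sigs-only,no-import-clean
keyid-format 0xlong
EOF
}

# Demo: ./harden.sh demo   (runs against a throwaway directory, not ~/.gnupg)
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_sample_home "$tmp"
    echo "before:"; audit_gpg_conf "$tmp"
    harden_gnupg_home "$tmp"
    echo "after:"; audit_gpg_conf "$tmp" || echo "(gpg.conf has no keyserver lines)"
    cat "$tmp/dirmngr.conf"
    rm -rf "$tmp"
fi
```

Run it against a copy of ~/.gnupg first and diff the result before touching
the real directory. The script does not start or restart dirmngr; it only
edits dirmngr.conf, which a freshly started dirmngr reads on its next launch.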