#12248: gnupg-2.2.17
-------------------------+-----------------------
 Reporter:  ken@…        |      Owner:  blfs-book
     Type:  enhancement  |     Status:  new
 Priority:  high         |  Milestone:  9.0
Component:  BOOK         |    Version:  SVN
 Severity:  normal       |   Keywords:
-------------------------+-----------------------
This mitigates the recent DoS from certificate-flooding the keyservers, CVE-2019-13050
See e.g. [https://access.redhat.com/articles/4264021]

From that article, mitigations as per upstream:

  As per upstream:
  High-risk users should stop using the key server network immediately.
  Open ~/.gnupg/gpg.conf in a text editor. Ensure there is no line
  starting with keyserver. If there is, remove it.
  Open ~/.gnupg/dirmngr.conf in a text editor. Add the line
  keyserver hkps://keys.openpgp.org to the end of it.

- - -

I'm unclear if we ought to be modifying our install (do we need to run
dirmngr as a daemon?) or our instructions for configuring it - I don't
have any ~/.gnupg/dirmngr.conf

Noteworthy changes in version 2.2.17
====================================

 * gpg: Ignore all key-signatures received from keyservers. This
   change is required to mitigate a DoS due to keys flooded with
   faked key-signatures. The old behaviour can be achieved by adding
     keyserver-options no-self-sigs-only,no-import-clean
   to your gpg.conf. [#4607]

 * gpg: If an imported keyblock is too large to be stored in the
   keybox (pubring.kbx) do not error out but fallback to an import
   using the options "self-sigs-only,import-clean". [#4591]

 * gpg: New command --locate-external-key which can be used to
   refresh keys from the Web Key Directory or via other methods
   configured with --auto-key-locate.

 * gpg: New import option "self-sigs-only".

 * gpg: In --auto-key-retrieve prefer WKD over keyservers. [#4595]

 * dirmngr: Support the "openpgpkey" subdomain feature from
   draft-koch-openpgp-webkey-service-07. [#4590]

 * dirmngr: Add an exception for the "openpgpkey" subdomain to the
   CSRF protection. [#4603]

 * dirmngr: Fix endless loop due to http errors 503 and 504. [#4600]

 * dirmngr: Fix TLS bug during redirection of HKP requests. [#4566]

 * gpgconf: Fix a race condition when killing components. [#4577]

Release-info: https://dev.gnupg.org/T4606

--
Ticket URL: <http://wiki.linuxfromscratch.org/blfs/ticket/12248>
BLFS Trac <http://wiki.linuxfromscratch.org/blfs>
Beyond Linux From Scratch
--
http://lists.linuxfromscratch.org/listinfo/blfs-book
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
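The two configuration edits quoted in the ticket (remove any keyserver line from gpg.conf, point dirmngr.conf at hkps://keys.openpgp.org), written up as an idempotent POSIX sh script. This is an added example for this page; it is not code from the ticket, the Red Hat article, GnuPG or the BLFS book. It assumes GnuPG 2.1 or later, where gpg starts dirmngr on demand and the keyserver option belongs in dirmngr.conf (which is why the article has you create that file), and it honours GNUPGHOME so it can be exercised against a throw-away directory. The hostname keyserver.example.org used in comments and tests is a constructed placeholder for whatever old keyserver a gpg.conf might name. Only the `apply` argument touches the real configuration; the functions by themselves make no changes unless called.

```shell
#!/bin/sh
# Added example (not from the ticket or GnuPG): apply the CVE-2019-13050
# keyserver mitigation to a GnuPG home directory.
#   1. gpg.conf must carry no active "keyserver ..." line
#   2. dirmngr.conf must name hkps://keys.openpgp.org as the keyserver
# Run as:  sh gnupg-keyserver-mitigation.sh apply
set -eu

GNUPGHOME="${GNUPGHOME:-${HOME:-.}/.gnupg}"
KEYSERVER_URL="hkps://keys.openpgp.org"          # from the ticket
KS_RE='^[[:space:]]*keyserver[[:space:]]'        # an active keyserver line
                                                 # (does not match keyserver-options)

# Remove every active "keyserver <url>" line from gpg.conf, keeping a .bak copy.
# Comments and unrelated options such as keyserver-options are preserved.
strip_gpg_keyserver() {
    conf="$GNUPGHOME/gpg.conf"
    [ -f "$conf" ] || return 0
    if grep -Eq "$KS_RE" "$conf"; then
        cp "$conf" "$conf.bak"
        # grep -v exits 1 when nothing is left to print; that is not an error here.
        grep -Ev "$KS_RE" "$conf.bak" > "$conf" || [ $? -eq 1 ]
    fi
}

# Make "keyserver $KEYSERVER_URL" the only active keyserver line in dirmngr.conf.
# Any other active keyserver line is commented out rather than deleted.
set_dirmngr_keyserver() {
    conf="$GNUPGHOME/dirmngr.conf"
    mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
    [ -f "$conf" ] || : > "$conf"
    if grep -Fxq "keyserver $KEYSERVER_URL" "$conf"; then
        return 0                                 # already done; stay idempotent
    fi
    if grep -Eq "$KS_RE" "$conf"; then
        cp "$conf" "$conf.bak"
        sed "s/$KS_RE/#&/" "$conf.bak" > "$conf"
    fi
    printf 'keyserver %s\n' "$KEYSERVER_URL" >> "$conf"
}

# Exit 0 when both edits are in place, 1 otherwise.
mitigation_applied() {
    if [ -f "$GNUPGHOME/gpg.conf" ] && grep -Eq "$KS_RE" "$GNUPGHOME/gpg.conf"; then
        return 1
    fi
    [ -f "$GNUPGHOME/dirmngr.conf" ] &&
        grep -Fxq "keyserver $KEYSERVER_URL" "$GNUPGHOME/dirmngr.conf"
}

# Exit 0 when the dotted version in $1 is 2.2.17 or newer, the first release
# whose default import behaviour drops third-party key-signatures from keyservers.
version_ge_2_2_17() {
    maj=${1%%.*}
    rest=${1#*.}
    min=${rest%%.*}
    case "$rest" in *.*) pat=${rest#*.} ;; *) pat=0 ;; esac
    pat=${pat%%[!0-9]*}                          # "17-beta" -> "17"
    if [ "$maj" -gt 2 ]; then return 0; fi
    if [ "$maj" -eq 2 ] && [ "$min" -gt 2 ]; then return 0; fi
    if [ "$maj" -eq 2 ] && [ "$min" -eq 2 ] && [ "${pat:-0}" -ge 17 ]; then return 0; fi
    return 1
}

apply_mitigation() {
    # First line of "gpg --version" is "gpg (GnuPG) X.Y.Z"; take the last field.
    v=$(gpg --version 2>/dev/null | awk 'NR==1{print $NF}')
    if ! version_ge_2_2_17 "${v:-0}"; then
        echo "warning: gpg ${v:-not found}; imports are only cleaned by default from 2.2.17" >&2
    fi
    strip_gpg_keyserver
    set_dirmngr_keyserver
    # Ask an already running dirmngr to re-read its config; harmless if none runs.
    command -v gpgconf >/dev/null 2>&1 && gpgconf --reload dirmngr || :
    echo "dirmngr keyserver set to $KEYSERVER_URL in $GNUPGHOME/dirmngr.conf"
}

case "${1:-}" in
    apply) apply_mitigation ;;
esac
```

The version check only covers the import-side half of the fix (the new self-sigs-only default in 2.2.17); the keyserver switch in dirmngr.conf is worthwhile on any 2.1+ install regardless of version, which is why the script still applies it and merely warns.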