On Fri, Aug 8, 2014 at 12:17 PM, Werner Koch <w...@gnupg.org> wrote: > Hi! > > While evaluating the "Get Your Hands Off My Laptop" [1] paper I missed > to describe [2] a software combination which has not been fixed and is > thus vulnerable to the attack described by the paper. If you are using > a GnuPG version with a *Libgcrypt version < 1.6.0*, it is possible to > mount the described side-channel attack on Elgamal encryption subkeys. > To check whether you are using a vulnerable Libgcrypt version, enter > > gpg2 --version > > on the command line; the second line of the output gives the Libgcrypt > version: > > gpg (GnuPG) 2.0.25 > libgcrypt 1.5.3 > > In this example Libgcrypt is vulnerable. If you see 1.6.0 or 1.6.1 you > are fine. GnuPG versions since 1.4.16 are not affected because they do > not use Libgcrypt.
Does this vulnerability apply to gpg4win users? There's been no gpg4win updates since October of 2013 and there have been several updates of GnuPG since then. I am somewhat concerned. Is there any information about when an update for Windows users might be released? Cheers! -Pete -- Pete Stephenson _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
