On 19/08/14 21:52, Ludwig Hügelschäfer wrote:
> Ack. They use the build system from homebrew. They update recipes from
> time to time, but their releases normally go only with major Mac OS X
> updates (e.g. 10.8 -> 10.9), as in last October with 2.0.22. Their
> main target is the gpg-plugin for Apple mail, I think.

So apparently they're not too worried about the DoS fixed in 2.0.24. And
libgcrypt 1.6.0, which succeeds a version vulnerable to "Get Your Hands
Off My Laptop" if I'm not mistaken, was released in December. I'd hazard
a guess that they ship a vulnerable 1.5.x version. So everybody: hands
off the Mac! ;)

I think that you should only build or fork software[1] when you're
willing to provide the service of security fixes to your users, or
clearly indicate this is out of your scope.

Do they provide security support? I think the libgcrypt one might
warrant a fix. A DoS is just annoying.

Peter.

[1] Especially security software

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>