Re: [Announce] [security fix] Libgcrypt and GnuPG

2014-08-22 Thread Branko Majic
On Mon, 11 Aug 2014 10:21:55 +0200 Werner Koch wrote: > On Sat, 9 Aug 2014 22:52, bra...@majic.rs said: > > > Skimming through the description, does it mean that users with OpenPGP > > cards should be impervious to this attack? Can the attack be used to > > leak symmetric keys during the GnuPG

Re: [Announce] [security fix] Libgcrypt and GnuPG

2014-08-12 Thread Werner Koch
On Tue, 12 Aug 2014 22:42, r...@sixdemonbag.org said: > I would also add the Qt pinentry plugin to this. The native Win32 one > looks completely awful. If someone could point me at an API, I'd give Actually this was a hack to use GnuPG on WindowsCE while we are waiting for the Qt guys to finish t

Re: [Announce] [security fix] Libgcrypt and GnuPG

2014-08-12 Thread Robert J. Hansen
FWIW, I never use anything other than gnupg out of the installer. The file system tools have never worked for me, and some of them don't even work on 64 bit systems. That's not a criticism, I know how open source works. :) My point is simply that if you have limited resources in my opinion the h

Re: [Announce] [security fix] Libgcrypt and GnuPG

2014-08-12 Thread Doug Barton
On 08/09/2014 01:49 AM, Werner Koch wrote: On Sat, 9 Aug 2014 01:24, p...@heypete.com said: The GPG4Win folks are gearing up for a new release this August. Excellent. I look forward to it. The problem with gpg4win is that it is hard to build in particular the KDE stuff can't be easily cros

Re: [Announce] [security fix] Libgcrypt and GnuPG

2014-08-11 Thread Jerry
On Mon, 11 Aug 2014 11:21:32 +, KA IT User stated: > please remove us from the mailing list. We are no longer using GnuPG in > our company. Please try and follow the directions. List-Unsubscribe: ,

Re: AW: [Announce] [security fix] Libgcrypt and GnuPG

2014-08-11 Thread Werner Koch
On Mon, 11 Aug 2014 13:21, e...@kommunalkredit.at said: > please remove us from the mailing list. We are no longer using GnuPG in our > company. What about visiting the URL shown as last line of each mail sent through this mailing list? Or looking into the list mail headers? Shalom-Salam,

AW: [Announce] [security fix] Libgcrypt and GnuPG

2014-08-11 Thread KA IT User
; info-...@gnu.org Subject: [Announce] [security fix] Libgcrypt and GnuPG Hi! While evaluating the "Get Your Hands Off My Laptop" [1] paper I missed to describe [2] a software combination which has not been fixed and is thus vulnerable to the attack described by the paper. If you a

Re: [Announce] [security fix] Libgcrypt and GnuPG

2014-08-11 Thread Werner Koch
Hi, [94 lines of full quote deleted - pretty please strip quote to what is needed. I nearly missed your question] On Sat, 9 Aug 2014 22:52, bra...@majic.rs said: > Skimming through the description, does it mean that users with OpenPGP > cards should be impervious to this attack? Can the attac

Re: [Announce] [security fix] Libgcrypt and GnuPG

2014-08-09 Thread Branko Majic
On Fri, 08 Aug 2014 12:17:06 +0200 Werner Koch wrote: > Hi! > > While evaluating the "Get Your Hands Off My Laptop" [1] paper I missed > to describe [2] a software combination which has not been fixed and is > thus vulnerable to the attack described by the paper. If you are using > a GnuPG vers

Re: [Announce] [security fix] Libgcrypt and GnuPG

2014-08-09 Thread Pete Stephenson
On Sat, Aug 9, 2014 at 10:49 AM, Werner Koch wrote: > On Sat, 9 Aug 2014 01:24, p...@heypete.com said: > >>> The GPG4Win folks are gearing up for a new release this August. >> >> Excellent. I look forward to it. > > The problem with gpg4win is that it is hard to build in particular the > KDE stuf

Re: [Announce] [security fix] Libgcrypt and GnuPG

2014-08-09 Thread Werner Koch
On Sat, 9 Aug 2014 01:24, p...@heypete.com said: >> The GPG4Win folks are gearing up for a new release this August. > > Excellent. I look forward to it. The problem with gpg4win is that it is hard to build in particular the KDE stuff can't be easily cross compiled. It is quite some work to main

Re: [Announce] [security fix] Libgcrypt and GnuPG

2014-08-08 Thread Pete Stephenson
On Fri, Aug 8, 2014 at 11:44 PM, Samir Nassar wrote: > On Friday, 2014-08-08 23:34:30 Pete Stephenson wrote: >> Does this vulnerability apply to gpg4win users? > > It should, since the issues the GnuPG update addresses come after the latest > release of GPG4Win. I assumed as such, but it's good

Re: [Announce] [security fix] Libgcrypt and GnuPG

2014-08-08 Thread Samir Nassar
On Friday, 2014-08-08 23:34:30 Pete Stephenson wrote: > Does this vulnerability apply to gpg4win users? It should, since the issues the GnuPG update addresses come after the latest release of GPG4Win. > There's been no gpg4win updates since October of 2013 and there have > been several updates

Re: [Announce] [security fix] Libgcrypt and GnuPG

2014-08-08 Thread Pete Stephenson
On Fri, Aug 8, 2014 at 12:17 PM, Werner Koch wrote: > Hi! > > While evaluating the "Get Your Hands Off My Laptop" [1] paper I missed > to describe [2] a software combination which has not been fixed and is > thus vulnerable to the attack described by the paper. If you are using > a GnuPG version

[Announce] [security fix] Libgcrypt and GnuPG

2014-08-08 Thread Werner Koch
Hi! While evaluating the "Get Your Hands Off My Laptop" [1] paper I missed to describe [2] a software combination which has not been fixed and is thus vulnerable to the attack described by the paper. If you are using a GnuPG version with a *Libgcrypt version < 1.6.0*, it is possible to mount the