Kevin J. McCarthy
2018-06-08 23:28:36 UTC
Hi Mutt Users,

GnuPG just released an important security fix involving injection into
the status-fd channel. The details are at
<https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html>.

If you are using the suggested values in contrib/gpg.rc, it should NOT
be necessary to switch to using GPGME (despite what they said in their
email).

Specifically make sure you have "--no-verbose" in $pgp_decode_command,
$pgp_verify_command, and $pgp_decrypt_command.

There are a couple other (non-critical) issues Marcus Brinkmann found
and reported to Mutt. They are mitigated by the new GnuPG release, and
by fixes in Mutt's stable branch. I will release a new stable version
in the next couple weeks.

-Kevin
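
One way to check a muttrc for the flag named in the message above, as an added example that is not part of the original message or of Mutt. The parser and the sample configuration are constructed for illustration; it assumes one variable per `set` line and that a later `set` of the same variable overrides an earlier one.

```python
import re

# The three variables the message says must carry --no-verbose.
REQUIRED = ("pgp_decode_command", "pgp_verify_command", "pgp_decrypt_command")
SET_RE = re.compile(r"^\s*set\s+(\w+)\s*=\s*(.*)$")

def logical_lines(text):
    """Join muttrc lines that end in a backslash continuation."""
    buf = ""
    for raw in text.splitlines():
        if raw.endswith("\\"):
            buf += raw[:-1]
            continue
        yield buf + raw
        buf = ""
    if buf:
        yield buf

def audit_muttrc(text):
    """Map each required variable to 'ok', 'missing --no-verbose' or 'not set'."""
    last = {}
    for line in logical_lines(text):
        if line.lstrip().startswith("#"):
            continue  # a commented-out setting does not count
        m = SET_RE.match(line)
        if m and m.group(1) in REQUIRED:
            # Assumption: the last assignment in the file is the effective one.
            last[m.group(1)] = m.group(2).strip().strip("\"'")
    report = {}
    for name in REQUIRED:
        if name not in last:
            report[name] = "not set"
        elif "--no-verbose" in last[name].split():
            report[name] = "ok"
        else:
            report[name] = "missing --no-verbose"
    return report

# Constructed sample configuration, not a copy of contrib/gpg.rc.
SAMPLE = r'''
# set pgp_decode_command="gpg --status-fd=2 --no-verbose --batch --output - %f"
set pgp_decode_command="gpg --status-fd=2 --quiet --batch --output - %f"
set pgp_verify_command="gpg --status-fd=2 --no-verbose --quiet \
  --batch --output - --verify %s %f"
'''

if __name__ == "__main__":
    for name, status in audit_muttrc(SAMPLE).items():
        print(f"{name}: {status}")
```

A "not set" result only means the variable was not found in the text given; it may be set in another file that the muttrc sources.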