CVE-2012-6085 vulnerability
Will there be a release that fixes CVE-2012-6085 soon? It is a critical keyring and memory corruption bug.
http://seclists.org/bugtraq/2012/Dec/151
GPG 1.* can be fixed by upgrading to GnuPG 1.4.13 or applying this patch: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=patch;h=f795a...
GPG 2.* can be fixed by using the latest version in git or applying this patch: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=patch;h=49888...
http://www.debian.org/security/2013/dsa-2601
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6085
Support Staff 1 Posted by Luke Le on 09 Jan, 2013 11:45 PM
Hi Andy,
if everything goes as planned we'll release a nightly build with the patch applied tomorrow or the day after, and after a short testing period an official one.
Since we will probably get rid of gpg 1.x, I'm not sure we'll update that, but will have to discuss it first.
P.S.: Are there plans to make Stripe available for European vendors anytime soon? Can't wait to get rid of effin PayPal.
2 Posted by Andy on 10 Jan, 2013 12:09 AM
Glad to hear it. Is there somewhere I can sign up to be notified of new releases?
Yep, we're actively working on an EU launch, but we don't have any public timeline yet. I assume you've seen https://stripe.com/global.
Support Staff 3 Posted by Luke Le on 10 Jan, 2013 12:13 AM
Currently it's best to follow our Twitter account https://twitter.com/GPGTools
We've used mailing lists in the past but due to inactivity felt that was no longer a good medium.
@Stripe: Hehe, yeah, registered about a year ago or so.
Support Staff 4 Posted by Luke Le on 10 Jan, 2013 11:56 PM
Hi Andy,
as promised, there's a nightly version now which has the patch included.
You can download it from https://nightly.gpgtools.org
If the date of the .dmg doesn't say 10th of January, our cache is not yet renewed. In that case, please use curl to download the dmg with:
5 Posted by Andy on 15 Jan, 2013 10:32 PM
Great, thanks a lot. Any sense of when a new full release will happen?
Support Staff 6 Posted by Steve on 18 Jan, 2013 04:54 PM
Not really. We are aware that this is getting late. And we are at it. Sorry this is taking so long.
Steve closed this discussion on 31 Jan, 2013 03:10 PM.