Subject: CVS commit: [pkgsrc-2006Q1] pkgsrc/security/gnupg
To: None <>
From: Soren Jacobsen <>
List: pkgsrc-changes
Date: 06/25/2006 08:58:14
Module Name:	pkgsrc
Committed By:	snj
Date:		Sun Jun 25 08:58:14 UTC 2006

Modified Files:
	pkgsrc/security/gnupg [pkgsrc-2006Q1]: Makefile PLIST distinfo
	pkgsrc/security/gnupg/patches [pkgsrc-2006Q1]: patch-aa patch-ak
Added Files:
	pkgsrc/security/gnupg/patches [pkgsrc-2006Q1]: patch-ba

Log Message:
Pullup ticket 1709 - requested by salo
security update for gnupg

Revisions pulled up:
- pkgsrc/security/gnupg/Makefile		1.83, 1.86
- pkgsrc/security/gnupg/PLIST			1.16
- pkgsrc/security/gnupg/distinfo		1.39, 1.40
- pkgsrc/security/gnupg/		1.6, 1.7
- pkgsrc/security/gnupg/patches/patch-aa	1.11
- pkgsrc/security/gnupg/patches/patch-ak	1.3
- pkgsrc/security/gnupg/patches/patch-ba	1.1

   Module Name:    pkgsrc
   Committed By:   wiz
   Date:           Tue Apr  4 21:16:37 UTC 2006

   Modified Files:
           pkgsrc/security/gnupg: Makefile PLIST distinfo
           pkgsrc/security/gnupg/patches: patch-aa patch-ak

   Log Message:
   Update to 1.4.3:

   Noteworthy changes in version 1.4.3 (2006-04-03)

       * If available, cURL-based keyserver helpers are built that can
         retrieve keys using HKP or any protocol that cURL supports
         (HTTP, HTTPS, FTP, FTPS, etc).  If cURL is not available, HKP
         and HTTP are still supported using a built-in cURL emulator.  To
         force building the old pre-cURL keyserver helpers, use the
         configure option --enable-old-keyserver-helpers.  Note that none
         of this affects finger or LDAP support, which are unchanged.
         Note also that a future version of GnuPG will remove the old
         keyserver helpers altogether.

       * Implemented Public Key Association (PKA) signature verification.
         This uses special DNS records and notation data to associate a
         mail address with an OpenPGP key to prove that mail coming from
         that address is legitimate without the need for a full trust
         path to the signing key.

       * When exporting subkeys, those specified with a key ID or
         fingerpint and the '!' suffix are now merged into one keyblock.

       * Added "gpg-zip", a program to create encrypted archives that can
         interoperate with PGP Zip.

       * Added support for signing subkey cross-certification "back
         signatures".  Requiring cross-certification to be present is
         currently off by default, but will be changed to on by default
         in the future, once more keys use it.  A new "cross-certify"
         command in the --edit-key menu can be used to update signing
         subkeys to have cross-certification.

       * The key cleaning options for --import-options and
         --export-options have been further polished.  "import-clean" and
         "export-clean" replace the older
         import-clean-sigs/import-clean-uids and
         export-clean-sigs/export-clean-uids option pairs.

       * New "minimize" command in the --edit-key menu removes everything
         that can be removed from a key, rendering it as small as
         possible.  There are corresponding "export-minimal" and
         "import-minimal" commands for --export-options and

       * New --fetch-keys command to retrieve keys by specifying a URI.
         This allows direct key retrieval from a web page or other
         location that can be specified in a URI.  Available protocols
         are HTTP and finger, plus anything that cURL supplies, if built
         with cURL support.

       * Files containing several signed messages are not allowed any
         longer as there is no clean way to report the status of such
         files back to the caller.  To partly revert to the old behaviour
         the new option --allow-multisig-verification may be used.

       * The keyserver helpers can now handle keys in either ASCII armor
         or binary format.

       * New auto-key-locate option that takes an ordered list of methods
         to locate a key if it is not available at encryption time (-r or
         --recipient).  Possible methods include "cert" (use DNS CERT as
         per RFC2538bis, "pka" (use DNS PKA), "ldap" (consult the LDAP
         server for the domain in question), "keyserver" (use the
         currently defined keyserver), as well as arbitrary keyserver
         URIs that will be contacted for the key.

       * Able to retrieve keys using DNS CERT records as per RFC-2538bis
         (currently in draft):

   pkgsrc change:
   make architecture-specific options really architecture-specific.
   Module Name:    pkgsrc
   Committed By:   drochner
   Date:           Wed Apr  5 10:04:12 UTC 2006

   Modified Files:

   Log Message:
   --with-libcurl is on per default, so revert the logics
   (no functional change, just more effective because a compile check
   is skipped)
   Module Name:    pkgsrc
   Committed By:   salo
   Date:           Sat Jun 24 14:20:29 UTC 2006

   Modified Files:
           pkgsrc/security/gnupg: Makefile distinfo
   Added Files:
           pkgsrc/security/gnupg/patches: patch-ba

   Log Message:
   Security fix for CVE-2006-3082:

   "parse-packet.c in GnuPG (gpg) 1.4.3 and 1.9.20, and earlier versions,
    allows remote attackers to cause a denial of service (gpg crash) and
    possibly overwrite memory via a message packet with a large length,
    which could lead to an integer overflow, as demonstrated using the
    --no-armor option."

   Patch from GnuPG CVS repository.

To generate a diff of this commit:
cvs rdiff -r1.82 -r1.82.2.1 pkgsrc/security/gnupg/Makefile
cvs rdiff -r1.15 -r1.15.8.1 pkgsrc/security/gnupg/PLIST
cvs rdiff -r1.38 -r1.38.2.1 pkgsrc/security/gnupg/distinfo
cvs rdiff -r1.5 -r1.5.4.1 pkgsrc/security/gnupg/
cvs rdiff -r1.10 -r1.10.10.1 pkgsrc/security/gnupg/patches/patch-aa
cvs rdiff -r1.2 -r1.2.10.1 pkgsrc/security/gnupg/patches/patch-ak
cvs rdiff -r0 -r1.1.2.1 pkgsrc/security/gnupg/patches/patch-ba

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.