Mailing List Archive

Maintenance release for GnuPG 1.2.x

I am pleased to announce a security update to the 1.2 series of
GnuPG: Version 1.2.8.

The 1.2.x series has reached end of life status about 2 years ago.
However, I make an update available for the sake of those who can't
migrate to 1.4. There is no guarantee that all problems are solved in
1.2 - it is in general better to migrate to the activly maintained 1.4

You will find that version as well as corresponding signatures at the
usual place (

Noteworthy changes in version 1.2.8 (2006-12-07)

Backported security fixes. Note, that the 1.2.x series has
reached end of life status. You should migrate to 1.4.x.

* Fixed a serious and exploitable bug in processing encrypted
packages. [CVE-2006-6235].

* Fixed a buffer overflow in gpg. [bug#728, CVE-2006-6169]

* User IDs are now capped at 2048 bytes. This avoids a memory
allocation attack [CVE-2006-3082].

* Added countermeasures against the Mister/Zuccherato CFB attack

Happy Hacking,


Werner Koch <>
The GnuPG Experts
Join the Fellowship and protect your Freedom!