ANN: A new version (0.4.4) of python-gnupg has been released. It contains a security-related change - please update to this version

22 views

Skip to first unread message

Vinay Sajip

unread,

Jan 24, 2019, 4:55:17 AM1/24/19

to python-gnupg

What Changed?

=============

This is an enhancement and security-fix release, and all users are strongly

encouraged to upgrade.

Brief summary:

* Fixed #108: Changed how any return value from the on_data callable is

processed. In earlier versions, the return value was ignored. In this version,

if the return value is False, the data received from gpg is not

buffered. Otherwise (if the value is None or True, for example), the

data is buffered as normal. This functionality can be used to do your own

buffering, or to prevent buffering altogether.

The on_data callable is also called once with an empty byte-string to

signal the end of data from gpg.

* Fixed #97: Added an additional attribute check_fingerprint_collisions to

GPG instances, which defaults to False. It seems that gpg is happy

to have duplicate keys and fingerprints in a keyring, so we can't be too

strict. A user can set this attribute of an instance to True to trigger a

check for collisions.

* Fixed #111: With GnuPG 2.2.7 or later, provide the fingerprint of a signing

key for a failed signature verification, if available.

* Fixed #21: For verification where multiple signatures are involved, a

mapping of signature_ids to fingerprint, keyid, username, creation date,

creation timestamp and expiry timestamp is provided.

* Added a check to disallow certain control characters ('\r', '\n', NUL) in

passphrases. This fix mitigates against CVE-2019-6690.

This release [2] has been signed with my code signing key:

Vinay Sajip (CODE SIGNING KEY) <vinay_sajip at yahoo.co.uk>

Fingerprint: CA74 9061 914E AC13 8E66 EADB 9147 B477 339A 9B86

Recent changes to PyPI don't show the GPG signature with the download links.

An alternative download source where the signatures are available is the project's

own downloads page [4].

As always, your feedback is most welcome (especially bug reports [3],

patches and suggestions for improvement, or any other points via this group).

Enjoy!

Cheers

Vinay Sajip

Red Dove Consultants Ltd.

[1] https://bitbucket.org/vinay.sajip/python-gnupg

[2] https://pypi.python.org/pypi/python-gnupg/0.4.4

[3] https://bitbucket.org/vinay.sajip/python-gnupg/issues

[4] https://bitbucket.org/vinay.sajip/python-gnupg/downloads/

Reply all

Reply to author

Forward

0 new messages