May 2023 - Announce - lists.sequoia-pgp.org

Sequoia sq: 0.30.1
by Neal H. Walfield 31 May '23

31 May '23

Hi everyone, I'm pleased to announce the release of version 0.30.1 of Sequoia sq, our general-purpose command-line tool for Sequoia PGP. I have published sequoia-sq on crates.io: https://crates.io/crates/sequoia-sq You can also fetch version 0.30.1 using the v0.30.1 tag: https://gitlab.com/sequoia-pgp/sequoia-sq/-/tags/v0.30.1 which I signed: $ git verify-tag v0.30.1 gpg: Signature made Wed May 31 10:58:07 2023 +02:00 gpg: using RSA key C03FA6411B03AE12576461187223B56678E02528 gpg: Good signature from "Neal H. Walfield <neal(a)walfield.org>" [ultimate] gpg: "Neal H. Walfield <neal(a)gnupg.org>" gpg: "Neal H. Walfield <neal(a)pep-project.org>" gpg: "Neal H. Walfield <neal(a)pep.foundation>" gpg: "Neal H. Walfield <neal(a)sequoia-pgp.org>" This release of sq was primarily motivated by the recently fixed, low-severity vulnerabilities in sequoia-openpgp, buffered-reader, and sequoia-autocrypt. More information is available here: https://lists.sequoia-pgp.org/hyperkitty/list/announce@lists.sequoia-pgp.or… https://lists.sequoia-pgp.org/hyperkitty/list/announce@lists.sequoia-pgp.or… All versions of sq are affected. We recommend upgrading to 0.30.1, or ensuring that the dependencies are up to date and recompiling: $ cd ../sequoia-sq $ cargo update -p sequoia-openpgp $ cargo update -p buffered-reader $ cargo update -p sequoia-autocrypt $ cargo build --release Neal on behalf of the whole Sequoia PGP team

1 0

nettle: 7.3.0
by Neal H. Walfield 22 May '23

22 May '23

Hi everyone, I'm pleased to announce the release of version 7.3.0 of the nettle crate. Justus published nettle on crates.io: https://crates.io/crates/nettle-rs You can also fetch version 7.3.0 using the v7.3.0 tag: https://gitlab.com/sequoia-pgp/nettle-rs/-/tags/v7.3.0 which he signed: $ git verify-tag v7.3.0 gpg: Signature made Tue May 16 12:30:14 2023 +02:00 gpg: using RSA key 256A4E55E4A72D97AD2468E788DC7E33385F791D gpg: Good signature from "Justus Winter <justus(a)sequoia-pgp.org>" [full] gpg: "<teythoon(a)uber.space>" gpg: "Justus Winter" gpg: "Justus Winter <justus(a)gnupg.org>" gpg: "Justus Winter <justus(a)pep.foundation>" gpg: "Justus Winter <justuswinter(a)gmx.de>" gpg: "Justus Winter <teythoon(a)avior.uberspace.de>" This adds support for OCB. Neal on behalf of the whole Sequoia PGP team

1 0

nettle-sys: 2.2.0
by Neal H. Walfield 22 May '23

22 May '23

Hi everyone, I'm pleased to announce the release of version 2.2.0 of the nettle-sys crate. Justus published nettle-sys on crates.io: https://crates.io/crates/nettle-sys You can also fetch version 2.2.0 using the v2.2.0 tag: https://gitlab.com/sequoia-pgp/nettle-sys/-/tags/v2.2.0 which he signed: $ git verify-tag v2.2.0 gpg: Signature made Tue May 16 10:47:23 2023 +02:00 gpg: using RSA key 256A4E55E4A72D97AD2468E788DC7E33385F791D gpg: Good signature from "Justus Winter <justus(a)sequoia-pgp.org>" [full] gpg: "<teythoon(a)uber.space>" gpg: "Justus Winter" gpg: "Justus Winter <justus(a)gnupg.org>" gpg: "Justus Winter <justus(a)pep.foundation>" gpg: "Justus Winter <justuswinter(a)gmx.de>" gpg: "Justus Winter <teythoon(a)avior.uberspace.de>" This adds support for OCB, which was added to Nettle version 3.9. And, it fixes a bug when statically linking. Neal on behalf of the whole Sequoia PGP team

1 0

Low-severity vulnerability, sequoia-autocrypt v0.25.1
by Neal H. Walfield 22 May '23

22 May '23

Hi everyone, sequoia-autocrypt contains a parser bug, which an attacker can exploit to cause the library to panic. sequoia-autocrypt incorrectly indexes a UTF-8 string using byte indices instead of grapheme cluster indices. This subtlety is discussed here: https://doc.rust-lang.org/book/ch08-02-strings.html#slicing-strings This bug can be exploited by an attacker to cause a program that uses an affected version of sequoia-autocrypt to crash. The attacker is not, however, able to read from or write to the process's address space. Consequently, we have classified this issues as low severity. The fix is: - autocrypt: Account for multi-byte characters when parsing a string. It was found by Alexander Kjäll (capitol) and patched by Neal H. Walfield. 0.25.1: https://gitlab.com/sequoia-pgp/sequoia/-/commit/c1894b180ef3fea4d066f1fad24… This issue is fixed in sequoia-autocrypt 0.25.1, which I published on crates.io: https://crates.io/crates/sequoia-autocrypt You can also fetch version 0.25.1 using the autocrypt/v0.25.1 tag: https://gitlab.com/sequoia-pgp/sequoia/-/tags/autocrypt%2Fv0.25.1 which I signed: $ git verify-tag autocrypt/v0.25.1 gpg: Signature made Mon May 22 11:15:33 2023 +02:00 gpg: using RSA key C03FA6411B03AE12576461187223B56678E02528 gpg: Good signature from "Neal H. Walfield <neal(a)walfield.org>" [ultimate] gpg: "Neal H. Walfield <neal(a)gnupg.org>" gpg: "Neal H. Walfield <neal(a)pep-project.org>" gpg: "Neal H. Walfield <neal(a)pep.foundation>" gpg: "Neal H. Walfield <neal(a)sequoia-pgp.org>" Neal on behalf of the whole Sequoia PGP team

1 0

Low-severity vulnerabilities, sequoia-openpgp v1.16.0, buffered-reader 1.2.0
by Neal H. Walfield 19 May '23

19 May '23

Hi everyone, sequoia-openpgp and buffered-reader contain several bugs, which an attacker can exploit to cause the libraries to panic. The bugs are all parsing errors. Attacker-controlled input can cause different parsers to access an array using an out-of-range array index. Because, Rust detects the use of out-of-range indices, and panics, these bugs can be exploited by an attacker to cause a program that uses an affected version of sequoia-openpgp or buffered-reader to crash, but they are not able to read from or write to the process's address space. Consequently, we have classified these issues as low severity. With one exception, the issues are all present in sequoia-openpgp and buffered-reader since their initial 1.0 releases. We recommend upgrading. The errors are: - buffered-reader: Fix returning partial reads ending in errors. Found independently by Justus Winter and kpcyrd, patched by Justus Winter. 1.2.0: https://gitlab.com/sequoia-pgp/sequoia/-/commit/f6307652fb2cbf4e0fbd3f897b1… 1.1.5: https://gitlab.com/sequoia-pgp/sequoia/-/commit/7507807dce6b87e7a1397a6414b… 1.0.2: https://gitlab.com/sequoia-pgp/sequoia/-/commit/4b02ccc1d1dcd5a105d4bb6fd32… - openpgp: Fix crash in the packet parser. Found independently by Paul Schaub (vanitasvitae) and Alexander Kjäll (capitol), patched by Justus Winter. 1.16.0: https://gitlab.com/sequoia-pgp/sequoia/-/commit/b9badbdd2e9bd996fa6afd8187f… 1.8.1: https://gitlab.com/sequoia-pgp/sequoia/-/commit/e6ea6cbe12598ec50a07af4bf19… 1.1.1: https://gitlab.com/sequoia-pgp/sequoia/-/commit/17e7c8c5f5960ea05b68cbbbc27… - openpgp: Fix a crash related to stray signatures. Found by Justus Winter, patched by Justus Winter. 1.16.0: https://gitlab.com/sequoia-pgp/sequoia/-/commit/cce50ad4f3645011b5f8b473f6e… 1.8.1: https://gitlab.com/sequoia-pgp/sequoia/-/commit/c6cc5f4bfb6bfb55def8bce4ffe… 1.1.1: https://gitlab.com/sequoia-pgp/sequoia/-/commit/789b0d0698d65b6372c563c36d7… - openpgp: Fix a crash in the Cleartext Signature Framework. This error was introduced in 1.11.0. Found by Justus Winter, patched by Justus Winter. 1.16.0: https://gitlab.com/sequoia-pgp/sequoia/-/commit/586bde682c0525175c03f9eb847… 1.8.1: Not impacted. 1.1.1: Not impacted. - openpgp: Fix a crash in the Cleartext Signature Framework. Found by Justus Winter, patched by Justus Winter. 1.16.0: https://gitlab.com/sequoia-pgp/sequoia/-/commit/c82beb9b30ec77b6edc291516bb… 1.8.1: https://gitlab.com/sequoia-pgp/sequoia/-/commit/976695ea2be6b6772b41adb72aa… 1.1.1: https://gitlab.com/sequoia-pgp/sequoia/-/commit/93b16c32e50b69962fef2380342… - openpgp: Fix mapping of synthetic packets. Found by Justus Winter, patched by Justus Winter. 1.16.0: https://gitlab.com/sequoia-pgp/sequoia/-/commit/b6388f0906315d2de7164bae36f… 1.8.1: https://gitlab.com/sequoia-pgp/sequoia/-/commit/da12da88fb9d27d11b0b347ab5a… 1.1.1: https://gitlab.com/sequoia-pgp/sequoia/-/commit/43532470f25d1df39f5ca704cd9… The backstory of these issues is that the first issue was found by Paul Schaub (vanitasvitae). Independently, Justus Winter, Alexander Kjäll (capitol), and kpcyrd fuzzed the sequoia-openpgp library, and discovered additional issues. The sequoia-openpgp related issues are fixed in sequoia-openpgp 1.16.0, which I published on crates.io: https://crates.io/crates/sequoia-openpgp You can also fetch version 1.16.0 using the openpgp/v1.16.0 tag: https://gitlab.com/sequoia-pgp/sequoia/-/tags/openpgp/v1.16.0 which I signed: $ git verify-tag openpgp/v1.16.0 gpg: Signature made Tue May 16 12:46:41 2023 +02:00 gpg: using RSA key C03FA6411B03AE12576461187223B56678E02528 gpg: Good signature from "Neal H. Walfield <neal(a)walfield.org>" [ultimate] gpg: "Neal H. Walfield <neal(a)gnupg.org>" gpg: "Neal H. Walfield <neal(a)pep-project.org>" gpg: "Neal H. Walfield <neal(a)pep.foundation>" gpg: "Neal H. Walfield <neal(a)sequoia-pgp.org>" I've backported these fixes to 1.1.0, which is the version that is shipped by Debian stable, and released it as version 1.1.1. I've published version 1.1.1 on crates.io, and you can fetch it using the openpgp/v1.1.1 tag: https://gitlab.com/sequoia-pgp/sequoia/-/tags/openpgp/v1.1.1 which I signed: $ git verify-tag openpgp/v1.1.1 gpg: Signature made Tue May 16 15:08:46 2023 +02:00 gpg: using RSA key C03FA6411B03AE12576461187223B56678E02528 gpg: Good signature from "Neal H. Walfield <neal(a)walfield.org>" [ultimate] gpg: "Neal H. Walfield <neal(a)gnupg.org>" gpg: "Neal H. Walfield <neal(a)pep-project.org>" gpg: "Neal H. Walfield <neal(a)pep.foundation>" gpg: "Neal H. Walfield <neal(a)sequoia-pgp.org>" I also backported these fixes to 1.8.0, which is the version that is in Debian Testing, and will go into the next version of Debian Stable. I released it as version 1.8.1 I've published version 1.8.1 on crates.io, and you can fetch it using the openpgp/v1.8.1 tag: https://gitlab.com/sequoia-pgp/sequoia/-/tags/openpgp/v1.8.1 which I signed: $ git verify-tag openpgp/v1.8.1 gpg: Signature made Wed May 17 10:19:35 2023 +02:00 gpg: using RSA key C03FA6411B03AE12576461187223B56678E02528 gpg: Good signature from "Neal H. Walfield <neal(a)walfield.org>" [ultimate] gpg: "Neal H. Walfield <neal(a)gnupg.org>" gpg: "Neal H. Walfield <neal(a)pep-project.org>" gpg: "Neal H. Walfield <neal(a)pep.foundation>" gpg: "Neal H. Walfield <neal(a)sequoia-pgp.org>" The buffered-reader related issue is fixed in buffered-reader 1.2.0, which I published on crates.io: https://crates.io/crates/buffered-reader You can also fetch version 1.2.0 using the buffered-reader/v1.2.0 tag: https://gitlab.com/sequoia-pgp/sequoia/-/tags/buffered-reader/v1.2.0 which I signed: $ git verify-tag buffered-reader/v1.2.0 gpg: Signature made Wed May 17 13:34:13 2023 +02:00 gpg: using RSA key C03FA6411B03AE12576461187223B56678E02528 gpg: Good signature from "Neal H. Walfield <neal(a)walfield.org>" [ultimate] gpg: "Neal H. Walfield <neal(a)gnupg.org>" gpg: "Neal H. Walfield <neal(a)pep-project.org>" gpg: "Neal H. Walfield <neal(a)pep.foundation>" gpg: "Neal H. Walfield <neal(a)sequoia-pgp.org>" I also backported these fixes to 1.0.1, which is the version that is in Debian Stable. I released it as version 1.0.2. I've published version 1.0.2 on crates.io, and you can fetch it using the buffered-reader/v1.0.2 tag: https://gitlab.com/sequoia-pgp/sequoia/-/tags/buffered-reader/v1.0.2 which I signed: $ git verify-tag buffered-reader/v1.0.2 gpg: Signature made Fri May 19 15:33:25 2023 +02:00 gpg: using RSA key C03FA6411B03AE12576461187223B56678E02528 gpg: Good signature from "Neal H. Walfield <neal(a)walfield.org>" [ultimate] gpg: "Neal H. Walfield <neal(a)gnupg.org>" gpg: "Neal H. Walfield <neal(a)pep-project.org>" gpg: "Neal H. Walfield <neal(a)pep.foundation>" gpg: "Neal H. Walfield <neal(a)sequoia-pgp.org>" I also backported these fixes to 1.1.4, which is the version that is in Debian Testing, and will go into the next version of Debian Stable. I released it as version 1.1.5. I've published version 1.1.5 on crates.io, and you can fetch it using the buffered-reader/v1.1.5 tag: https://gitlab.com/sequoia-pgp/sequoia/-/tags/buffered-reader/v1.1.5 which I signed: $ git verify-tag buffered-reader/v1.1.5 gpg: Signature made Fri May 19 14:26:17 2023 +02:00 gpg: using RSA key C03FA6411B03AE12576461187223B56678E02528 gpg: Good signature from "Neal H. Walfield <neal(a)walfield.org>" [ultimate] gpg: "Neal H. Walfield <neal(a)gnupg.org>" gpg: "Neal H. Walfield <neal(a)pep-project.org>" gpg: "Neal H. Walfield <neal(a)pep.foundation>" gpg: "Neal H. Walfield <neal(a)sequoia-pgp.org>" Neal on behalf of the whole Sequoia PGP team

1 0

Sequoia sq: 0.30.0
by Neal H. Walfield 08 May '23

08 May '23

Hi everyone, I'm pleased to announce the release of version 0.30.0 of Sequoia sq, our general-purpose command-line tool for Sequoia PGP. I have published sequoia-sq on crates.io: https://crates.io/crates/sequoia-sq You can also fetch version 0.30.0 using the v0.30.0 tag: https://gitlab.com/sequoia-pgp/sequoia-sq/-/tags/v0.30.0 which I signed: $ git verify-tag v0.30.0 gpg: Signature made Mon May 08 11:44:09 2023 +02:00 gpg: using RSA key C03FA6411B03AE12576461187223B56678E02528 gpg: Good signature from "Neal H. Walfield <neal(a)walfield.org>" [ultimate] gpg: "Neal H. Walfield <neal(a)gnupg.org>" gpg: "Neal H. Walfield <neal(a)pep-project.org>" gpg: "Neal H. Walfield <neal(a)pep.foundation>" gpg: "Neal H. Walfield <neal(a)sequoia-pgp.org>" This release of sq was primarily motivated by an issue with `cargo install sequoia-sq`. An indirect dependency released a new version of their crate with a semver incompatible change, but didn't adjust the version correctly. This release updates `sq`'s dependencies, which fixes this issue. Details are here: https://gitlab.com/sequoia-pgp/sequoia-sq/-/issues/2 `sq` now includes support for using pEp's certificate store. A pEp certificate store can be used by specifying `sq --pep-cert-store PATH` or setting the environment variable `PEP_CERT_STORE`. https://gitea.pep.foundation/pEp.foundation/pEpEngine This release also adds two improvements to `sq key adopt`. `sq key adopt` now honors `--time`, and the new `--expire` flag can be used to set the key's expiration time. Neal on behalf of the whole Sequoia PGP team

1 0

sha1collisiondetection v0.2.7
by Wiktor Kwapisiewicz 08 May '23

08 May '23

Hi everyone, I'm pleased to announce the release of version 0.2.7 of sha1collisiondetection, our low-level library that implements SHA-1, which also detects and foils known SHA-1 collision attacks. I have published sha1collisiondetection on crates.io: https://crates.io/crates/sha1collisiondetection You can also fetch version 0.2.7 using the v0.2.7 tag: https://gitlab.com/sequoia-pgp/sha1collisiondetection/-/tags/v0.2.7 which I signed: $ git verify-tag v0.2.7 gpg: Signature made Fri May 5 11:15:31 2023 CEST gpg: using EDDSA key E7E2B84A36457BEA3F43692DE68BE3B312FA33FC gpg: issuer "wiktor(a)metacode.biz" gpg: Good signature from "Wiktor Kwapisiewicz <wiktor(a)metacode.biz>" There is one significant change in this release: we fixed the code that incorrectly assumed that unaligned memory accesses are okay on x86 and x86_64 [0]. The nightly version of the Rust compiler started checking for this kind of issue recently [1][2] and because of that any code that transitively depended on sha1collisiondetection (e.g. crates using sequoia-openpgp) panicked when running tests. The underlying issue [3] was reported to us by Sosthene from Nitrokey as well as Kushal Das. Thank you! Wiktor on behalf of the whole Sequoia PGP team [0]: https://gitlab.com/sequoia-pgp/sha1collisiondetection/-/merge_requests/13 [1]: https://gitlab.com/sequoia-pgp/sha1collisiondetection/-/merge_requests/13 [2]: https://github.com/rust-lang/rust/pull/98112 [3]: https://gitlab.com/sequoia-pgp/sha1collisiondetection/-/issues/7

1 0

sequoia-openpgp v1.15.0
by Neal H. Walfield 05 May '23

05 May '23

Hi everyone, I'm pleased to announce the release of version 1.15.0 of sequoia-openpgp, our low-level OpenPGP library. I have published sequoia-openpgp on crates.io: https://crates.io/crates/sequoia-openpgp You can also fetch version 1.15.0 using the openpgp/v1.15.0 tag: https://gitlab.com/sequoia-pgp/sequoia/-/tags/openpgp/v1.15.0 which I signed: $ git verify-tag openpgp/v1.15.0 gpg: Signature made Fri May 05 16:57:20 2023 +02:00 gpg: using RSA key C03FA6411B03AE12576461187223B56678E02528 gpg: Good signature from "Neal H. Walfield <neal(a)walfield.org>" [ultimate] gpg: "Neal H. Walfield <neal(a)g10code.com>" gpg: "Neal H. Walfield <neal(a)gnupg.org>" gpg: "Neal H. Walfield <neal(a)pep-project.org>" gpg: "Neal H. Walfield <neal(a)pep.foundation>" gpg: "Neal H. Walfield <neal(a)sequoia-pgp.org>" There are two notable changes in this release: the Windows CNG, and the Rust Crypto backends have been updated to use their latest versions. When using the Rust Crypto backend, this increases sequoia-openpgp's MSRV to 1.65.0. Otherwise, sequoia-openpgp's MSRV remain 1.60.0. This release also includes a number of bug fixes and several performance improvements. Neal on behalf of the whole Sequoia PGP team

1 0

2024

2023

2022

2021

Announce May 2023