From kevin at 8t8.us Fri Jun 8 23:28:36 2018
From: kevin at 8t8.us (Kevin J. McCarthy)
Date: Sat, 9 Jun 2018 07:28:36 +0800
Subject: GnuPG CVE-2018-12020 and Mutt
Message-ID: <20180608232836.GD13188@qinghai.lan>

Hi Mutt Users,

GnuPG just released an important security fix involving injection into
the status-fd channel. The details are at .

If you are using the suggested values in contrib/gpg.rc, it should NOT
be necessary to switch to using GPGME (despite what they said in their
email). Specifically make sure you have "--no-verbose" in
$pgp_decode_command, $pgp_verify_command, and $pgp_decrypt_command.

There are a couple other (non-critical) issues Marcus Brinkmann found
and reported to Mutt. They are mitigated by the new GnuPG release, and
by fixes in Mutt's stable branch. I will release a new stable version
in the next couple weeks.

-Kevin
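
One way to run the check the message asks for, as an added example that is not part of the original message or of Mutt's own files: a shell function that reports, for each of the three commands, whether its last assignment in a muttrc-style file contains --no-verbose. The function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message): audit a muttrc-style file
# for the --no-verbose check described above.

# check_no_verbose FILE
# Prints "<variable> <ok|missing-flag|not-set>" for each of the three
# commands named in the message. Returns 0 only when all three are "ok".
# "not-set" means the variable is not assigned in FILE itself; it may be
# set in another file you source.
check_no_verbose() {
    awk '
    BEGIN { n = split("pgp_decode_command pgp_verify_command pgp_decrypt_command", want, " ") }
    {   # join backslash-continued lines into one logical line
        line = buf $0
        if (line ~ /\\$/) { buf = substr(line, 1, length(line) - 1); next }
        buf = ""
    }
    line ~ /^[ \t]*#/ { next }                      # skip comment lines
    {   # remember the last "set <var>=" seen, since a later set overrides
        for (i = 1; i <= n; i++)
            if (line ~ ("^[ \t]*set[ \t]+" want[i] "[ \t]*=")) val[want[i]] = line
    }
    END {
        bad = 0
        for (i = 1; i <= n; i++) {
            v = want[i]
            if (!(v in val)) state = "not-set"
            else if (val[v] ~ /(^|[^A-Za-z0-9-])--no-verbose([^A-Za-z0-9-]|$)/) state = "ok"
            else state = "missing-flag"
            if (state != "ok") bad = 1
            print v, state
        }
        exit bad
    }' "$1"
}

# Constructed sample configuration (command lines are illustrative only).
write_sample() {
    cat > "$1" <<'EOF'
set pgp_decode_command="gpg --status-fd=2 --no-verbose --quiet --batch --output - %f"
set pgp_verify_command="gpg --status-fd=2 --quiet --batch --output - --verify %s %f"
# set pgp_decrypt_command="gpg --no-verbose %f"
set pgp_decrypt_command="gpg --status-fd=2 \
    --no-verbose --quiet --batch --output - %f"
EOF
}
```

Run it against the file that actually sets these variables, for example `check_no_verbose ~/.muttrc`; a non-zero exit status means at least one command was not confirmed to carry the flag.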