FWIW, the second listed commit is the right one. You should only look at the STABLE-STABLE-2-2 branch. master and that branch differ; in particular we do not have a cut-off date in master (to be 2.3).
Jan 8 2020
Nov 29 2019
I am currently investigating the issue known as CVE-2019-14855 for Debian's LTS version Debian 8 "Jessie" and even Debian 7 "Wheezy".
Nov 25 2019
Nov 24 2019
Nov 6 2019
That is due to the mitigation for CVE-2019-14855. I need to see how to find a more specific mitigation.
Oct 4 2019
See https://minerva.crocs.fi.muni.cz/ for a description of the timing attack.
Aug 29 2019
May 28 2019
May 13 2019
Apr 29 2019
|Request for key||Thu, 7 Jun 2018 11:48 +0200|
|Reply from us||Thu, 7 Jun 2018 19:05 +0200|
|Report date||Fri, 8 Jun 2018 09:14 +0200|
|Fix committed||Fri, 8 Jun 2018 11:09 +0200|
|Announcement and release||Fri, 8 Jun 2018 15:41 +0200|
Jun 14 2018
So what I remembered was 1 year and 1 month off the real EOL date.
Jun 13 2018
Here is our announcement: https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000426.html
Informed Debian security team about our change of libgcrypt.
A new installer for GnuPG with Libgcrypt 1.8.3 is now available.
Releases are now available. Next task is to build a new GnuPG Windows installer.
1.8.3 and 1.7.10 are now released. Announcement will follow later the day.
Pushed fixes to the repository at 16:00+0900 (09:00+0200). It's 0700Z.
In master, it's
commit 9010d1576e278a4274ad3f4aa15776c28f6ba965 Author: NIIBE Yutaka <firstname.lastname@example.org> Date: Wed Jun 13 15:28:58 2018 +0900
1.8.3 has not yet been released and thus there is no NEWS entries and there can't be a 1.8.3 tag. You are right that the README still says 1.7. I'll fix that for 1.8.3. Why do you think maintenance of 1.7 stopped; the AUTHORS file and the new EOL statements on the download page say that we are going to maintain it until 2019-06-30.
Jun 12 2018
Publication is planned for the 13th, 1500Z
Jun 11 2018
I just noticed, that a tag for Libgcrypt 1.8.3 seems to be missing: https://dev.gnupg.org/source/libgcrypt/tags/LIBGCRYPT-1.8-BRANCH/
Jun 9 2018
Jun 8 2018
Unfortunately 2.2.8 does not build with older libgpg-error versions. Commit rG18274db32b5dea7fe8db67043a787578c975de4d should fix this.
2.2.8. with a fix has been released. Announcement
[Better use the gnupg tag. Specific versions end up on the workboard and there may only be one.]
@dkg can you please take this up with Debian and other distros? See the commit for a brief description.