Thu, Dec 5
A workaround exists with the new option --ignore-crl-extensions.
Oct 29 2024
Jun 21 2024
Now also done for libksba.
Jun 20 2024
Feb 29 2024
Fixed in libksba 1.6.6.
Feb 23 2024
Feb 14 2024
@Jakuje, you are right. This is a plain error and we should do a new release to avoid false errors.
Thank you, applied.
Feb 13 2024
Feb 12 2024
Nov 16 2023
Nov 10 2023
Oct 18 2023
Oct 13 2023
And yes in gpgsm.conf both the extensions are also marked with ignore-cert-extension.
While remembering this I added to our standard.conf (and for testing first to my local conf):
Jun 22 2023
We had one request to support this back in 2017 but it was closed because the respective CA stopped using this extension. See T2039.
Jun 19 2023
rGb1ecc8353ae3 is just what I meant, so that we can recommend such an option in the future as a workaround until a new update becomes available which supports such an extension.
Nah, the description for that extension is pretty strict and I won't feel comfortable to just ignore it. BTW, there is also T6398 (nameConstraints) which needs support. But for debugging an ignore extension makes sense.
For support reasons I would say that it might make sense to also ignore the extensions from "ignore-cert-extension" when checking CRLs?
Mar 2 2023
(my example cert is 0x09BB0EEE)
Dec 22 2022
This bug is CVE-2022-47629.
Dec 20 2022
Dec 14 2022
Dec 6 2022
I guess we can close this one.
Nov 23 2022
Here is the patch which will go into the next release:
From f61a5ea4e0f6a80fd4b28ef0174bee77793cf070 Mon Sep 17 00:00:00 2001
From: Werner Koch <wk@gnupg.org>
Date: Tue, 22 Nov 2022 16:36:46 +0100
Subject: [PATCH] Fix an integer overflow in the CRL signature parser.
Nov 22 2022
Oct 18 2022
Oct 17 2022
Fixed Gpg4win version: https://lists.wald.intevation.org/pipermail/gpg4win-announce/2022/000098.html
As usual see https://gnupg.org/download for links to the latest packages. For Gpg4win see https://gpg4win.org