diff --git a/misc/blog.gnupg.org/20221017-pepe-left-the-ksba.org b/misc/blog.gnupg.org/20221017-pepe-left-the-ksba.org
new file mode 100644
index 0000000..4c929b2
--- /dev/null
+++ b/misc/blog.gnupg.org/20221017-pepe-left-the-ksba.org
@@ -0,0 +1,155 @@
+#+STARTUP: showall
+#+OPTIONS: ^:{} num:nil toc:nil
+#+STARTUP: showall
+#+AUTHOR: g10 Code GmbH
+#+DATE: 2022-10-17
+#+TITLE: Security Advisory for Libksba/GnuPG (GnuPG-bug-id: 6230)
+
+#+html:
Security Advisory for Libksba / GnuPG
+
+** Integer Overflow in LibKSBA / GnuPG
+
+A severe bug has been found in [[https://gnupg.org/software/libksba/][Libksba]] , the library used by GnuPG for
+parsing the ASN.1 structures as used by S/MIME. The bug affects all
+versions of [[https://gnupg.org/software/libksba/][Libksba]] before 1.6.2 and may be used for remote code
+execution. *Updating this library is thus important*.
+
+*** Who is affected
+
+The major user of [[https://gnupg.org/software/libksba/][Libksba]] is /gpgsm/, the S/MIME cousin of /gpg/.
+There it is used to parse all kind of input data, in particular signed
+or encrypted data in files or in mails. Feeding a user with malicious
+data can thus be easily achieved.
+
+A second user of [[https://gnupg.org/software/libksba/][Libksba]] is /dirmngr/, which is responsible for loading
+and parsing Certificate Revocation Lists (CRLs) and for verifying
+certificates used by TLS (i.e. https connections). Mounting an attack
+is a bit more complex but can anyway be easily done using a rogue web
+server to serve a Web Key Directory, certificates, or CRLs.
+
+An exploit is not yet publicly known but very straightforward to create
+for experienced crooks.
+
+Affected to our knowledge are:
+
+- Most software using /Libksba/ versions up to 1.6.1
+
+- All /Gpg4win/ versions from version 2.0.0 up to 4.0.3
+
+- All /GnuPG VS-Desktop^{\reg}/ versions from 3.1.16 up to 3.1.24
+
+- All /GnuPG installers for Windows/ from version 2.3.0 up to 2.3.7
+
+- All /GnuPG LTS installers for Windows/ from version 2.1.0 up to 2.2.39
+
+
+*** How to fix
+
+If you are on a Unix or Linux system you should get the latest version
+of Libksba (1.6.2 or newer), build the software and install the new
+shared library. Restart any background processes (e.g. =gpgconf
+--kill all= for GnuPG). In the rare case that Libksba is statically
+linked remember to rebuild those binaries.
+
+If your are on Windows or if you use an AppImage of GnuPG VS-Desktop
+update to the latest version:
+
+- Gpgwin version 4.0.4 or newer
+- GnuPG VS-Desktop version 3.1.25 or newer (MSI or AppImage)
+- GnuPG installer for Windows version 2.3.8
+- GnuPG LTS installer for Windows version 2.2.40
+
+In case you are not yet ready to deploy a new version, please extract
+=libksba-8.dll= from the respective package and replace the
+original one by this one. This is sufficient to fix the security
+issue.
+
+
+*** How to check whether GnuPG has been fixed
+
+GnuPG is the most prominent user of Libksba and it is not immediately
+visible whether a fixed version of Libksba is used. To check this run:
+
+: gpgconf --show-versions
+
+and watch out for a line like
+
+: * KSBA 1.6.2 (xxxxx)
+
+If you see a version number of 1.6.2 or newer, you got the fix.
+
+*** CVE
+
+- GnuPG-bug-id :: 6230 (https://dev.gnupg.org/T6230)
+- CVE :: Not yet assigned.
+- CVSS :: 8.1: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
+- Other-IDs :: ZDI-CAN-18927, ZDI-CAN-18928, ZDI-CAN-18927
+
+CVSS taken from the Trend Micro Zero Day Initiative report.
+
+
+** Technical background
+
+The task of Libksba is to parse and build ASN.1 objects as used by
+S/MIME, X.509, and CMS. The used encoding (BER, DER) is based on
+tag-length-value objects. The function /_ksba_ber_read_tl/ parses
+such data and returns the tag and associated information in this
+structure:
+
+#+begin_src C
+struct tag_info {
+ enum tag_class class;
+ int is_constructed;
+ unsigned long tag;
+ unsigned long length; /* Length part of the TLV */
+ int ndef; /* It is an indefinite length */
+ size_t nhdr; /* Number of bytes in the TL */
+ unsigned char buf[10]; /* Buffer for the TL */
+ const char *err_string;
+ int non_der;
+};
+#+end_src
+
+At several places we need to copy the objects to a local buffer. For
+example we copy OIDs to a statically encoded buffer for further
+processing:
+
+#+begin_src C
+ struct tag_info ti;
+ unsigned char tmpbuf[500]; /* for OID or algorithmIdentifier */
+ [...]
+ if (ti.nhdr + ti.length >= DIM(tmpbuf))
+ return gpg_error (GPG_ERR_TOO_LARGE);
+ memcpy (tmpbuf, ti.buf, ti.nhdr);
+ err = read_buffer (crl->reader, tmpbuf+ti.nhdr, ti.length);
+#+end_src
+
+It is obvious that the sum of the header length (although less than 10
+bytes) and the announced length of the value can easily wrap around
+and pass the check. The result is then an overflow of /tmpbuf/ with
+all the usual consequences. The code has been there for ages and it
+seems that the audits missed this because, well, there is some
+overflow check and a too brief check may have only noticed that the
+memcpy if fine.
+
+The fix for this is easy because we can check for an overflow right
+away in the parser. Thus /_ksba_ber_read_tl/ finally does this
+extra check:
+
+#+begin_src C
+ if (ti->length > ti->nhdr && (ti->nhdr + ti->length) < ti->length)
+ {
+ ti->err_string = "header+length would overflow";
+ return gpg_error (GPG_ERR_EOVERFLOW);
+ }
+#+end_src
+
+
+*** Thanks
+
+This vulnerability was discovered by:\\
+Anonymous working with Trend Micro Zero Day Initiative
+
+The report was received on 2022-10-04, fix pushed 2022-10-05, new
+source code release 2002-10-07, binary releases and announcement on
+2022-10-17.