Skip to content

v4.2.0 - Security Release

Choose a tag to compare
@twiss twiss released this 05 Nov 14:10

This release fixes a number of security issues. Please upgrade to the latest version as soon as possible.

  • Fix Message Signature Bypass: Only accept text or binary signatures when verifying data
  • Don't trust information in unhashed subpackets
  • Respect "critical" flag in unrecognized signature subpackets
  • Strengthen default S2K algorithm configuration
  • Add and verify Primary Key Binding Signatures
  • Reject keys with a Designated Revoker, as third-party key revocation is not supported by OpenPGP.js

Other changes:

  • Remove bzip2 compression support (decompression is still supported) (#798)
  • Use Web Crypto for SHA hashing (#795)
  • Fix decryption with multiple passwords (#792)
  • Fix unhandled promise rejection when decrypting non-MDC message (#794)
  • Check that one-pass signatures match their corresponding signature (#793)
  • Don't return streams in openpgp.reformatKey() and openpgp.revokeKey()
  • Fix key lookup example in (#790)