Forgot to add the release tag for 1.8.0, so doing it now:
add version 1.8.0, security fix openpgp.js
Date: Mon, 5 Oct 2015 09:39:17 +0200
From: thomas@mailvelope.com
To: list@openpgpjs.org
Subject: [openpgpjs] Critical vulnerability in S2K

Hello,

a vulnerability in the S2K function of OpenPGP.js makes it possible to produce a
predictable session key without knowing the passphrase.

An attacker is able to create a private PGP key that will decrypt in
OpenPGP.js regardless of the passphrase given.

More critical: it is possible to forge a symmetrically encrypted PGP
message (Symmetric-Key Encrypted Session Key Packets (Tag 3)) that
will decrypt with any passphrase in OpenPGP.js. This can be an attack
vector if successful decryption of such a message is used as an
authentication mechanism.

The bug is fixed with a strict check on unknown S2K types.

Credits for finding the bug go to Gijs Hollestelle and thanks to Jonas
Magazinius from Cure53 for reporting the problem.

Please update to OpenPGP.js v1.3.0
Best,
Thomas
http://openpgpjs.org
Subscribe/unsubscribe: http://list.openpgpjs.org