After reading this article I was wondering: is GPG4Win 3.1.15 affected? If so, can we just copy over the updated file?
No, Gpg4win 3.1.15 is fine (and not affected)
because it uses the libgcrypt version 1.8.7.
It contains GnuPG 2.2.27
(The file packages.current from the git tag “gpg4win-3.1.15” has the precise versions used for the build:
and GnuPG 2.2.27 was released before libgcrypt 1.9.0 (the vulnerable version).
It still needs the 1.8.x version of libgcrypt configure.ac:NEED_LIBGCRYPT_VERSION=1.8.0)
PS: The news article is very short and thus does not report on the detail that usually it takes a while until a new major version of a library is picked up and goes into production. As the fix was coming within a few days
and was in a library, we believe that the window of exposure was (fortunately) limited and did not affect many installations.