Libgcrypt vulnerability

After reading this article, I was wondering: is GPG4Win 3.1.15 affected? If so, can we just copy over the updated file?

Hi Mark,

No, Gpg4win 3.1.15 is fine (and not affected) because it uses libgcrypt version 1.8.7.


It contains GnuPG 2.2.27. The file packages.current from the git tag “gpg4win-3.1.15” has the precise versions used for the build:

    name gnupg-w32-2.2.27-20210111-bin.exe
    file binary/gnupg-w32-2.2.27_20210111.exe
    chk 5d89e239790822711eae2899467a764879d21440ab68e9413452fa96cedeba50

GnuPG 2.2.27 was released before libgcrypt 1.9.0 (the vulnerable version).
It still needs the 1.8.x version of libgcrypt.

You can see the used version in;a=blob;f=web/swdb.mac;h=785ca556a4649bbe81ba8e91cf156d620f65f036;hb=7da27041da50080720a58b4cbb2dc972a0e8481f

Best Regards,
P.S.: The news article is very short and thus does not report on the detail that it usually takes a while until a new major version of a library is picked up and goes into production. As the fix came within a few days and was in a library, we believe that the window of exposure was (fortunately) limited and did not affect many installations.
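
The check described in the reply above, as an added example that is not part of the original thread or of the Gpg4win project's tooling: it parses name/file/chk stanzas in the layout quoted from packages.current, flags any libgcrypt 1.9.0 entry, and compares a downloaded file against its chk value. The libgcrypt stanza in the sample is constructed, the function names are hypothetical, and treating chk as a SHA-256 digest is an assumption based on its 64 hex digits.

```python
import hashlib
import re

# Constructed sample in the name/file/chk layout quoted in the reply. The gnupg
# stanza is from the reply; the libgcrypt stanza is a made-up placeholder.
SAMPLE = """\
name gnupg-w32-2.2.27-20210111-bin.exe
file binary/gnupg-w32-2.2.27_20210111.exe
chk 5d89e239790822711eae2899467a764879d21440ab68e9413452fa96cedeba50

name libgcrypt-1.9.0.tar.bz2
file libgcrypt/libgcrypt-1.9.0.tar.bz2
chk 0000000000000000000000000000000000000000000000000000000000000000
"""

VULNERABLE_LIBGCRYPT = {(1, 9, 0)}  # the version the reply names as vulnerable


def parse_packages(text):
    """Return one dict per stanza; every 'name' line starts a new stanza."""
    entries = []
    for line in text.splitlines():
        key, _, value = line.strip().partition(" ")
        if key == "name":
            entries.append({"name": value.strip()})
        elif key in ("file", "chk") and entries:
            entries[-1][key] = value.strip()
    return entries


def package_version(name):
    """Split 'pkg-X.Y.Z...' into (pkg, (X, Y, Z)); None if no version found."""
    m = re.match(r"(.+?)-(\d+)\.(\d+)\.(\d+)", name)
    return (m.group(1), tuple(int(g) for g in m.group(2, 3, 4))) if m else None


def vulnerable_entries(entries):
    """Names of libgcrypt stanzas whose version is in VULNERABLE_LIBGCRYPT."""
    hits = []
    for entry in entries:
        parsed = package_version(entry["name"])
        if parsed and parsed[0] == "libgcrypt" and parsed[1] in VULNERABLE_LIBGCRYPT:
            hits.append(entry["name"])
    return hits


def checksum_ok(entry, data):
    """Assumption: chk is the hex SHA-256 of the file named by the stanza."""
    return hashlib.sha256(data).hexdigest() == entry.get("chk", "").lower()
```

Run `vulnerable_entries(parse_packages(...))` on the packages.current text from the tag you installed; an empty list means no libgcrypt 1.9.0 stanza was found.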