When looking at the changes towards the new 2.5.19 version of #GnuPG, there are many small things; like a way to use OCB for symmetric-only encryption, a few defect fixes and improvements.
Not that exciting, but maintenance of the well known #LibrePGP, OpenPGPv4 and CMS capable crypto engine.... you may want to know anyhow. ;)
https://lists.gnupg.org/pipermail/gnupg-announce/2026q2/000504.html
https://dev.gnupg.org/T7998
Dear GnuPG packagers and builders, please upgrade libgcrypt to v1.12.2 to remove a denial of service vulnerability (estimated CVSS 3.1: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H -- 7.5 (HIGH)) Releases of other stable versions of libgcrypt are available as well.
(GnuPG versions >= 2.5.7 are not affected due to the use of a different encryption API.)
See https://lists.gnupg.org/pipermail/gnupg-announce/2026q2/000503.html for details.
Details about the (ongoing) response to https://gpg.fail/ from GnuPG's side:
* https://www.gnupg.org/blog/20251226-cleartext-signatures.html
* https://dev.gnupg.org/T7906 Memory Corruption in ASCII-Armor Parsing
* https://dev.gnupg.org/T7900 (overview)
Please upgrade to GnuPG 2.5.16, 2.4.9 or #Gpg4win 5.0.0-beta479 which already have the fix for what (currently) is seen to be the only major defect: T7906.
(Researchers - Thanks! - found defects in GnuPG, Sequoia-PG, Minisign and age.)
#GnuPG v2.5.14 is here to try.
A no-brainer upgrade for those who use the 2.5 series already. You'd get some defects fixed and a new secret key export-import for the Post quantum cryptography (#PQC) algorithm "Kyber". RCF8332 for ssh is now supported.
For others: the 2.5 series is good for Windows 64 and PQC. #LibrePGP #OpenPGPv4 #EndtoEndCrypto
https://lists.gnupg.org/pipermail/gnupg-announce/2025q4/000499.html
@fdroidorg @Tutanota the original claim was protecting data and notification patterns. So that Google and Apple cannot see them. IMAPS and SMTPS is enough for this, only the network operators and the server operators can then see notifications and the data.
If you want to do more, a standardized #endtoendcrypto solution for email is a good next step. Coming with some work. Like using OpenPGPv4/MIME (or LibrePGP/MIME, S/MIME). That protects even against the server provider to some extend.
Back from the summer, #GnuPG 2.5.12 is now ready for production usage.
And this includes the post-quantum cryptography encryption (#PQC) support which is the main feature of the 2.5 series. (Okay, there is also better support for 64bit Windows.)
So give it a spin or point your favourite GNU/Linux distribution to it for packaging.
https://lists.gnupg.org/pipermail/gnupg-announce/2025q3/000497.html
#GnuPG's "public testing release series" has a new version 2.5.7.
https://lists.gnupg.org/pipermail/gnupg-announce/2025q2/000493.html
Remember:
* It is for you, if you want to test the new
post-quantum cryptography (PQC) features
or the 64 Bit Windows support.
* The series features Kyber (FIPS-203) as PQC encryption algorithm.
A new Gpg4win 5 Beta is forthcoming in the next days.
Technical details: https://dev.gnupg.org/T7671
If you are using the PDF viewer #Okular_from #Gpg4win, please upgrade to version 4.4.1 as this version fixes a severe vulnerability in the freetype library.
https://www.gpg4win.org/download.html
Vulnerability details:
https://euvd.enisa.europa.eu/enisa/EUVD-2025-6367 🛡️
There are other good things in Gpg4win 4.4.1, for example
* improvements in the Outlook Add-in (GpgOL)
* a better Kleopatra
* GnuPG upgraded to v2.4.8
GnuPG
Bernhard E. Reiter