Serge Mister and Robert Zuccherato reports that the OpenPGP
protocol is vulnerable to a cryptographic attack when using
symmetric encryption in an automated way.
David Shaw reports about the impact:
This attack, while very significant from a cryptographic
point of view, is not generally effective in the real
world. To be specific, unless you have your OpenPGP
program set up as part of an automated system to accept
encrypted messages, decrypt them, and then provide a
response to the submitter, then this does not affect you
at all.
Note that the fix
in GnuPG does note completely
eliminate the potential problem:
These patches disable a portion of the OpenPGP protocol
that the attack is exploiting. This change should not be
user visible. With the patch in place, this attack will
not work using a public-key encrypted message. It will
still work using a passphrase-encrypted message.