Huge Vulnerability in GPG
GPG is an open-source version of the PGP e-mail encryption protocol. Recently, a very serious vulnerability was discovered in the software: given a signed e-mail message, you can modify the message — specifically, you can prepend or append arbitrary data — without disturbing the signature verification.
It appears this bug has existed for years without anybody finding it.
Moral: Open source does not necessarily mean “fewer bugs.” I wrote about this back in 1999.
UPDATED TO ADD (3/13): This bug is fixed in Version 18.104.22.168. Users should upgrade immediately.