GnuPG VS-Desktop 3.3.6

GnuPG VS-Desktop® version 3.3.6 is available since 2026-03-13. The previous version was 3.3.5.

Notes to Admins

An update to this version is recommended due to these security fixes:

  • A security bug in GpgOL has been fixed which could result in no warning shown to the user when a signed mail contained a not signed attachment after a signed one. (T8110)
  • The libpng component has been updated to version 1.6.55 to fix a security issue (CVE-2026-25646). This is only exploitable in our software if a mail is opened via Kleopatra.

New Features

Engine (GnuPG)

  • gpg: Autoload designated revoker key and ADSK when needed. (T7133)
  • gpg: New options –auto-key-upload and –no-auto-key-upload. (T7333),(rG30ef06a56a)
  • dirmngr: New LDAP keyserver flag "upload". (T7866)

GUI (Kleopatra):

  • New option to save CSR in PEM format (T8115)

Solved Bugs

Engine (GnuPG)

  • gpgsm: Skip the optional PKCS#12 PBES2 keyLength parameter to allow the import of newer German Telekom keys. (rG12bbfe3854)

Outlook Add-In (GgpOL)

  • Make sure to check all attachments. (T8110)
  • Disable autoencryptUntrusted setting in configuration. (T8090)

Other

  • A security bug in the supporting library libpng has been fixed. Now libpng 1.6.55 is included. This is only exploitable in our software if a mail is opened via Kleopatra. (CVE-2026-25646)

Versions of the Components

Component Version Remarks
GnuPG 2.2.53 T7960
Kleopatra 3.3.3  
GpgOL 2.7.2  
GpgEX 1.0.11  
Libgcrypt 1.8.12 T7887
Libksba 1.6.8 T7174

This page as PDF.

Unless otherwise noted, these web pages are: Copyright 2025 g10 Code GmbH. Verbatim copying and distribution is permitted in any medium, provided this notice is preserved. See the Legal Notice & Privacy Policy for details. This page was last changed on 2026-03-16.