-rw-r--r-- | NEWS | 18 | ||||
-rw-r--r-- | doc/gpg.texi | 5 | ||||
-rw-r--r-- | g10/gpg.c | 4 |
3 files changed, 26 insertions, 1 deletions
@@ -1,9 +1,27 @@ Noteworthy changes in version 2.2.17 (unreleased) ------------------------------------------------- + * gpg: Ignore all key-signatures received from keyservers. This + change is required to mitigate a DoS due to keys flooded with + faked key-signatures. The old behaviour can be achieved by adding + keyserver-options no-self-sigs-only,no-import-clean + to your gpg.conf. [#4607] + + * gpg: If an imported keyblocks is too large to be stored in the + keybox (pubring.kbx) do not error out but fallback to an import + using the options "self-sigs-only,import-clean". [#4591] + + * gpg: New command --locate-external-key which can be used to + refresh keys from the Web Key Directory or via other methods + configured with --auto-key-locate. + + * gpg: New import option "self-sigs-only". + * dirmngr: Support the "openpgpkey" subdomain feature from draft-koch-openpgp-webkey-service-07. [#4590]. + Release-info: https://dev.gnupg.org/T4606 + Noteworthy changes in version 2.2.16 (2019-05-28) ------------------------------------------------- diff --git a/doc/gpg.texi b/doc/gpg.texi index 11193afdb..0d76db06b 100644 --- a/doc/gpg.texi +++ b/doc/gpg.texi @@ -1917,6 +1917,11 @@ are available for all keyserver types, some common options are: @end table +The default list of options is: "self-sigs-only, import-clean, +repair-keys, repair-pks-subkey-bug, export-attributes, +honor-pka-record". + + @item --completes-needed @var{n} @opindex compliant-needed Number of completely trusted users to introduce a new @@ -2375,7 +2375,9 @@ main (int argc, char **argv) opt.import_options = IMPORT_REPAIR_KEYS; opt.export_options = EXPORT_ATTRIBUTES; opt.keyserver_options.import_options = (IMPORT_REPAIR_KEYS - | IMPORT_REPAIR_PKS_SUBKEY_BUG); + | IMPORT_REPAIR_PKS_SUBKEY_BUG + | IMPORT_SELF_SIGS_ONLY + | IMPORT_CLEAN); opt.keyserver_options.export_options = EXPORT_ATTRIBUTES; opt.keyserver_options.options = KEYSERVER_HONOR_PKA_RECORD; opt.verify_options = (LIST_SHOW_UID_VALIDITY |
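Review bot: The two new default bits in `opt.keyserver_options.import_options` (g10/gpg.c, in main()) carry no comment saying they are a security mitigation, so a later tidy-up of these defaults could drop them unnoticed. I would add above the assignment something like `/* Drop third-party key-signatures from keyserver imports by default; mitigates key-signature flooding, see #4607. */`. Note also that `opt.import_options` two lines above stays at `IMPORT_REPAIR_KEYS`, so as far as this hunk shows, imports that use the general import options are not filtered by default. They presumably rely on the too-large-keyblock fallback described in the NEWS entry for #4591; it is worth confirming that this split is intended. main() starts and ends outside the hunk.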