https://www.eff.org/deeplinks/2018/05/pgp-and-efail-frequently-asked-questio...
https://efail.de/efail-attack-paper.pdf
Nasty year for security 2018 is turning out to be.
There's a newly announced flaw in PGP/GPG, when used for email, that lets remote hackers get copies of your encrypted emails (whether you are the sender or the recipient). Many (most?) email clients (MUAs) are not patched yet (but the Linux ones should be shortly).
The encryption itself isn't broken; it's the way email clients and their HTML parsers work that is being abused. For the hack to work you have to use a vulnerable email client that has built-in HTML support (most do, but mine doesn't, yay!), and the attacker has to intercept an encrypted email for/from you and then send it to you wrapped in some naughty HTML. Your email client then decrypts the email, and the naughty HTML promptly sends a copy to the attacker via backchannels (GET variables or similar in img tags hitting hacker servers).
To be clear, they can only use this hack to read emails they've already intercepted and tricked you into opening in your HTML MUA.
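As an added example (not from the original post), here is a small Python check a mail gateway or triage script could run: it flags messages where PGP ciphertext shares a MIME tree with an HTML part that references remote URLs, which is the wrapping described above. The sample messages and `example.invalid` hostnames are constructed, and the heuristic is an assumption about what is worth flagging, not a complete EFAIL detector.

```python
import re
from email import message_from_bytes

PGP_ARMOR = b"-----BEGIN PGP MESSAGE-----"
# HTML attributes that make a renderer fetch a remote URL (the backchannel).
REMOTE_REF = re.compile(rb"""(?:src|href|background)\s*=\s*["']?\s*(https?://[^\s"'>]*)""", re.I)

def is_pgp_part(part):
    """True for a leaf part that declares or carries PGP ciphertext."""
    body = part.get_payload(decode=True) or b""
    return part.get_content_type() == "application/pgp-encrypted" or PGP_ARMOR in body

def efail_wrapping_findings(raw):
    """List (html_part_index, pgp_part_indexes, remote_urls) for each HTML leaf
    part that sits in the same message as PGP ciphertext and loads remote content."""
    leaves = [p for p in message_from_bytes(raw).walk() if not p.is_multipart()]
    pgp_idx = [i for i, p in enumerate(leaves) if is_pgp_part(p)]
    findings = []
    for i, part in enumerate(leaves):
        if not pgp_idx or part.get_content_type() != "text/html":
            continue
        body = part.get_payload(decode=True) or b""
        urls = [u.decode("ascii", "replace") for u in REMOTE_REF.findall(body)]
        if urls:
            findings.append((i, pgp_idx, urls))
    return findings

# Constructed samples: placeholder text stands in for real ciphertext.
ARMORED = b"-----BEGIN PGP MESSAGE-----\n\n(placeholder, not real ciphertext)\n-----END PGP MESSAGE-----\n"
SUSPICIOUS = (
    b"From: a@example.invalid\nMIME-Version: 1.0\n"
    b'Content-Type: multipart/mixed; boundary="B"\n\n'
    b"--B\nContent-Type: text/html\n\n"
    b'<p>hi</p><img src="http://collector.example.invalid/p.gif">\n'
    b"--B\nContent-Type: application/octet-stream\n\n" + ARMORED + b"--B--\n"
)
BENIGN = (  # ordinary PGP/MIME layout: no HTML anywhere in the tree
    b"From: a@example.invalid\nMIME-Version: 1.0\n"
    b'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="E"\n\n'
    b"--E\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n"
    b"--E\nContent-Type: application/octet-stream\n\n" + ARMORED + b"--E--\n"
)

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, efail_wrapping_findings(raw))
```

A hit is a reason to quarantine or render the message as plain text, not proof of an attack; newsletters forwarded alongside encrypted attachments will also match.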
If you use GPG from the command line you're basically safe. It's still good encryption (with a caveat about integrity checks that won't affect most use cases). GPG used for package signing, etc., is still safe. GPG used for local file encryption is safe.
To be safe for email, update your MUA when it patches this, and ensure all your contacts you PGP/GPG with do the same. Unlike Spectre et al, this one is fairly easy to fix assuming most people do it in a reasonable amount of time (ya, I know).
Strangely, EFF recommends people phase out PGP/GPG email and has no real recommended drop-in replacement. I find this odd, as to me *some* emails being hackable certainly beats *all* emails being hackable (i.e. plaintext), which is basically what they are advocating.
Oh ya, this all could have been avoided if people stopped using HTML in emails and HTML-capable MUAs. <GRIN>