Summary
-------
We are reporting CVE-2025-68972 affecting Ubuntu gnupg-related packages on arm64 in Ubuntu Jammy-based container images. This is currently blocking customer release (FedRAMP-related delivery gate).

CVE
---
- CVE: CVE-2025-68972
- Severity (scanner): Medium

Affected Environment
--------------------
- Ubuntu release: jammy (22.04)
- Architecture: arm64
- Affected packages:
  ubuntu:jammy:dirmngr
  ubuntu:jammy:gnupg
  ubuntu:jammy:gnupg-l10n
  ubuntu:jammy:gnupg-utils
  ubuntu:jammy:gpg
  ubuntu:jammy:gpg-agent
  ubuntu:jammy:gpg-wks-client
  ubuntu:jammy:gpg-wks-server
  ubuntu:jammy:gpgconf
  ubuntu:jammy:gpgsm
  ubuntu:jammy:gpgv
- Occurrences: 77
- Components impacted: 11
- Source files impacted: 7

Business Impact
---------------
- This CVE currently blocks customer image acceptance/release.
- Compliance impact: FedRAMP customer gating on unresolved vulnerabilities.
- We need Canonical guidance for remediation timeline.

Request
-------
Please provide one of:
1) Fix ETA / USN for jammy arm64 package update, or
2) Official status/rationale (not-affected / deferred / ignored) with technical justification.

--
https://bugs.launchpad.net/bugs/2137220

Title: CVE-2025-68973 and CVE-2025-68972 in Ubuntu
