This bug was fixed in the package gnupg2 - 2.4.9-4ubuntu1
---------------
gnupg2 (2.4.9-4ubuntu1) stonking; urgency=medium
* Merge with Debian unstable (LP: #2154019). Remaining changes:
- Honor http_proxy= environment variables by default in the
systemd user session dirmngr service
- Don't build the gpgv-win32 package which only debian-installer
uses
- gnupg: Demote gnupg-l10n to Recommends
- Demote all Recommends: gnupg to Suggests
- Stop building gpg-wks-server, gpg-wks-client on i386
- Demote gpg-wks-client to Recommends
- gpg{,sm}: Recommend gpg-agent, dirmngr
- Disable swtpm, libtss2-dev build-dep on i386
* Drop Changes:
- CVE-2025-68973.patch: fix memory corruption in armor parser
[Fixed in 2.4.9-1]
- CVE-2026-24882.patch: fix stack-based buffer overflow in tpm2daemon
[Fixed in 2.4.9-2]
gnupg2 (2.4.9-4) unstable; urgency=medium
* Upload to unstable.
gnupg2 (2.4.9-3) experimental; urgency=medium
* Update to STABLE-BRANCH-2-4 HEAD.
* Add explicit build-dependency on libc-dev-bin. (Needed for future
versions of dh_builtusing.) See
https://alioth-lists.debian.net/pipermail/pkg-gnupg-maint/2025-November/010393.html
gnupg2 (2.4.9-2) experimental; urgency=low
[ Andreas Metzler ]
* Update gpg.fail Debian status info.
* Highlight/exclude minisign issues.
* Add accelerator keys for "Wrong" and "Correct".
Patch from uostream GIT master. (Closes: #1126259)
* Fix stack-based buffer overflow in tpm2daemon. CVE-2026-24882 Patches
(bugfix and regression) from upstream GIT master. (Closes: #1126631)
[ Luca Boccassi ]
* dirmngr: drop unused adduser dependency.
None of the adduser binaries are used anymore, drop the dependency.
The postinst that used it was removed shortly after it was
introduced, by commit 279bf10f4e0ccf238710a0f9881e79f16420bcb4
gnupg2 (2.4.9-1) experimental; urgency=medium
* new upstream release
* refresh patches, align with FreePG 2.4 series
gnupg2 (2.4.8-6) experimental; urgency=medium
* gpg: Do not use a default when asking for another output filename.
https://gpg.fail/filename #2
Unfuzzed patch from GIT master
* Write up gpg.fail status in debian/gpg.fail.md
* agent: Fix a memory leak.
Patch from STABLE-BRANCH-2-4
* Use CVE-2025-68973 patch from STABLE-BRANCH-2-4.
Replace backported patchset from master with the
newly available one on STABLE-BRANCH-2-4.
* Upload to experimental to avoid delaying propagation of -5 to trixie.
gnupg2 (2.4.8-5) unstable; urgency=high
[ Salvatore Bonaccorso ]
* common: Reformat some comments in iobuf.c
* gpg: Fix possible memory corruption in the armor parser (CVE-2025-68973)
(Closes: #1124221) https://gpg.fail/memcpy #5
[ Andreas Metzler ]
* Avoid potential downgrade to SHA1 in 3rd party key signatures.
https://gpg.fail/sha1 #12
Patch from STABLE-BRANCH-2-4
* gpg: Error out on unverified output for non-detached signatures.
https://gpg.fail/detached #1
Patch from STABLE-BRANCH-2-4
-- Varun Varma <[email protected]> Mon, 25 May 2026 18:37:47
-0400
** Changed in: gnupg2 (Ubuntu)
Status: In Progress => Fix Released
** CVE added: https://cve.org/CVERecord?id=CVE-2025-68973
** CVE added: https://cve.org/CVERecord?id=CVE-2026-24882
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2154019
Title:
Please merge 2.4.9-4 into stonking
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnupg2/+bug/2154019/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs