UbuntuUpdates.org

Package "gnupg"

Name: gnupg

Description:

GNU privacy guard - a free PGP replacement
Latest version: 2.2.19-3ubuntu2.5
Release: focal (20.04)
Level: security
Repository: main
Head package: gnupg2
Homepage: https://www.gnupg.org/

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Download "gnupg"

All arch deb package
APT INSTALL

Other versions of "gnupg" in Focal

Repository Area Version
base main 2.2.19-3ubuntu2
updates main 2.2.19-3ubuntu2.5

Changelog

Version: 2.2.19-3ubuntu2.5 2025-07-07 19:07:05 UTC

  gnupg2 (2.2.19-3ubuntu2.5) focal-security; urgency=medium

  * debian/patches/fix-key-validity-regression-due-to-CVE-2025-
    30258.patch:
    - Fix a key validity regression following patches for CVE-2025-30258,
      causing trusted "certify-only" primary keys to be ignored when checking
      signature on user IDs and computing key validity. This regression makes
      imported keys signed by a trusted "certify-only" key have an unknown
      validity (LP: #2114775).

 -- dcpi <dcpi@u22vm> Thu, 26 Jun 2025 16:57:26 +0000
Source diff to previous version
2114775 Key validity not computed when key is certified by a trusted \
CVE-2025-30258 In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect us

Version: 2.2.19-3ubuntu2.4 2025-04-03 16:07:03 UTC

  gnupg2 (2.2.19-3ubuntu2.4) focal-security; urgency=medium

  * SECURITY UPDATE: verification DoS via crafted subkey data
    - debian/patches/CVE-2025-30258-1.patch: lookup key for merging/
      inserting only by primary key in g10/getkey.c, g10/import.c,
      g10/keydb.h.
    - debian/patches/CVE-2025-30258-2.patch: remove a signature check
      function wrapper in g10/mainproc.c, g10/packet.h, g10/sig-check.c.
    - debian/patches/CVE-2025-30258-3.patch: fix a verification DoS due to
      a malicious subkey in the keyring in g10/getkey.c, g10/keydb.h,
      g10/mainproc.c, g10/packet.h, g10/sig-check.c, g10/pkclist.c.
    - debian/patches/CVE-2025-30258-4.patch: fix regression for the recent
      malicious subkey DoS fix in g10/getkey.c, g10/packet.h.
    - debian/patches/CVE-2025-30258-5.patch: fix double free of internal
      data in g10/sig-check.c.
    - CVE-2025-30258

 -- Marc Deslauriers <email address hidden> Sat, 29 Mar 2025 12:35:54 -0400
Source diff to previous version
CVE-2025-30258 In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect us

Version: 2.2.19-3ubuntu2.2 2022-07-05 21:45:51 UTC

  gnupg2 (2.2.19-3ubuntu2.2) focal-security; urgency=medium

  * SECURITY UPDATE: signature forgery via injection into the status line
    - debian/patches/CVE-2022-34903.patch: Fix garbled status messages in
      NOTATION_DATA in g10/cpr.c.
    - CVE-2022-34903

 -- Marc Deslauriers <email address hidden> Mon, 04 Jul 2022 12:20:36 -0400
CVE-2022-34903 GnuPG through 2.3.6, in unusual situations where an attacker possesses any secret-key information from a victim's keyring and other constraints (e.g.


About   -   Send Feedback to @ubuntu_updates