Your message dated Sat, 03 Jan 2026 00:02:50 +0000
with message-id <[email protected]>
and subject line Bug#1124221: fixed in gnupg2 2.2.40-1.1+deb12u2
has caused the Debian Bug report #1124221,
regarding gnupg2: CVE-2025-68973
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1124221: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1124221
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: gnupg2
Version: 2.4.8-4
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 2.4.7-21
Control: found -1 2.2.40-1.1+deb12u1
Control: found -1 2.2.40-1.1
Hi,
The following vulnerability was published for gnupg2.
CVE-2025-68973[0]:
| In GnuPG through 2.4.8, armor_filter in g10/armor.c has two
| increments of an index variable where one is intended, leading to an
| out-of-bounds write for crafted input.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-68973
https://www.cve.org/CVERecord?id=CVE-2025-68973
[1] https://github.com/gpg/gnupg/commit/115d138ba599328005c5321c0ef9f00355838ca9
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: gnupg2
Source-Version: 2.2.40-1.1+deb12u2
Done: Daniel Kahn Gillmor <[email protected]>
We believe that the bug you reported is fixed in the latest version of
gnupg2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Daniel Kahn Gillmor <[email protected]> (supplier of updated gnupg2
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 01 Jan 2026 15:54:00 +0100
Source: gnupg2
Architecture: source
Version: 2.2.40-1.1+deb12u2
Distribution: bookworm
Urgency: high
Maintainer: Debian GnuPG Maintainers <[email protected]>
Changed-By: Daniel Kahn Gillmor <[email protected]>
Closes: 1124221
Changes:
 gnupg2 (2.2.40-1.1+deb12u2) bookworm; urgency=high
 .
   * Address four issues from https://gpg.fail, including:
     + Fix CVE-2025-68973 (Closes: #1124221)
     + Avoid potential downgrade to SHA1 in 3rd party key signatures.
     + Error out on unverified output for non-detached signatures.
     + Do not use a default when asking for another output filename.
   * d/control: Point Vcs-Git to the correct branch
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---