Your message dated Fri, 30 Jan 2026 18:50:41 +0100
with message-id <[email protected]>
and subject line Re: Bug#1126630: gnupg2: CVE-2026-24883
has caused the Debian Bug report #1126630,
regarding gnupg2: CVE-2026-24883
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1126630: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126630
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: gnupg2
Version: 2.4.8-5
Severity: important
Tags: security upstream
Forwarded: https://dev.gnupg.org/T8049
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for gnupg2.
CVE-2026-24883[0]:
| In GnuPG before 2.5.17, a long signature packet length causes
| parse_signature to return success with sig->data[] set to a NULL
| value, leading to a denial of service (application crash).
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-24883
https://www.cve.org/CVERecord?id=CVE-2026-24883
[1] https://dev.gnupg.org/T8049
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Control: notfound -1 2.4.8-5
On Thu, Jan 29, 2026 at 11:09:18PM +0100, Salvatore Bonaccorso wrote:
> Source: gnupg2
> Version: 2.4.8-5
> Severity: important
> Tags: security upstream
> Forwarded: https://dev.gnupg.org/T8049
> X-Debbugs-Cc: [email protected], Debian Security Team
> <[email protected]>
>
> Hi,
>
> The following vulnerability was published for gnupg2.
>
> CVE-2026-24883[0]:
> | In GnuPG before 2.5.17, a long signature packet length causes
> | parse_signature to return success with sig->data[] set to a NULL
> | value, leading to a denial of service (application crash).
>
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2026-24883
> https://www.cve.org/CVERecord?id=CVE-2026-24883
> [1] https://dev.gnupg.org/T8049
>
> Please adjust the affected versions in the BTS as needed.
This was actually only introduced in 2.5.3 according to the above
upstream referenced issue. So not affecting any of our releases
afaics.
Regards,
Salvatore
--- End Message ---
