Your message dated Sat, 21 Feb 2026 16:05:00 +0000
with message-id <[email protected]>
and subject line Bug#1126631: fixed in gnupg2 2.4.9-2
has caused the Debian Bug report #1126631,
regarding gnupg2: CVE-2026-24882
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1126631: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126631
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: gnupg2
Version: 2.4.8-5
Severity: important
Tags: security upstream
Forwarded: https://dev.gnupg.org/T8045
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for gnupg2.
CVE-2026-24882[0]:
| In GnuPG before 2.5.17, a stack-based buffer overflow exists in
| tpm2daemon during handling of the PKDECRYPT command for TPM-backed
| RSA and ECC keys.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-24882
https://www.cve.org/CVERecord?id=CVE-2026-24882
[1] https://dev.gnupg.org/T8045
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: gnupg2
Source-Version: 2.4.9-2
Done: Andreas Metzler <[email protected]>
We believe that the bug you reported is fixed in the latest version of
gnupg2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andreas Metzler <[email protected]> (supplier of updated gnupg2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 21 Feb 2026 15:27:53 +0100
Source: gnupg2
Architecture: source
Version: 2.4.9-2
Distribution: experimental
Urgency: low
Maintainer: Debian GnuPG Maintainers <[email protected]>
Changed-By: Andreas Metzler <[email protected]>
Closes: 1126259 1126631
Changes:
gnupg2 (2.4.9-2) experimental; urgency=low
.
[ Andreas Metzler ]
* Update gpg.fail Debian status info.
* Highlight/exclude minisign issues.
* Add accelerator keys for "Wrong" and "Correct".
Patch from uostream GIT master. (Closes: #1126259)
* Fix stack-based buffer overflow in tpm2daemon. CVE-2026-24882 Patches
(bugfix and regression) from upstream GIT master. (Closes: #1126631)
.
[ Luca Boccassi ]
* dirmngr: drop unused adduser dependency.
None of the adduser binaries are used anymore, drop the dependency.
The postinst that used it was removed shortly after it was
introduced, by commit 279bf10f4e0ccf238710a0f9881e79f16420bcb4
Checksums-Sha1:
88a11d2a4086cf6bc95f4efbbf43626e464aee09 5453 gnupg2_2.4.9-2.dsc
6bae7626c2d74d460ac06cf1d13ce7efaf558b61 103428 gnupg2_2.4.9-2.debian.tar.xz
Checksums-Sha256:
dd5684de602808ff5e8cdf9a4ed97c7e9701f9078777d9ccb171de90a8ea4e9e 5453
gnupg2_2.4.9-2.dsc
56762cd573fa95972a154d93ff69013895c8a936ee8b8dec265a88c779b24b13 103428
gnupg2_2.4.9-2.debian.tar.xz
Files:
d65b8a83ff32a309428a0f9ba57bec26 5453 utils optional gnupg2_2.4.9-2.dsc
2b8de3949775052caeda3d07f342b0ba 103428 utils optional
gnupg2_2.4.9-2.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEE0uCSA5741Jbt9PpepU8BhUOCFIQFAmmZ02MACgkQpU8BhUOC
FIRU6g//RuBUp594CPjb8JB6CBHR31A27i/wUosxOL+JTi2Ufw5X5ZXBSgLBzF1+
vxXtFYQ1dWpZUYEwIkjFIFa+mgTncrZb7hqI/Syq7ulUyBvLBibx3xTG4B2XUlqN
krQFQhNMP4jEjtr1dCPsMuAwah/bap5TIB+nwqJ3XcgJ8MEzvSKmgIKyd8pglwOx
5hj2aOa5VrENYCwmK/wyVto0DED4mJKSgQuCvz9xIN0xvl4tamrGB9SENIjKNorG
faZ/2E+x2bKvQ7bqiuO08StSkcffGtaoWTkJAt8UhGamm3YaPNCTneKw1DavyS+g
asDXmuI0ziDrVTGQ5ORN+ORiPC6+yjmqOGUH3S61xOhGK0KkkuSkBuzek7moHrVd
QyqZIvhdVQKhYMfShxKl+50WcsjGF4l12aGpRG0pqYbmUv16eqOf6SAEmmORSoP7
Qi4Dl1KCuZInbeYkhrKG0YpOCPQSdlSOPzRZcPLpIMev0CCHCeSwWy4A6U7oTe4U
rkc8DMCJOYaGghbqtZC3YQGFBjD5/ZKuz5EuhMx+XiZQ/XUsDWaaGzfX+QzLbuPW
Ntldwf9fGz4Iwlx8XtkEL+bcV7XoQJwOYokoGqxvKuHg9M0yuLUEBB9ArfTs2XFv
C2wCBMkJQvNflXPBaN5AzFoQ8y2YKUq1mO2PMJ9tnemdE6pEvkI=
=CXmx
-----END PGP SIGNATURE-----
pgp1cEibLSaho.pgp
Description: PGP signature
--- End Message ---
