Control: notfound -1 2.4.8-5

On Thu, Jan 29, 2026 at 11:09:18PM +0100, Salvatore Bonaccorso wrote:
> Source: gnupg2
> Version: 2.4.8-5
> Severity: important
> Tags: security upstream
> Forwarded: https://dev.gnupg.org/T8049
> X-Debbugs-Cc: [email protected], Debian Security Team
> <[email protected]>
>
> Hi,
>
> The following vulnerability was published for gnupg2.
>
> CVE-2026-24883[0]:
> | In GnuPG before 2.5.17, a long signature packet length causes
> | parse_signature to return success with sig->data[] set to a NULL
> | value, leading to a denial of service (application crash).
>
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2026-24883
>     https://www.cve.org/CVERecord?id=CVE-2026-24883
> [1] https://dev.gnupg.org/T8049
>
> Please adjust the affected versions in the BTS as needed.

This was actually only introduced in 2.5.3 according to the above
upstream referenced issue. So not affecting any of our releases
afaics.

Regards,
Salvatore

