SUSE alert openSUSE-SU-2026:20029-1 (gpg2)
| From: | meissner@suse.com | |
| To: | security-announce@lists.opensuse.org | |
| Subject: | openSUSE-SU-2026:20029-1: important: Security update for gpg2 | |
| Date: | Thu, 15 Jan 2026 17:52:35 +0100 | |
| Message-ID: | <20260115165235.3D554FBA0@maintenance.suse.de> | |
openSUSE security update: security update for gpg2
-------------------------------------------------------------

Announcement ID: openSUSE-SU-2026:20029-1
Rating: important
References:

  * bsc#1255715
  * bsc#1256244
  * bsc#1256246
  * bsc#1256390

Cross-References:

  * CVE-2025-68973

CVSS scores:

  * CVE-2025-68973 ( SUSE ): 8 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

Affected Products:

  openSUSE Leap 16.0

-------------------------------------------------------------

An update that solves one vulnerability and has 4 bug fixes can now be installed.

Description:

This update for gpg2 fixes the following issues:

- CVE-2025-68973: out-of-bounds write when processing specially crafted input in the armor parser can lead to memory corruption (bsc#1255715).

Other security fixes:

- gpg: Avoid potential downgrade to SHA1 in 3rd party key signatures (bsc#1256246).
- gpg: Error out on unverified output for non-detached signatures (bsc#1256244).
- gpg: Deprecate the option --not-dash-escaped (bsc#1256390).

Patch instructions:

To install this openSUSE security update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- openSUSE Leap 16.0

    zypper in -t patch openSUSE-Leap-16.0-138=1

Package List:

- openSUSE Leap 16.0:

    dirmngr-2.5.5-160000.3.1
    gpg2-2.5.5-160000.3.1
    gpg2-lang-2.5.5-160000.3.1
    gpg2-tpm-2.5.5-160000.3.1

References:

  * https://www.suse.com/security/cve/CVE-2025-68973.html
