
Note on the provided Debian packages

Posted Jan 27, 2026 19:02 UTC (Tue) by gwolf (subscriber, #14632)
Parent article: A critical GnuPG security update

The GnuPG announcement has a section on “Debian Packages”. Please note that GnuPG is packaged _in_ Debian, but the Debian maintainers have chosen not to package the 2.5 branch of GnuPG. If you download the package following the instructions this announcement includes, you will switch away from a standards-abiding OpenPGP implementation to one that will surely cause interoperability problems, due to the GnuPG author's decision to steer away from the OpenPGP standard and fork into what they call “LibrePGP”.



Note on the provided Debian packages

Posted Jan 27, 2026 19:13 UTC (Tue) by NYKevin (subscriber, #129325) [Link] (4 responses)

Since Debian chooses not to package 2.5, is it safe to assume that Debian users (who are using the Debian-provided packages) are not affected?

Note on the provided Debian packages

Posted Jan 27, 2026 19:23 UTC (Tue) by gwolf (subscriber, #14632) [Link] (1 responses)

The Debian Package Tracker ( https://tracker.debian.org/pkg/gnupg2 ) mentions CVE-2025-68972 affects the version of GnuPG currently in unstable and testing (Sid and Forky). This CVE has been dealt with in the version in the stable (13, Trixie) release ( https://tracker.debian.org/news/1703011/accepted-gnupg2-2... ), and backported to oldstable (12, Bookworm) and oldoldstable (11, Buster).

Note on the provided Debian packages

Posted Jan 28, 2026 9:35 UTC (Wed) by cortana (subscriber, #24596) [Link]

The security bug tracker is a bit better for tracking CVEs and the Debian releases that contain vulnerable/fixed packages:

https://security-tracker.debian.org/tracker/source-packag...

Note on the provided Debian packages

Posted Jan 27, 2026 19:26 UTC (Tue) by gwolf (subscriber, #14632) [Link] (1 responses)

Oh, but silly me — the article addresses a bug for which “a CVE-id has not been assigned.” So my answer is misguided, sorry for the noise!
Anyway, the list of versions affected by this issue are all within the 2.5.x series, so... No, the packages in Debian should not be affected, AFAICT.

Note on the provided Debian packages

Posted Jan 29, 2026 13:45 UTC (Thu) by santiago (subscriber, #105758) [Link]

FTR and posterity: this issue is CVE-2026-24881.


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds