From ${URL} :

I found multiple vulnerabilities in GPG2. Could some CVE-ID(s) be assigned please? Patches were provided by multiple people.
--
Double free in scd/command.c: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773471
Double free in sm/minip12.c: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773472

These two seem related in code:
Return after free in sm/gpgsm.c: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773473
Return after free in dirmngr/ldapserver.c: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773523

Commit:
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=ed8383c618e124cfa708c9ee87563fcdf2f4649c
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=b0b3803e8c2959dd67ca96debc54b5c6464f0d41
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=abd5f6752d693b7f313c19604f0723ecec4d39a6

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
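The report above lists double-free and return-after-free bugs in cleanup and error paths. The following is an added illustration of that bug class, not code from GnuPG or from anyone in this thread: a constructed, hypothetical `session` object whose error path frees a buffer but leaves the dangling pointer behind, so the caller's normal cleanup frees it a second time. A small tracking allocator (`tracked_malloc`/`tracked_free`, both invented here) counts such double frees instead of handing them to the real heap, so the vulnerable and fixed variants can be compared side by side without crashing. The fix is the usual ownership discipline: clear the pointer the moment the block is released, which also removes the dangling pointer that a later use after free would rely on.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, not GnuPG code: a tiny tracking allocator that
 * remembers live heap blocks, so a second free() of the same pointer is
 * counted as a double free instead of being passed to the real allocator. */
#define MAX_LIVE 64
static void *live[MAX_LIVE];
static int double_free_count;

static void *tracked_malloc(size_t n)
{
    void *p = malloc(n);
    if (!p)
        return NULL;
    for (int i = 0; i < MAX_LIVE; i++) {
        if (!live[i]) {
            live[i] = p;
            return p;
        }
    }
    free(p);            /* table full: refuse rather than lose track */
    return NULL;
}

static void tracked_free(void *p)
{
    if (!p)
        return;         /* free(NULL) is a harmless no-op */
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live[i] == p) {
            live[i] = NULL;
            free(p);
            return;
        }
    }
    double_free_count++;  /* p is not a live block: double (or invalid) free */
}

/* Hypothetical object whose cleanup releases a buffer it owns. */
struct session {
    char *buf;
};

static void session_cleanup(struct session *s)
{
    tracked_free(s->buf);
    s->buf = NULL;
}

/* Vulnerable pattern: the error path frees the buffer but leaves the
 * dangling pointer in the struct, so the caller's cleanup frees it again. */
static int parse_vulnerable(struct session *s, const char *input)
{
    s->buf = tracked_malloc(16);
    if (!s->buf)
        return -1;
    if (strlen(input) >= 16) {
        tracked_free(s->buf);   /* s->buf still holds the freed address */
        return -1;
    }
    strcpy(s->buf, input);
    return 0;
}

/* Fixed pattern: clear the pointer as soon as the block is released, so the
 * later cleanup sees NULL and the freed address can be neither freed nor
 * used again through this struct. */
static int parse_fixed(struct session *s, const char *input)
{
    s->buf = tracked_malloc(16);
    if (!s->buf)
        return -1;
    if (strlen(input) >= 16) {
        tracked_free(s->buf);
        s->buf = NULL;
        return -1;
    }
    strcpy(s->buf, input);
    return 0;
}

/* Run one parser followed by the normal cleanup and report how many double
 * frees the tracker observed (0 means the ownership handling is sound). */
static int count_double_frees(int (*parse)(struct session *, const char *),
                              const char *input)
{
    struct session s = { NULL };
    double_free_count = 0;
    parse(&s, input);
    session_cleanup(&s);
    return double_free_count;
}

int main(void)
{
    const char *too_long = "this constructed input is longer than 15 bytes";
    printf("vulnerable: %d double free(s)\n",
           count_double_frees(parse_vulnerable, too_long));
    printf("fixed:      %d double free(s)\n",
           count_double_frees(parse_fixed, too_long));
    return 0;
}
```

With the over-long constructed input the vulnerable parser reports one double free and the fixed parser none; with a short input both report none, because the only free then happens in `session_cleanup`. In a real build the same check is what AddressSanitizer or a hardened allocator performs for you, and the remedy is the same: free once, then null the pointer.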
Added: gnupg-2.0.26-r3 gnupg-2.1.1-r1

gnupg-2.0.26-r3 can be marked as stable.
I'd prefer to wait a bit to see if we get an upstream release instead of stabilizing specific revisions/patches for these particular issues.
(In reply to Kristian Fiskerstrand from comment #2)
> I'd prefer to wait a bit to see if we get an upstream release instead of
> stabilizing specific revisions/patches for these particular issues.

No upstream yet, can we progress?
(In reply to Alon Bar-Lev from comment #3)
> (In reply to Kristian Fiskerstrand from comment #2)
> > I'd prefer to wait a bit to see if we get an upstream release instead of
> > stabilizing specific revisions/patches for these particular issues.
>
> no upstream yet, can we progress?

Yes. Arches, please stabilize =app-crypt/gnupg-2.0.26-r3

Stable targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Stable for HPPA.
amd64 stable
ppc64 stable
x86 done, thanks!
ppc stable
ia64 stable
arm stable
alpha stable
sparc stable. Maintainer(s), please clean up. Security, please add it to the existing request, or file a new one.
Arches, Thank you for your work. New GLSA Request filed. Maintainer(s), please drop the vulnerable version(s).
Cleanup done: 16 Feb 2015; Kristian Fiskerstrand <k_f@gentoo.org> -gnupg-2.0.25.ebuild, -gnupg-2.0.26-r2.ebuild, -gnupg-2.0.26.ebuild: Cleanup for security bug 534110
This issue was resolved and addressed in GLSA 201606-04 at https://security.gentoo.org/glsa/201606-04 by GLSA coordinator Yury German (BlueKnight)