From announcement:
We are pleased to announce the availability of a new stable GnuPG-1 release: Version 1.4.9. This is a maintenance release to fix a possible vulnerability introduced with 1.4.8. This bug is also present in 2.0.8 and was fixed with 2.0.9.

Both 1.4.8 and 2.0.8 are ~arch only, so please do not move them to stable. A bump for ~arch would be required.

Upstream bug: https://bugs.g10code.com/gnupg/issue894

g10 ChangeLog:
2008-03-25 David Shaw <dshaw@jabberwocky.com> (wk)
* import.c (collapse_uids): Fix bug 894: possible memory corruption around deduplication of user IDs.

Credits: Andrea Barisani

Patch in trunk:
svn diff -r4712:4713 svn://cvs.gnupg.org/gnupg/trunk/g10/import.c
oCERT Advisory: http://www.ocert.org/advisories/ocert-2008-1.html
Added.
Thanks, no GLSA for ~arch packages.
*** Bug 215782 has been marked as a duplicate of this bug. ***