Version 2.2.18 of gnupg is now available. See https://lists.gnupg.org/pipermail/gnupg-announce/2019q4/000442.html for details.
Yes, I've been waiting a bit on this to see if a quick fix is added for https://lists.gnupg.org/pipermail/gnupg-devel/2019-November/034487.html , but will likely bump it anyways later this week.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5d39c36648f20fe75f0bbaf907bdc0b0bb48c7f5

commit 5d39c36648f20fe75f0bbaf907bdc0b0bb48c7f5
Author: Kristian Fiskerstrand <k_f@gentoo.org>
AuthorDate: 2019-12-13 19:16:03 +0000
Commit: Kristian Fiskerstrand <k_f@gentoo.org>
CommitDate: 2019-12-13 19:16:18 +0000

app-crypt/gnupg: New upstream version 2.2.19

Bug: https://bugs.gentoo.org/701616
Package-Manager: Portage-2.3.79, Repoman-2.3.16
Signed-off-by: Kristian Fiskerstrand <k_f@gentoo.org>

app-crypt/gnupg/Manifest | 1 +
app-crypt/gnupg/gnupg-2.2.19.ebuild | 152 ++++++++++++++++++++++++++++++++++++
2 files changed, 153 insertions(+)
@maintainer(s), ok to cleanup?
(In reply to sam_c (Security Padawan) from comment #3)
> @maintainer(s), ok to cleanup?

Ignore me. The vulnerability is fixed in <2.2.19, so @maintainer(s), are we ok to stabilise or call yourself if appropriate?
s390 stable
sparc stable
amd64 stable
arm stable
arm64 stable
hppa stable
ia64 stable
ppc stable
ppc64 stable
x86 stable
GLSA vote: no.
(In reply to sam_c (Security Padawan) from comment #4)
> The vulnerability is fixed in <2.2.19, so @maintainer(s), are we ok to
> stabilise or call yourself if appropriate?

This is meant to say 'fixed in 2.2.19'.