Source: gnupg2
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for gnupg2.

CVE-2025-30258[0]:
| In GnuPG before 2.5.5, if a user chooses to import a certificate
| with certain crafted subkey data that lacks a valid backsig or that
| has incorrect usage flags, the user loses the ability to verify
| signatures made from certain other signing keys, aka a "verification
| DoS."

https://lists.gnupg.org/pipermail/gnupg-announce/2025q1/000491.html
https://dev.gnupg.org/T7527
https://dev.gnupg.org/rG48978ccb4e20866472ef18436a32744350a65158

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-30258
    https://www.cve.org/CVERecord?id=CVE-2025-30258

Please adjust the affected versions in the BTS as needed.