On Sat, Mar 22, 2025 at 03:15:02PM +0100, Andreas Metzler wrote:
> On 2025-03-21 Moritz Mühlenhoff <j...@inutil.org> wrote:
> [...]
> > The following vulnerability was published for gnupg2.
> >
> > CVE-2025-30258[0]:
> > | In GnuPG before 2.5.5, if a user chooses to import a certificate
> > | with certain crafted subkey data that lacks a valid backsig or that
> > | has incorrect usage flags, the user loses the ability to verify
> > | signatures made from certain other signing keys, aka a "verification
> > | DoS."
> [...]
>
> At first glance this probably does not warrant a DSA and can be fixed
> with a stable update.

Agreed, I'll mark it as no-dsa in the Security Tracker.

Cheers,
Moritz