[scarthgap] gnupg: upgrade 2.4.8 -> 2.4.9

This release includes fix for CVE-2025-68973

Changelog:
==========
* gpg: Fix possible memory corruption in the armor parser.  [T7906]

* gpg: Avoid potential downgrade to SHA1 in 3rd party key
  signatures.  [rGddb012be7f]

* gpg: Error out on unverified output for non-detached signatures.
  [rG9d302f978b]

* gpg: Do not allow compressed key packets on import.  [T7014]

* scd: Fix a harmless read buffer over-read in a function used by
  PKCS#15 cards.  [T7662]

* dirmngr: Do not require a keyserver for "gpg --fetch-key".
  [T7693]

* agent: Fix ssh-agent's request_identities for skipped Brainpool
  keys.  [rG6bf5696c85]

Release-info: https://dev.gnupg.org/T8001

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
 meta/recipes-support/gnupg/{gnupg_2.4.8.bb => gnupg_2.4.9.bb} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-support/gnupg/{gnupg_2.4.8.bb => gnupg_2.4.9.bb} (97%)

Sent already 2 days ago...
https://lists.openembedded.org/g/openembedded-core/message/229168

Peter

-----Original Message-----
From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Vijay Anusuri via lists.openembedded.org
Sent: Monday, January 12, 2026 8:15
To: openembedded-core@lists.openembedded.org
Cc: Vijay Anusuri <vanusuri@mvista.com>
Subject: [OE-core][scarthgap][patch] gnupg: upgrade 2.4.8 -> 2.4.9

This release includes fix for CVE-2025-68973

Changelog:
==========
* gpg: Fix possible memory corruption in the armor parser.  [T7906]

* gpg: Avoid potential downgrade to SHA1 in 3rd party key
  signatures.  [rGddb012be7f]

* gpg: Error out on unverified output for non-detached signatures.
  [rG9d302f978b]

* gpg: Do not allow compressed key packets on import.  [T7014]

* scd: Fix a harmless read buffer over-read in a function used by
  PKCS#15 cards.  [T7662]

* dirmngr: Do not require a keyserver for "gpg --fetch-key".
  [T7693]

* agent: Fix ssh-agent's request_identities for skipped Brainpool
  keys.  [rG6bf5696c85]

Release-info: https://dev.gnupg.org/T8001

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
 meta/recipes-support/gnupg/{gnupg_2.4.8.bb => gnupg_2.4.9.bb} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-support/gnupg/{gnupg_2.4.8.bb => gnupg_2.4.9.bb} (97%)

diff --git a/meta/recipes-support/gnupg/gnupg_2.4.8.bb b/meta/recipes-support/gnupg/gnupg_2.4.9.bb
similarity index 97%
rename from meta/recipes-support/gnupg/gnupg_2.4.8.bb
rename to meta/recipes-support/gnupg/gnupg_2.4.9.bb
index a6e777abf8..4f60a4e7b2 100644
--- a/meta/recipes-support/gnupg/gnupg_2.4.8.bb
+++ b/meta/recipes-support/gnupg/gnupg_2.4.9.bb
@@ -23,7 +23,7 @@ SRC_URI:append:class-native = " file://0001-configure.ac-use-a-custom-value-for-
                                 file://relocate.patch"
 SRC_URI:append:class-nativesdk = " file://relocate.patch"
 
-SRC_URI[sha256sum] = "b58c80d79b04d3243ff49c1c3fc6b5f83138eb3784689563bcdd060595318616"
+SRC_URI[sha256sum] = "dd17ab2e9a04fd79d39d853f599cbc852062ddb9ab52a4ddeb4176fd8b302964"
 
 EXTRA_OECONF = "--disable-ldap \
 		--disable-ccid-driver \

Hi Peter,

Thanks for letting me know. Sorry, I missed your earlier patch — I see it
now.

Steve,

Please ignore my patch.

Thanks & Regards,
Vijay

On Mon, Jan 12, 2026 at 12:47 PM Marko, Peter <Peter.Marko@siemens.com>
wrote:

> Sent already 2 days ago...
> https://lists.openembedded.org/g/openembedded-core/message/229168
>
> Peter
>
> -----Original Message-----
> From: openembedded-core@lists.openembedded.org <
> openembedded-core@lists.openembedded.org> On Behalf Of Vijay Anusuri via
> lists.openembedded.org
> Sent: Monday, January 12, 2026 8:15
> To: openembedded-core@lists.openembedded.org
> Cc: Vijay Anusuri <vanusuri@mvista.com>
> Subject: [OE-core][scarthgap][patch] gnupg: upgrade 2.4.8 -> 2.4.9
>
> This release includes fix for CVE-2025-68973
>
> Changelog:
> ==========
> * gpg: Fix possible memory corruption in the armor parser.  [T7906]
>
> * gpg: Avoid potential downgrade to SHA1 in 3rd party key
>   signatures.  [rGddb012be7f]
>
> * gpg: Error out on unverified output for non-detached signatures.
>   [rG9d302f978b]
>
> * gpg: Do not allow compressed key packets on import.  [T7014]
>
> * scd: Fix a harmless read buffer over-read in a function used by
>   PKCS#15 cards.  [T7662]
>
> * dirmngr: Do not require a keyserver for "gpg --fetch-key".
>   [T7693]
>
> * agent: Fix ssh-agent's request_identities for skipped Brainpool
>   keys.  [rG6bf5696c85]
>
> Release-info: https://dev.gnupg.org/T8001
>
> Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> ---
>  meta/recipes-support/gnupg/{gnupg_2.4.8.bb => gnupg_2.4.9.bb} | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>  rename meta/recipes-support/gnupg/{gnupg_2.4.8.bb => gnupg_2.4.9.bb}
> (97%)
>
> diff --git a/meta/recipes-support/gnupg/gnupg_2.4.8.bb
> b/meta/recipes-support/gnupg/gnupg_2.4.9.bb
> similarity index 97%
> rename from meta/recipes-support/gnupg/gnupg_2.4.8.bb
> rename to meta/recipes-support/gnupg/gnupg_2.4.9.bb
> index a6e777abf8..4f60a4e7b2 100644
> --- a/meta/recipes-support/gnupg/gnupg_2.4.8.bb
> +++ b/meta/recipes-support/gnupg/gnupg_2.4.9.bb
> @@ -23,7 +23,7 @@ SRC_URI:append:class-native = "
> file://0001-configure.ac-use-a-custom-value-for-
>                                  file://relocate.patch"
>  SRC_URI:append:class-nativesdk = " file://relocate.patch"
>
> -SRC_URI[sha256sum] =
> "b58c80d79b04d3243ff49c1c3fc6b5f83138eb3784689563bcdd060595318616"
> +SRC_URI[sha256sum] =
> "dd17ab2e9a04fd79d39d853f599cbc852062ddb9ab52a4ddeb4176fd8b302964"
>
>  EXTRA_OECONF = "--disable-ldap \
>                 --disable-ccid-driver \
> --
> 2.43.0
>
>