[wrynose,1/2] gnupg: Upgrade 2.5.17 -> 2.5.20

Message ID 20260630130358.71091-2-roland.kovacs@est.tech
State Rejected, archived
Delegated to: Yoann Congal
Series gnupg update and fix outstanding CVE

Commit Message

Roland Kovacs June 30, 2026, 1:03 p.m. UTC
Bug fixes included in this release:
   - gpg: Fix wrong assertion failure which could very rarely occur
     during key signature checking.  [rG693f5642f6]
   - gpg: Consider certify-only keys for revocation signature check.
     [T8196]
   - gpgsm: Fix possible double free in the CMS parser.  [T8240]
   - gpgsm: Fix possible too early removal of ephemeral keys.  [T8236]
   - gpgsm: Avoid emitting a final FAILURE status line if --status-fd
     is not used.  [rG69c27fe377]
   - gpgsm: Fix a regression in 2.5.19 for password encrypted GCM
     data.  [rG60a823c97b]
   - agent: Fix not using cache for pinentry loopback.  [rGd4b608a31f]
   - agent: Fix command PUT_SECRET by saving input line.  [rG1875bc185e]
   - keyboxd: Mark keys searched but not imported via LDAP correctly
     as ephemeral.  [T8048]
   - scdaemon: Avoid buffer overflow with SC-HSM cards providing RSA
     keys > 2k.  [T8244]
   - dirmngr: Fix uninitialized use of the dns_any union in
     dns_rr_cmp.  [T8251]
 Release-info: https://dev.gnupg.org/T7997

Signed-off-by: Roland Kovacs <roland.kovacs@est.tech>
---
 .../recipes-support/gnupg/{gnupg_2.5.17.bb => gnupg_2.5.20.bb} | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
 rename meta/recipes-support/gnupg/{gnupg_2.5.17.bb => gnupg_2.5.20.bb} (95%)

Comments

Yoann Congal June 30, 2026, 1:19 p.m. UTC | #1
On Tue Jun 30, 2026 at 3:03 PM CEST, Roland Kovács via lists.openembedded.org wrote:
> Bug fixes included in this release:
>    - gpg: Fix wrong assertion failure which could very rarely occur
>      during key signature checking.  [rG693f5642f6]
>    - gpg: Consider certify-only keys for revocation signature check.
>      [T8196]
>    - gpgsm: Fix possible double free in the CMS parser.  [T8240]
>    - gpgsm: Fix possible too early removal of ephemeral keys.  [T8236]
>    - gpgsm: Avoid emitting a final FAILURE status line if --status-fd
>      is not used.  [rG69c27fe377]
>    - gpgsm: Fix a regression in 2.5.19 for password encrypted GCM
>      data.  [rG60a823c97b]
>    - agent: Fix not using cache for pinentry loopback.  [rGd4b608a31f]
>    - agent: Fix command PUT_SECRET by saving input line.  [rG1875bc185e]
>    - keyboxd: Mark keys searched but not imported via LDAP correctly
>      as ephemeral.  [T8048]
>    - scdaemon: Avoid buffer overflow with SC-HSM cards providing RSA
>      keys > 2k.  [T8244]
>    - dirmngr: Fix uninitialized use of the dns_any union in
>      dns_rr_cmp.  [T8251]
>  Release-info: https://dev.gnupg.org/T7997
>
> Signed-off-by: Roland Kovacs <roland.kovacs@est.tech>

Sorry but that URL also contains:
| New and extended features:
|  gpgsm: Implement GCM encryption. Note that decryption works since
|         version 2.3.2. [T3979]
|  gpgsm: New option --attribute and server command SETATTR to include
|         arbitrary signed or unsigned attributes into a signature.
|         Enabled only with libksba 1.7.0 or later. [T4537]
|  gpgsm: Introduce system attribute _signingCertificateV2. [rG0335a9cb04]
... which are new features, and thus, that upgrade is not acceptable for
stable branches.

> ---
>  .../recipes-support/gnupg/{gnupg_2.5.17.bb => gnupg_2.5.20.bb} | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>  rename meta/recipes-support/gnupg/{gnupg_2.5.17.bb => gnupg_2.5.20.bb} (95%)
>
> diff --git a/meta/recipes-support/gnupg/gnupg_2.5.17.bb b/meta/recipes-support/gnupg/gnupg_2.5.20.bb
> similarity index 95%
> rename from meta/recipes-support/gnupg/gnupg_2.5.17.bb
> rename to meta/recipes-support/gnupg/gnupg_2.5.20.bb
> index fd6588769c..a1a50e2384 100644
> --- a/meta/recipes-support/gnupg/gnupg_2.5.17.bb
> +++ b/meta/recipes-support/gnupg/gnupg_2.5.20.bb
> @@ -16,6 +16,7 @@ inherit autotools gettext texinfo pkgconfig upstream-version-is-even
>  require drop-unknown-suffix.inc
>  
>  UPSTREAM_CHECK_URI = "https://gnupg.org/ftp/gcrypt/gnupg/"
> +SRCREV = "343d0cb8910441aa44c56ce8673a78e137040c87"
>  SRC_URI = "${GNUPG_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
>             file://0002-use-pkgconfig-instead-of-npth-config.patch \
>             file://0001-Woverride-init-is-not-needed-with-gcc-9.patch \
> @@ -24,7 +25,7 @@ SRC_URI:append:class-native = " file://0001-configure.ac-use-a-custom-value-for-
>                                  file://relocate.patch"
>  SRC_URI:append:class-nativesdk = " file://relocate.patch"
>  
> -SRC_URI[sha256sum] = "2c1fbe20e2958fd8fb53cf37d7c38e84a900edc0d561a1c4af4bc3a10888685d"
> +SRC_URI[sha256sum] = "6461266e99c308419a379abe6c356d54c214136c4589bd65951091138989ffc6"
>  
>  EXTRA_OECONF = "--disable-ldap \
>  		--disable-ccid-driver \

Patch

diff --git a/meta/recipes-support/gnupg/gnupg_2.5.17.bb b/meta/recipes-support/gnupg/gnupg_2.5.20.bb
similarity index 95%
rename from meta/recipes-support/gnupg/gnupg_2.5.17.bb
rename to meta/recipes-support/gnupg/gnupg_2.5.20.bb
index fd6588769c..a1a50e2384 100644
--- a/meta/recipes-support/gnupg/gnupg_2.5.17.bb
+++ b/meta/recipes-support/gnupg/gnupg_2.5.20.bb
@@ -16,6 +16,7 @@  inherit autotools gettext texinfo pkgconfig upstream-version-is-even
 require drop-unknown-suffix.inc
 
 UPSTREAM_CHECK_URI = "https://gnupg.org/ftp/gcrypt/gnupg/"
+SRCREV = "343d0cb8910441aa44c56ce8673a78e137040c87"
 SRC_URI = "${GNUPG_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
            file://0002-use-pkgconfig-instead-of-npth-config.patch \
            file://0001-Woverride-init-is-not-needed-with-gcc-9.patch \
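Review bot: The added SRCREV line has no visible consumer in this recipe. The SRC_URI entries shown directly below it fetch ${BPN}-${PV}.tar.bz2 from ${GNUPG_MIRROR} plus local file:// patches, and none of them is an SCM URL that would read a revision. Either drop the line, or explain in the commit message what the revision is for; the message lists only upstream bug fixes and never mentions it. If the intent is to record the upstream commit behind the release, a comment would do that without suggesting the fetcher uses it.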
@@ -24,7 +25,7 @@  SRC_URI:append:class-native = " file://0001-configure.ac-use-a-custom-value-for-
                                 file://relocate.patch"
 SRC_URI:append:class-nativesdk = " file://relocate.patch"
 
-SRC_URI[sha256sum] = "2c1fbe20e2958fd8fb53cf37d7c38e84a900edc0d561a1c4af4bc3a10888685d"
+SRC_URI[sha256sum] = "6461266e99c308419a379abe6c356d54c214136c4589bd65951091138989ffc6"
 
 EXTRA_OECONF = "--disable-ldap \
 		--disable-ccid-driver \
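Review bot: The replaced SRC_URI[sha256sum] value is the integrity pin for the 2.5.20 tarball visible in this hunk, and the commit message does not say where the new value came from. Please state how it was obtained, ideally checked against the upstream release announcement or the tarball's detached signature rather than computed from whatever the mirror returned. The message could also make clear that the bump spans more than one upstream release: the recipe goes from 2.5.17 to 2.5.20 and the list itself mentions a regression in 2.5.19, yet it is introduced as the fixes "in this release".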