| Message ID | 20260630130358.71091-2-roland.kovacs@est.tech |
|---|---|
| State | Rejected, archived |
| Delegated to: | Yoann Congal |
| Series | gnupg update and fix outstanding CVE |

On Tue Jun 30, 2026 at 3:03 PM CEST, Roland Kovács via lists.openembedded.org wrote:
> Bug fixes included in this release:
> - gpg: Fix wrong assertion failure which could very rarely occur
>   during key signature checking. [rG693f5642f6]
> - gpg: Consider certify-only keys for revocation signature check.
>   [T8196]
> - gpgsm: Fix possible double free in the CMS parser. [T8240]
> - gpgsm: Fix possible too early removal of ephemeral keys. [T8236]
> - gpgsm: Avoid emitting a final FAILURE status line if --status-fd
>   is not used. [rG69c27fe377]
> - gpgsm: Fix a regression in 2.5.19 for password encrypted GCM
>   data. [rG60a823c97b]
> - agent: Fix not using cache for pinentry loopback. [rGd4b608a31f]
> - agent: Fix command PUT_SECRET by saving input line. [rG1875bc185e]
> - keyboxd: Mark keys searched but not imported via LDAP correctly
>   as ephemeral. [T8048]
> - scdaemon: Avoid buffer overflow with SC-HSM cards providing RSA
>   keys > 2k. [T8244]
> - dirmngr: Fix uninitialized use of the dns_any union in
>   dns_rr_cmp. [T8251]
> Release-info: https://dev.gnupg.org/T7997
>
> Signed-off-by: Roland Kovacs <roland.kovacs@est.tech>

Sorry but that URL also contains:
| New and extended features:
| gpgsm: Implement GCM encryption. Note that decryption works since
| version 2.3.2. [T3979]
| gpgsm: New option --attribute and server command SETATTR to include
| arbitrary signed or unsigned attributes into a signature.
| Enabled only with libksba 1.7.0 or later. [T4537]
| gpgsm: Introduce system attribute _signingCertificateV2. [rG0335a9cb04]

... which are new features, and thus, that upgrade is not acceptable for stable branches.

> ---
> .../recipes-support/gnupg/{gnupg_2.5.17.bb => gnupg_2.5.20.bb} | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
> rename meta/recipes-support/gnupg/{gnupg_2.5.17.bb => gnupg_2.5.20.bb} (95%)
> > diff --git a/meta/recipes-support/gnupg/gnupg_2.5.17.bb b/meta/recipes-support/gnupg/gnupg_2.5.20.bb > similarity index 95% > rename from meta/recipes-support/gnupg/gnupg_2.5.17.bb > rename to meta/recipes-support/gnupg/gnupg_2.5.20.bb > index fd6588769c..a1a50e2384 100644 > --- a/meta/recipes-support/gnupg/gnupg_2.5.17.bb > +++ b/meta/recipes-support/gnupg/gnupg_2.5.20.bb > @@ -16,6 +16,7 @@ inherit autotools gettext texinfo pkgconfig upstream-version-is-even > require drop-unknown-suffix.inc > > UPSTREAM_CHECK_URI = "https://gnupg.org/ftp/gcrypt/gnupg/" > +SRCREV = "343d0cb8910441aa44c56ce8673a78e137040c87" > SRC_URI = "${GNUPG_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \ > file://0002-use-pkgconfig-instead-of-npth-config.patch \ > file://0001-Woverride-init-is-not-needed-with-gcc-9.patch \ > @@ -24,7 +25,7 @@ SRC_URI:append:class-native = " file://0001-configure.ac-use-a-custom-value-for- > file://relocate.patch" > SRC_URI:append:class-nativesdk = " file://relocate.patch" > > -SRC_URI[sha256sum] = "2c1fbe20e2958fd8fb53cf37d7c38e84a900edc0d561a1c4af4bc3a10888685d" > +SRC_URI[sha256sum] = "6461266e99c308419a379abe6c356d54c214136c4589bd65951091138989ffc6" > > EXTRA_OECONF = "--disable-ldap \ > --disable-ccid-driver \
diff --git a/meta/recipes-support/gnupg/gnupg_2.5.17.bb b/meta/recipes-support/gnupg/gnupg_2.5.20.bb similarity index 95% rename from meta/recipes-support/gnupg/gnupg_2.5.17.bb rename to meta/recipes-support/gnupg/gnupg_2.5.20.bb index fd6588769c..a1a50e2384 100644 --- a/meta/recipes-support/gnupg/gnupg_2.5.17.bb +++ b/meta/recipes-support/gnupg/gnupg_2.5.20.bb @@ -16,6 +16,7 @@ inherit autotools gettext texinfo pkgconfig upstream-version-is-even require drop-unknown-suffix.inc UPSTREAM_CHECK_URI = "https://gnupg.org/ftp/gcrypt/gnupg/" +SRCREV = "343d0cb8910441aa44c56ce8673a78e137040c87" SRC_URI = "${GNUPG_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \ file://0002-use-pkgconfig-instead-of-npth-config.patch \ file://0001-Woverride-init-is-not-needed-with-gcc-9.patch \ @@ -24,7 +25,7 @@ SRC_URI:append:class-native = " file://0001-configure.ac-use-a-custom-value-for- file://relocate.patch" SRC_URI:append:class-nativesdk = " file://relocate.patch" -SRC_URI[sha256sum] = "2c1fbe20e2958fd8fb53cf37d7c38e84a900edc0d561a1c4af4bc3a10888685d" +SRC_URI[sha256sum] = "6461266e99c308419a379abe6c356d54c214136c4589bd65951091138989ffc6" EXTRA_OECONF = "--disable-ldap \ --disable-ccid-driver \
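Review bot: the SRCREV line added in the first hunk has nothing to act on, because the SRC_URI entries visible right below it are a release tarball (${BPN}-${PV}.tar.bz2) and file:// patches, and SRCREV is only consulted by the SCM fetchers. The tarball is pinned by SRC_URI[sha256sum] alone, so a commit hash here suggests a second pin that is never checked. Drop the line, or if it is meant as a record of the upstream tag, say so in the commit message, which currently does not mention it.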
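Review bot: the replaced SRC_URI[sha256sum] in the second hunk is the only integrity pin for the 2.5.20 tarball, and nothing in the commit message says how the new value was obtained. State that it was checked against the checksum or signature upstream publishes for the release, rather than taken from whatever the fetcher downloaded. The rename also goes from 2.5.17 straight to 2.5.20 while the message lists fixes under "included in this release" only, so the log should cover what the skipped versions bring in as well.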

Bug fixes included in this release:
- gpg: Fix wrong assertion failure which could very rarely occur
  during key signature checking. [rG693f5642f6]
- gpg: Consider certify-only keys for revocation signature check.
  [T8196]
- gpgsm: Fix possible double free in the CMS parser. [T8240]
- gpgsm: Fix possible too early removal of ephemeral keys. [T8236]
- gpgsm: Avoid emitting a final FAILURE status line if --status-fd
  is not used. [rG69c27fe377]
- gpgsm: Fix a regression in 2.5.19 for password encrypted GCM
  data. [rG60a823c97b]
- agent: Fix not using cache for pinentry loopback. [rGd4b608a31f]
- agent: Fix command PUT_SECRET by saving input line. [rG1875bc185e]
- keyboxd: Mark keys searched but not imported via LDAP correctly
  as ephemeral. [T8048]
- scdaemon: Avoid buffer overflow with SC-HSM cards providing RSA
  keys > 2k. [T8244]
- dirmngr: Fix uninitialized use of the dns_any union in
  dns_rr_cmp. [T8251]
Release-info: https://dev.gnupg.org/T7997

Signed-off-by: Roland Kovacs <roland.kovacs@est.tech>
---
.../recipes-support/gnupg/{gnupg_2.5.17.bb => gnupg_2.5.20.bb} | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
rename meta/recipes-support/gnupg/{gnupg_2.5.17.bb => gnupg_2.5.20.bb} (95%)