package/gnupg2: security bump to version 2.5.17

For release announce, see:
https://lists.gnupg.org/pipermail/gnupg-announce/2026q1/000501.html

gnupg2 versions from 2.5.13 to 2.5.16 (inclusive) are affected by
the following issue:

A crafted CMS (S/MIME) EnvelopedData message carrying an oversized
wrapped session key can cause a stack buffer overflow in gpg-agent
during the PKDECRYPT--kem=CMS handling.  This can easily be used for a
DoS but, worse, the memory corruption can very likely also be used to
mount a remote code execution attack.  The bug was introduced while
changing an internal API to the FIPS required KEM API.

Fixes:
https://dev.gnupg.org/T8044

Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Julien Olivain
2026-01-28 12:37:49 +01:00
committed by Peter Korsgaard
parent 69b623e4a9
commit deb650f221
2 changed files with 3 additions and 3 deletions
+2 -2
@@ -1,5 +1,5 @@
# From https://www.gnupg.org/download/integrity_check.html
sha1 3acefeef08c82a4d4a8ba36f95c2986fb925d359 gnupg-2.5.16.tar.bz2
sha256 05144040fedb828ced2a6bafa2c4a0479ee4cceacf3b6d68ccc75b175ac13b7e gnupg-2.5.16.tar.bz2
sha1 ee0bc59eadf258b6d92131911b5dca6cabc89419 gnupg-2.5.17.tar.bz2
sha256 2c1fbe20e2958fd8fb53cf37d7c38e84a900edc0d561a1c4af4bc3a10888685d gnupg-2.5.17.tar.bz2
# Locally calculated
sha256 bc2d6664f6276fa0a72d57633b3ae68dc7dcb677b71018bf08c8e93e509f1357 COPYING
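Review bot: the replaced sha1/sha256 lines for gnupg-2.5.17.tar.bz2 should be confirmed against the source the comment line names (https://www.gnupg.org/download/integrity_check.html) and the release announcement linked in the commit message, not only recomputed from the downloaded tarball, since the security value of this bump rests on fetching the genuine fixed release; of the two, the sha256 line is the one that carries the integrity guarantee, the sha1 line is kept only because upstream publishes it. The "# Locally calculated" COPYING hash is rightly left untouched.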
+1 -1
@@ -4,7 +4,7 @@
#
################################################################################
GNUPG2_VERSION = 2.5.16
GNUPG2_VERSION = 2.5.17
GNUPG2_SOURCE = gnupg-$(GNUPG2_VERSION).tar.bz2
GNUPG2_SITE = https://gnupg.org/ftp/gcrypt/gnupg
GNUPG2_LICENSE = GPL-3.0+
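Review bot: the hunk changes only GNUPG2_VERSION, leaving GNUPG2_SOURCE, GNUPG2_SITE (an https location) and GNUPG2_LICENSE untouched, which is consistent with the COPYING hash not changing in the .hash hunk. Because the commit lists only two changed files, it would help to state in the commit message that no Buildroot-local patch for this package needed refreshing for 2.5.17, so a reader can see the version bump alone is what closes the gpg-agent issue described above.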