Debian Package Tracker
Register | Log in
Subscribe

gnupg2

GNU privacy guard - a free PGP replacement (dummy transitional package)

Choose email to subscribe with

general
  • source: gnupg2 (main)
  • version: 2.4.9-7
  • maintainer: Debian GnuPG Maintainers (archive) (DMD)
  • uploaders: Eric Dorland [DMD] – Daniel Kahn Gillmor [DMD] – Andreas Metzler [DMD]
  • arch: all any
  • std-ver: 4.7.4
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-stable: 2.2.27-2+deb11u2
  • o-o-sec: 2.2.27-2+deb11u3
  • oldstable: 2.2.40-1.1+deb12u2
  • stable: 2.4.7-21+deb13u1
  • testing: 2.4.9-5
  • unstable: 2.4.9-7
versioned links
  • 2.2.27-2+deb11u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.2.27-2+deb11u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.2.40-1.1+deb12u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.4.7-21+deb13u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.4.9-5: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.4.9-7: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • dirmngr (10 bugs: 0, 6, 4, 0)
  • gnupg (88 bugs: 1, 66, 21, 0)
  • gnupg-agent (42 bugs: 0, 34, 8, 0)
  • gnupg-l10n
  • gnupg-utils
  • gnupg2 (37 bugs: 0, 23, 14, 0)
  • gpg (21 bugs: 0, 16, 5, 0)
  • gpg-agent (15 bugs: 0, 11, 4, 0)
  • gpg-wks-client (1 bugs: 0, 1, 0, 0)
  • gpg-wks-server
  • gpgconf (1 bugs: 0, 1, 0, 0)
  • gpgsm (5 bugs: 0, 5, 0, 0)
  • gpgv (4 bugs: 0, 4, 0, 0)
  • gpgv-static
  • gpgv-udeb
  • gpgv-win32
  • scdaemon (11 bugs: 0, 9, 2, 0)
  • tpm2daemon
action needed
2 security issues in sid high

There are 2 open security issues in sid.

2 important issues:
  • CVE-2025-68972: In GnuPG through 2.4.8, if a signed message has \f at the end of a plaintext line, an adversary can construct a modified message that places additional text after the signed material, such that signature verification of the modified message succeeds (although an "invalid armor" message is printed during verification). This is related to use of \f as a marker to denote truncation of a long plaintext line.
  • CVE-2026-24882: In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys.
Created: 2025-12-28 Last update: 2026-07-12 01:00
2 security issues in forky high

There are 2 open security issues in forky.

2 important issues:
  • CVE-2025-68972: In GnuPG through 2.4.8, if a signed message has \f at the end of a plaintext line, an adversary can construct a modified message that places additional text after the signed material, such that signature verification of the modified message succeeds (although an "invalid armor" message is printed during verification). This is related to use of \f as a marker to denote truncation of a long plaintext line.
  • CVE-2026-24882: In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys.
Created: 2025-12-28 Last update: 2026-07-12 01:00
3 security issues in bullseye high

There are 3 open security issues in bullseye.

1 important issue:
  • CVE-2026-57062: CMS (Cryptographic Message Syntax) parsing in gpgsm in GnuPG through 2.5.20 mishandles the CMS format for AES-GCM because aes-ICVlen is supposed to be 12 bytes but 4 bytes is accepted. NOTE: this is related to CVE-2026-34182.
2 issues postponed or untriaged:
  • CVE-2025-30258: (postponed; to be fixed through a stable update) In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect usage flags, the user loses the ability to verify signatures made from certain other signing keys, aka a "verification DoS."
  • CVE-2025-68972: (postponed; to be fixed through a stable update) In GnuPG through 2.4.8, if a signed message has \f at the end of a plaintext line, an adversary can construct a modified message that places additional text after the signed material, such that signature verification of the modified message succeeds (although an "invalid armor" message is printed during verification). This is related to use of \f as a marker to denote truncation of a long plaintext line.
Created: 2026-06-24 Last update: 2026-07-12 01:00
3 security issues in bookworm high

There are 3 open security issues in bookworm.

1 important issue:
  • CVE-2026-57062: CMS (Cryptographic Message Syntax) parsing in gpgsm in GnuPG through 2.5.20 mishandles the CMS format for AES-GCM because aes-ICVlen is supposed to be 12 bytes but 4 bytes is accepted. NOTE: this is related to CVE-2026-34182.
2 issues left for the package maintainer to handle:
  • CVE-2025-30258: (needs triaging) In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect usage flags, the user loses the ability to verify signatures made from certain other signing keys, aka a "verification DoS."
  • CVE-2025-68972: (needs triaging) In GnuPG through 2.4.8, if a signed message has \f at the end of a plaintext line, an adversary can construct a modified message that places additional text after the signed material, such that signature verification of the modified message succeeds (although an "invalid armor" message is printed during verification). This is related to use of \f as a marker to denote truncation of a long plaintext line.

You can find information about how to handle these issues in the security team's documentation.

Created: 2025-03-20 Last update: 2026-07-12 01:00
1 bug tagged help in the BTS normal
The BTS contains 1 bug tagged help, please consider helping the maintainer in dealing with it.
Created: 2019-03-21 Last update: 2026-07-12 23:30
5 bugs tagged patch in the BTS normal
The BTS contains patches fixing 5 bugs (6 if counting merged bugs), consider including or untagging them.
Created: 2026-06-02 Last update: 2026-07-12 23:30
lintian reports 3 warnings normal
Lintian reports 3 warnings about this package. You should make the package lintian clean getting rid of them.
Created: 2026-07-12 Last update: 2026-07-12 04:48
debian/patches: 52 patches to forward upstream low

Among the 57 debian patches available in version 2.4.9-7 of the package, we noticed the following issues:

  • 52 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.
Created: 2023-02-26 Last update: 2026-07-12 10:33
Issues found with some translations low

Automatic checks made by the Debian l10n team found some issues with the translations contained in this package. You should check the l10n status report for more information.

Issues can be things such as missing translations, problematic translated strings, outdated PO files, unknown languages, etc.

Created: 2026-07-12 Last update: 2026-07-12 10:00
2 low-priority security issues in trixie low

There are 2 open security issues in trixie.

2 issues left for the package maintainer to handle:
  • CVE-2025-68972: (needs triaging) In GnuPG through 2.4.8, if a signed message has \f at the end of a plaintext line, an adversary can construct a modified message that places additional text after the signed material, such that signature verification of the modified message succeeds (although an "invalid armor" message is printed during verification). This is related to use of \f as a marker to denote truncation of a long plaintext line.
  • CVE-2026-24882: (needs triaging) In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys.

You can find information about how to handle these issues in the security team's documentation.

1 issue that should be fixed with the next stable update:
  • CVE-2026-57062: CMS (Cryptographic Message Syntax) parsing in gpgsm in GnuPG through 2.5.20 mishandles the CMS format for AES-GCM because aes-ICVlen is supposed to be 12 bytes but 4 bytes is accepted. NOTE: this is related to CVE-2026-34182.
Created: 2025-12-28 Last update: 2026-07-12 01:00
testing migrations
  • excuses:
    • Migration status for gnupg2 (2.4.9-5 to 2.4.9-7): BLOCKED: Rejected/violates migration policy/introduces a regression
    • Issues preventing migration:
    • ∙ ∙ Autopkgtest for dracut/111-4: amd64: Regression ♻ (reference ♻), arm64: Pass, armhf: No tests, superficial or marked flaky ♻ (reference ♻), i386: No tests, superficial or marked flaky ♻, loong64: Failed (not a regression) ♻ (reference ♻), ppc64el: Pass, riscv64: Test triggered (failure will be ignored), s390x: Pass
    • ∙ ∙ Autopkgtest for flycheck/36.0-1: amd64: Regression ♻ (reference ♻), arm64: Pass, armhf: Pass, i386: Pass, loong64: Failed (not a regression) ♻ (reference ♻), ppc64el: Pass, riscv64: Pass, s390x: Pass
    • ∙ ∙ Autopkgtest for gnupg2/2.4.9-7: amd64: Pass, arm64: Pass, armhf: Pass, i386: Failed (not a regression) ♻ (reference ♻), loong64: Pass, ppc64el: Pass, riscv64: Pass, s390x: Pass
    • ∙ ∙ Autopkgtest for libreoffice/4:26.2.4.2-1: amd64: Pass, arm64: Test triggered (failure will be ignored), armhf: Test triggered (failure will be ignored), i386: Test triggered (failure will be ignored), loong64: Failed (not a regression) ♻ (reference ♻), ppc64el: Pass, riscv64: Pass, s390x: Pass
    • ∙ ∙ Autopkgtest for lintian/2.137.1: amd64: Pass, arm64: Pass, armhf: Pass, i386: Pass, loong64: Pass, ppc64el: Pass, riscv64: Test triggered (failure will be ignored), s390x: Pass
    • ∙ ∙ Autopkgtest for ostree/2026.1-1: s390x: Pass ♻ (reference ♻)
    • ∙ ∙ Too young, only 1 of 5 days old
    • Additional info (not blocking):
    • ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/g/gnupg2.html
    • ∙ ∙ Reproduced on amd64 - info
    • ∙ ∙ Reproduced on arm64 - info
    • ∙ ∙ Reproduced on armhf - info
    • ∙ ∙ Reproduced on i386 - info
    • Not considered
news
[rss feed]
  • [2026-07-11] Accepted gnupg2 2.4.9-7 (source) into unstable (Andreas Metzler)
  • [2026-07-04] Accepted gnupg2 2.4.9-6 (source) into experimental (Andreas Metzler)
  • [2026-06-29] gnupg2 2.4.9-5 MIGRATED to testing (Debian testing watch)
  • [2026-06-23] Accepted gnupg2 2.4.9-5 (source) into unstable (Andreas Metzler)
  • [2026-03-09] gnupg2 2.4.9-4 MIGRATED to testing (Debian testing watch)
  • [2026-03-05] Accepted gnupg2 2.4.9-4 (source) into unstable (Andreas Metzler)
  • [2026-02-28] Accepted gnupg2 2.4.9-3 (source) into experimental (Andreas Metzler)
  • [2026-02-21] Accepted gnupg2 2.4.9-2 (source) into experimental (Andreas Metzler)
  • [2026-01-14] Accepted gnupg2 2.2.27-2+deb11u3 (source) into oldoldstable-security (Roberto C. Sánchez) (signed by: Roberto C. Sanchez)
  • [2026-01-06] gnupg2 2.4.8-5 MIGRATED to testing (Debian testing watch)
  • [2026-01-03] Accepted gnupg2 2.2.40-1.1+deb12u2 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: dkg@debian.org)
  • [2026-01-01] Accepted gnupg2 2.4.7-21+deb13u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Andreas Metzler)
  • [2025-12-30] Accepted gnupg2 2.4.9-1 (source) into experimental (Daniel Kahn Gillmor) (signed by: dkg@debian.org)
  • [2025-12-30] Accepted gnupg2 2.4.8-6 (source) into experimental (Andreas Metzler)
  • [2025-12-29] Accepted gnupg2 2.4.8-5 (source) into unstable (Andreas Metzler)
  • [2025-10-26] gnupg2 2.4.8-4 MIGRATED to testing (Debian testing watch)
  • [2025-10-22] Accepted gnupg2 2.4.8-4 (source) into unstable (Daniel Kahn Gillmor) (signed by: dkg@debian.org)
  • [2025-08-29] gnupg2 2.4.8-3 MIGRATED to testing (Debian testing watch)
  • [2025-08-21] Accepted gnupg2 2.4.8-3 (source) into unstable (Andreas Metzler)
  • [2025-08-19] gnupg2 2.4.8-2 MIGRATED to testing (Debian testing watch)
  • [2025-08-11] Accepted gnupg2 2.4.8-2 (source) into unstable (Andreas Metzler)
  • [2025-06-29] Accepted gnupg2 2.4.8-1 (source) into experimental (Andreas Metzler)
  • [2025-06-21] Accepted gnupg2 2.2.40-1.1+deb12u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Andreas Metzler)
  • [2025-06-06] gnupg2 2.4.7-21 MIGRATED to testing (Debian testing watch)
  • [2025-06-01] Accepted gnupg2 2.4.7-21 (source) into unstable (Andreas Metzler)
  • [2025-06-01] gnupg2 2.4.7-19 MIGRATED to testing (Debian testing watch)
  • [2025-05-31] Accepted gnupg2 2.4.7-20 (source) into experimental (Andreas Metzler)
  • [2025-05-14] Accepted gnupg2 2.4.7-19 (source) into unstable (Andreas Metzler)
  • [2025-05-11] Accepted gnupg2 2.4.7-18 (source) into experimental (Andreas Metzler)
  • [2025-05-09] gnupg2 2.4.7-17 MIGRATED to testing (Debian testing watch)
  • 1
  • 2
bugs [bug history graph]
  • all: 234 246
  • RC: 2
  • I&N: 175 184
  • M&W: 56 59
  • F&P: 1
  • patch: 5 6
  • help: 1
links
  • homepage
  • lintian (0, 3)
  • buildd: logs, reproducibility, cross
  • popcon
  • browse source code
  • other distros
  • security tracker
  • l10n (-, 67)
  • debian patches
  • debci
ubuntu Ubuntu logo [Information about Ubuntu for Debian Developers]
  • version: 2.4.9-4ubuntu1
  • patches for 2.4.9-4ubuntu1

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers
Report problems to the tracker.debian.org pseudo-package in the Debian BTS.
Documentation — Bugs — Git Repository — Contributing