Security update for gpg2
| Announcement ID: | SUSE-SU-2026:20080-1 |
|---|---|
| Release Date: | 2026-01-14T10:23:16Z |
| Rating: | important |
| References: | |
| Cross-References: | |
| CVSS scores: | |
| Affected Products: | |
An update that solves one vulnerability and has three fixes can now be installed.
Description:
This update for gpg2 fixes the following issues:
- CVE-2025-68973: out-of-bounds write when processing specially crafted input in the armor parser can lead to memory corruption (bsc#1255715).
Other security fixes:
- gpg: Avoid potential downgrade to SHA1 in 3rd party key signatures (bsc#1256246).
- gpg: Error out on unverified output for non-detached signatures (bsc#1256244).
- gpg: Deprecate the option --not-dash-escaped (bsc#1256390).
Patch Instructions:
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Server 16.0
  zypper in -t patch SUSE-SLES-16.0-138=1
- SUSE Linux Enterprise Server for SAP Applications 16.0
  zypper in -t patch SUSE-SLES-16.0-138=1
Package List:
- SUSE Linux Enterprise Server 16.0 (aarch64 ppc64le s390x x86_64)
  - gpg2-debugsource-2.5.5-160000.3.1
  - gpg2-tpm-2.5.5-160000.3.1
  - dirmngr-2.5.5-160000.3.1
  - gpg2-2.5.5-160000.3.1
  - gpg2-tpm-debuginfo-2.5.5-160000.3.1
  - dirmngr-debuginfo-2.5.5-160000.3.1
  - gpg2-debuginfo-2.5.5-160000.3.1
- SUSE Linux Enterprise Server 16.0 (noarch)
  - gpg2-lang-2.5.5-160000.3.1
- SUSE Linux Enterprise Server for SAP Applications 16.0 (ppc64le x86_64)
  - gpg2-debugsource-2.5.5-160000.3.1
  - gpg2-tpm-2.5.5-160000.3.1
  - dirmngr-2.5.5-160000.3.1
  - gpg2-2.5.5-160000.3.1
  - gpg2-tpm-debuginfo-2.5.5-160000.3.1
  - dirmngr-debuginfo-2.5.5-160000.3.1
  - gpg2-debuginfo-2.5.5-160000.3.1
- SUSE Linux Enterprise Server for SAP Applications 16.0 (noarch)
  - gpg2-lang-2.5.5-160000.3.1
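
Post-patch check (an added example, not part of the SUSE advisory): after running the zypper command, this script confirms that the installed packages are at or above the fixed build 2.5.5-160000.3.1 from the package list. The function names are hypothetical, the sample input is constructed, and GNU `sort -V` is assumed as a stand-in for rpm's own version comparison.

```shell
#!/bin/sh
# Added example: audit installed gpg2 packages against this advisory's fixed build.
FIXED="2.5.5-160000.3.1"   # version-release taken from the advisory's package list

# ver_lt A B: true when A sorts strictly before B.
# Assumption: GNU `sort -V` stands in for rpm's comparison; it agrees for
# dotted-numeric strings like these but is not a full rpmvercmp.
ver_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# evr_lt A B: compare version first, then release (split at the last '-').
# Epochs are ignored.
evr_lt() {
    av=${1%-*}; ar=${1##*-}
    bv=${2%-*}; br=${2##*-}
    if [ "$av" != "$bv" ]; then ver_lt "$av" "$bv"; else ver_lt "$ar" "$br"; fi
}

# audit_gpg2 (hypothetical name): reads "name version-release" lines on stdin,
# prints a verdict per package, returns 1 if any is older than FIXED.
audit_gpg2() {
    rc=0
    while read -r name evr extra; do
        # Skip blank lines and rpm's "package X is not installed" messages.
        [ -n "$evr" ] && [ -z "$extra" ] || continue
        if evr_lt "$evr" "$FIXED"; then
            echo "UNPATCHED $name $evr (needs >= $FIXED)"
            rc=1
        else
            echo "OK $name $evr"
        fi
    done
    return "$rc"
}

# On a real host, feed it the installed packages:
#   rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' gpg2 dirmngr gpg2-tpm | audit_gpg2
# Constructed sample (not real host output): gpg2 one release behind the fix.
SAMPLE='gpg2 2.5.5-160000.2.1
dirmngr 2.5.5-160000.3.1
gpg2-tpm 2.5.5-160000.3.1'
printf '%s\n' "$SAMPLE" | audit_gpg2 || echo "at least one package predates $FIXED"
```

The non-zero return status makes the function usable as a gate in configuration-management or compliance jobs.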