USN-7412-1: GnuPG vulnerability

Releases

• Ubuntu 24.10
• Ubuntu 24.04 LTS
• Ubuntu 22.04 LTS
• Ubuntu 20.04 LTS

Packages

• gnupg2 - GNU privacy guard - a free PGP replacement

Details

It was discovered that GnuPG incorrectly handled importing keys with
certain crafted subkey data. If a user or automated system were tricked
into importing a specially crafted key, a remote attacker may prevent users
from importing other keys in the future.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 24.10

• gnupg - 2.4.4-2ubuntu18.2
• gnupg2 - 2.4.4-2ubuntu18.2
• gpg - 2.4.4-2ubuntu18.2

Ubuntu 24.04

• gnupg - 2.4.4-2ubuntu17.2
• gnupg2 - 2.4.4-2ubuntu17.2
• gpg - 2.4.4-2ubuntu17.2

Ubuntu 22.04

• gnupg - 2.2.27-3ubuntu2.3
• gnupg2 - 2.2.27-3ubuntu2.3
• gpg - 2.2.27-3ubuntu2.3

Ubuntu 20.04

• gnupg - 2.2.19-3ubuntu2.4
• gnupg2 - 2.2.19-3ubuntu2.4
• gpg - 2.2.19-3ubuntu2.4

In general, a standard system update will make all the necessary changes.

References

• CVE-2025-30258