All of lore.kernel.org
 help / color / mirror / Atom feed
From: "Roland Kovács" <roland.kovacs@est.tech>
To: "openembedded-core@lists.openembedded.org"
	<openembedded-core@lists.openembedded.org>,
	"yoann.congal@smile.fr" <yoann.congal@smile.fr>
Subject: Re: [OE-core] [wrynose][PATCH 1/2] gnupg: Upgrade 2.5.17 -> 2.5.20
Date: Wed, 1 Jul 2026 06:51:20 +0000	[thread overview]
Message-ID: <b8208b7ba43f8405d351b61b2e35ce40ae7fc979.camel@est.tech> (raw)
In-Reply-To: <DJMEWS9R1XRF.1VEP9G7EHB1S6@smile.fr>

On Tue, 2026-06-30 at 15:19 +0200, Yoann Congal wrote:
> On Tue Jun 30, 2026 at 3:03 PM CEST, Roland Kovács via lists.openembedded.org wrote:
> > Bug fixes included in this release:
> >    - gpg: Fix wrong assertion failure which could very rarely occur
> >      during key signature checking.  [rG693f5642f6]
> >    - gpg: Consider certify-only keys for revocation signature check.
> >      [T8196]
> >    - gpgsm: Fix possible double free in the CMS parser.  [T8240]
> >    - gpgsm: Fix possible too early removal of ephemeral keys.  [T8236]
> >    - gpgsm: Avoid emitting a final FAILURE status line if --status-fd
> >      is not used.  [rG69c27fe377]
> >    - gpgsm: Fix a regression in 2.5.19 for password encrypted GCM
> >      data.  [rG60a823c97b]
> >    - agent: Fix not using cache for pinentry loopback.  [rGd4b608a31f]
> >    - agent: Fix command PUT_SECRET by saving input line.  [rG1875bc185e]
> >    - keyboxd: Mark keys searched but not imported via LDAP correctly
> >      as ephemeral.  [T8048]
> >    - scdaemon: Avoid buffer overflow with SC-HSM cards providing RSA
> >      keys > 2k.  [T8244]
> >    - dirmngr: Fix uninitialized use of the dns_any union in
> >      dns_rr_cmp.  [T8251]
> >  Release-info: https://dev.gnupg.org/T7997
> > 
> > Signed-off-by: Roland Kovacs <roland.kovacs@est.tech>
> 
> Sorry but that URL also contains:
> > New and extended features:
> >  gpgsm: Implement GCM encryption. Note that decryption works since
> >         version 2.3.2. [T3979]
> >  gpgsm: New option --attribute and server command SETATTR to include
> >         arbitrary signed or unsigned attributes into a signature.
> >         Enabled only with libksba 1.7.0 or later. [T4537]
> >  gpgsm: Introduce system attribute _signingCertificateV2. [rG0335a9cb04]
> ... which are new features, and thus, that upgrade is not acceptable for
> stable branches.
> 
Understood. Just for clarification, only bug fix release is accepted for stable branch, even if
there's no backwards incompatible change?

I'll remove the recipe update and only keep the CVE fix in V2.

> > ---
> >  .../recipes-support/gnupg/{gnupg_2.5.17.bb => gnupg_2.5.20.bb} | 3 ++-
> >  1 file changed, 2 insertions(+), 1 deletion(-)
> >  rename meta/recipes-support/gnupg/{gnupg_2.5.17.bb => gnupg_2.5.20.bb} (95%)
> > 
> > diff --git a/meta/recipes-support/gnupg/gnupg_2.5.17.bb b/meta/recipes-
> > support/gnupg/gnupg_2.5.20.bb
> > similarity index 95%
> > rename from meta/recipes-support/gnupg/gnupg_2.5.17.bb
> > rename to meta/recipes-support/gnupg/gnupg_2.5.20.bb
> > index fd6588769c..a1a50e2384 100644
> > --- a/meta/recipes-support/gnupg/gnupg_2.5.17.bb
> > +++ b/meta/recipes-support/gnupg/gnupg_2.5.20.bb
> > @@ -16,6 +16,7 @@ inherit autotools gettext texinfo pkgconfig upstream-version-is-even
> >  require drop-unknown-suffix.inc
> >  
> >  UPSTREAM_CHECK_URI = "https://gnupg.org/ftp/gcrypt/gnupg/"
> > +SRCREV = "343d0cb8910441aa44c56ce8673a78e137040c87"
> >  SRC_URI = "${GNUPG_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
> >             file://0002-use-pkgconfig-instead-of-npth-config.patch \
> >             file://0001-Woverride-init-is-not-needed-with-gcc-9.patch \
> > @@ -24,7 +25,7 @@ SRC_URI:append:class-native = "
> > file://0001-configure.ac-use-a-custom-value-for-
> >                                  file://relocate.patch"
> >  SRC_URI:append:class-nativesdk = " file://relocate.patch"
> >  
> > -SRC_URI[sha256sum] = "2c1fbe20e2958fd8fb53cf37d7c38e84a900edc0d561a1c4af4bc3a10888685d"
> > +SRC_URI[sha256sum] = "6461266e99c308419a379abe6c356d54c214136c4589bd65951091138989ffc6"
> >  
> >  EXTRA_OECONF = "--disable-ldap \
> >  		--disable-ccid-driver \
> 

Cheers,
	Roland

  reply	other threads:[~2026-07-01  6:51 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-30 13:03 [wrynose][PATCH 0/2] gnupg update and fix outstanding CVE Roland Kovacs
2026-06-30 13:03 ` [wrynose][PATCH 1/2] gnupg: Upgrade 2.5.17 -> 2.5.20 Roland Kovacs
2026-06-30 13:19   ` [OE-core] " Yoann Congal
2026-07-01  6:51     ` Roland Kovács [this message]
2026-07-01  7:48       ` Yoann Congal
2026-06-30 13:03 ` [wrynose][PATCH 2/2] gnupg: fix CVE-2026-57062 Roland Kovacs

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=b8208b7ba43f8405d351b61b2e35ce40ae7fc979.camel@est.tech \
    --to=roland.kovacs@est.tech \
    --cc=openembedded-core@lists.openembedded.org \
    --cc=yoann.congal@smile.fr \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.