[pkg-gnupg-maint] Bug#1134532: Upgrade 'gnupg' to stable 2.5.x branch
Simon Josefsson
simon at josefsson.org
Tue Apr 21 12:44:55 BST 2026
Package: gnupg2
Version: 2.4.9-4
We now get (what appears to be; see libgcrypt announcement below)
security bugs in Debian's 'gpg' as a consequence of Debian's 'gnupg'
being stuck on the EOL'd 2.4.x branch, instead of tracking the current
upstream-supported stable 2.5.x branch.
Will forky ship with GnuPG 2.4.x too?
The 2.4.x branch was declared deprecated quite some time ago, and the
EOL date of 2026-06-30 is rapidly approaching.
I think the time is long overdue to move away from GnuPG 2.4.x and have
Debian ship with GnuPG 2.5.x.
So this is a bug report requesting that 'gnupg2' be updated to the stable
branch of 2.5.x. I didn't see any similar bug already.
Do you want help working on this? I could propose a 2.5.x branch
targeted at experimental if you are open to accepting help.
Another approach is to package 2.5.x in a separate 'gnupg25' source
package. Would you be open to that approach instead? I suppose the
interaction with the 'gnupg2' package would be quite complex, so my gut
feeling is that this isn't the best of solutions.
/Simon
Werner Koch via Gnupg-devel <gnupg-devel at gnupg.org> writes:
> Hello!
>
> We are pleased to announce the availability of a couple of new Libgcrypt
> versions: 1.12.2, 1.11.3, and 1.10.4. It is suggested to use 1.12.2
> which is fully compatible with all earlier versions.
>
> This version fixes a security bug [T8211] which can be used to
> mount a DoS using ECDH encryption (with NIST, Brainpool, X448, or X25519
> curves). Note that GnuPG versions since 2.5.7 are not affected by this
> bug due to the use of a different encryption API.
[snip]