Fedora 43 has received an update for the gnupg2 package, which provides secure communication and data storage. The new version, 2.4.9-1.fc43 fixes several vulnerabilities, including a remote code execution issue via malformed ASCII armor and information disclosure and potential arbitrary code execution via out-of-bounds write.

Fedora 43 Update: gnupg2-2.4.9-1.fc43

[SECURITY] Fedora 43 Update: gnupg2-2.4.9-1.fc43

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-acea06489d
2026-01-05 01:21:17.734259+00:00
--------------------------------------------------------------------------------

Name : gnupg2
Product : Fedora 43
Version : 2.4.9
Release : 1.fc43
URL : https://www.gnupg.org/
Summary : Utility for secure communication and data storage
Description :
GnuPG is GNU's tool for secure communication and data storage. It can
be used to encrypt data and to create digital signatures. It includes
an advanced key management facility and is compliant with the proposed
OpenPGP Internet standard as described in RFC2440 and the S/MIME
standard as described by several RFCs.

GnuPG 2.0 is a newer version of GnuPG with additional support for
S/MIME. It has a different design philosophy that splits
functionality up into several modules. The S/MIME and smartcard functionality
is provided by the gnupg2-smime package.

--------------------------------------------------------------------------------
Update Information:

New upstream release 2.4.9 fixing several vulnerabilities
--------------------------------------------------------------------------------
ChangeLog:

* Thu Jan 1 2026 Clemens Lang [cllang@redhat.com] - 2.4.9-1
- New upstream release 2.4.9
- Fixes CVE-2025-68973 ( https://gpg.fail/memcpy)
- Fixes https://gpg.fail/sha1
- Fixes https://gpg.fail/detached
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2425660 - Remote code execution in GnuPG via malformed ASCII armor
https://bugzilla.redhat.com/show_bug.cgi?id=2425660
[ 2 ] Bug #2425717 - CVE-2025-68973 gnupg2: GnuPG: Information disclosure and potential arbitrary code execution via out-of-bounds write [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2425717
[ 3 ] Bug #2425767 - CVE-2025-68972 gnupg2: GnuPG: Signature bypass via form feed character in signed messages [fedora-43]
https://bugzilla.redhat.com/show_bug.cgi?id=2425767
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-acea06489d' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

--