From e752ba08064339f2208cc351aa026d0aea329dbb Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Mon, 5 Jan 2026 12:59:17 -0800 Subject: [PATCH 1/9] [AUTOPATCHER-CORE] Upgrade `gnupg2` to 2.4.9 for CVE-2025-68973 [HIGH] (#15430) Co-authored-by: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com> (cherry picked from commit 5936bd63fe539c2eb4de616c3f936d1de63f6969) --- SPECS/gnupg2/gnupg2.signatures.json | 9 ++++++++- SPECS/gnupg2/gnupg2.spec | 9 +++++++++ cgmanifest.json | 5 +++++ .../resources/manifests/package/pkggen_core_aarch64.txt | 5 +++++ .../resources/manifests/package/pkggen_core_x86_64.txt | 5 +++++ .../resources/manifests/package/toolchain_aarch64.txt | 6 ++++++ toolkit/resources/manifests/package/toolchain_x86_64.txt | 6 ++++++ 7 files changed, 44 insertions(+), 1 deletion(-) diff --git a/SPECS/gnupg2/gnupg2.signatures.json b/SPECS/gnupg2/gnupg2.signatures.json index caf31269c7a..5ff7bb76875 100644 --- a/SPECS/gnupg2/gnupg2.signatures.json +++ b/SPECS/gnupg2/gnupg2.signatures.json @@ -1,5 +1,12 @@ { +<<<<<<< HEAD "Signatures": { "gnupg-2.4.8.tar.bz2": "b58c80d79b04d3243ff49c1c3fc6b5f83138eb3784689563bcdd060595318616" } -} \ No newline at end of file +} +======= + "Signatures": { + "gnupg-2.4.9.tar.bz2": "dd17ab2e9a04fd79d39d853f599cbc852062ddb9ab52a4ddeb4176fd8b302964" + } +} +>>>>>>> 5936bd63f ([AUTOPATCHER-CORE] Upgrade `gnupg2` to 2.4.9 for CVE-2025-68973 [HIGH] (#15430)) diff --git a/SPECS/gnupg2/gnupg2.spec b/SPECS/gnupg2/gnupg2.spec index 46217b46551..e2298de0cad 100644 --- a/SPECS/gnupg2/gnupg2.spec +++ b/SPECS/gnupg2/gnupg2.spec 
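Review bot: The new side of `SPECS/gnupg2/gnupg2.signatures.json` contains the literal conflict markers `<<<<<<< HEAD`, `=======` and `>>>>>>> 5936bd63f (...)`, so at this commit the file is not valid JSON and lists both the 2.4.8 and the 2.4.9 tarball. The same markers are added in every other hunk of this patch (`gnupg2.spec`, `cgmanifest.json` and the four package manifests). Patches 2–8 of the series strip them again, so the series should be squashed before merge; otherwise a checkout or bisect landing on this commit will most likely fail spec parsing or source-hash validation. Separately, nothing on this page shows where the pinned SHA-256 for `gnupg-2.4.9.tar.bz2` came from. It should be compared with the checksum in the upstream release announcement, or re-derived from a tarball whose detached signature verifies, rather than taken only from the automation's own download.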
@@ -1,6 +1,10 @@ Summary: OpenPGP standard implementation used for encrypted communication and data storage. Name: gnupg2 +<<<<<<< HEAD Version: 2.4.8 +======= +Version: 2.4.9 +>>>>>>> 5936bd63f ([AUTOPATCHER-CORE] Upgrade `gnupg2` to 2.4.9 for CVE-2025-68973 [HIGH] (#15430)) Release: 1%{?dist} License: BSD and CC0 and GPLv2+ and LGPLv2+ Vendor: Microsoft Corporation @@ -104,8 +108,13 @@ ln -s $(pwd)/bin/gpg $(pwd)/bin/gpg2 %defattr(-,root,root) %changelog +<<<<<<< HEAD * Mon Dec 22 2025 Ratiranjan Behera - 2.4.8-1 - Upgrade gnupg2 to 2.4.8 for CVE-2025-30258 +======= +* Mon Jan 05 2026 CBL-Mariner Servicing Account - 2.4.9-1 +- Auto-upgrade to 2.4.9 - for CVE-2025-68973 +>>>>>>> 5936bd63f ([AUTOPATCHER-CORE] Upgrade `gnupg2` to 2.4.9 for CVE-2025-68973 [HIGH] (#15430)) * Mon Jun 23 2025 Kavya Sree Kaitepalli - 2.4.7-1 - Upgrade to version 2.4.7 diff --git a/cgmanifest.json b/cgmanifest.json index b126a1a7dd0..75c4f8ae4ad 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -4610,8 +4610,13 @@ "type": "other", "other": { "name": "gnupg2", +<<<<<<< HEAD "version": "2.4.8", "downloadUrl": "https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.8.tar.bz2" +======= + "version": "2.4.9", + "downloadUrl": "https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.9.tar.bz2" +>>>>>>> 5936bd63f ([AUTOPATCHER-CORE] Upgrade `gnupg2` to 2.4.9 for CVE-2025-68973 [HIGH] (#15430)) } } }, diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt index eda98b64abe..4f8517036cb 100644 --- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt 
@@ -228,8 +228,13 @@ libksba-devel-1.6.4-1.azl3.aarch64.rpm libxslt-1.1.43-3.azl3.aarch64.rpm npth-1.6-4.azl3.aarch64.rpm pinentry-1.2.1-1.azl3.aarch64.rpm +<<<<<<< HEAD gnupg2-2.4.8-1.azl3.aarch64.rpm gnupg2-lang-2.4.8-1.azl3.aarch64.rpm +======= +gnupg2-2.4.9-1.azl3.aarch64.rpm +gnupg2-lang-2.4.9-1.azl3.aarch64.rpm +>>>>>>> 5936bd63f ([AUTOPATCHER-CORE] Upgrade `gnupg2` to 2.4.9 for CVE-2025-68973 [HIGH] (#15430)) gpgme-1.23.2-2.azl3.aarch64.rpm azurelinux-repos-shared-3.0-5.azl3.noarch.rpm azurelinux-repos-3.0-5.azl3.noarch.rpm diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt index ad14d358cfa..2406d009dee 100644 --- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt @@ -228,8 +228,13 @@ libksba-devel-1.6.4-1.azl3.x86_64.rpm libxslt-1.1.43-3.azl3.x86_64.rpm npth-1.6-4.azl3.x86_64.rpm pinentry-1.2.1-1.azl3.x86_64.rpm +<<<<<<< HEAD gnupg2-2.4.8-1.azl3.x86_64.rpm gnupg2-lang-2.4.8-1.azl3.x86_64.rpm +======= +gnupg2-2.4.9-1.azl3.x86_64.rpm +gnupg2-lang-2.4.9-1.azl3.x86_64.rpm +>>>>>>> 5936bd63f ([AUTOPATCHER-CORE] Upgrade `gnupg2` to 2.4.9 for CVE-2025-68973 [HIGH] (#15430)) gpgme-1.23.2-2.azl3.x86_64.rpm azurelinux-repos-shared-3.0-5.azl3.noarch.rpm azurelinux-repos-3.0-5.azl3.noarch.rpm diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt index bdcc433a468..430417b3cd4 100644 --- a/toolkit/resources/manifests/package/toolchain_aarch64.txt +++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt 
@@ -140,9 +140,15 @@ glibc-tools-2.38-16.azl3.aarch64.rpm gmp-6.3.0-1.azl3.aarch64.rpm gmp-debuginfo-6.3.0-1.azl3.aarch64.rpm gmp-devel-6.3.0-1.azl3.aarch64.rpm +<<<<<<< HEAD gnupg2-2.4.8-1.azl3.aarch64.rpm gnupg2-debuginfo-2.4.8-1.azl3.aarch64.rpm gnupg2-lang-2.4.8-1.azl3.aarch64.rpm +======= +gnupg2-2.4.9-1.azl3.aarch64.rpm +gnupg2-debuginfo-2.4.9-1.azl3.aarch64.rpm +gnupg2-lang-2.4.9-1.azl3.aarch64.rpm +>>>>>>> 5936bd63f ([AUTOPATCHER-CORE] Upgrade `gnupg2` to 2.4.9 for CVE-2025-68973 [HIGH] (#15430)) gperf-3.1-5.azl3.aarch64.rpm gperf-debuginfo-3.1-5.azl3.aarch64.rpm gpgme-1.23.2-2.azl3.aarch64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt index a2cdce447da..9469b49ce45 100644 --- a/toolkit/resources/manifests/package/toolchain_x86_64.txt +++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt @@ -147,9 +147,15 @@ glibc-tools-2.38-16.azl3.x86_64.rpm gmp-6.3.0-1.azl3.x86_64.rpm gmp-debuginfo-6.3.0-1.azl3.x86_64.rpm gmp-devel-6.3.0-1.azl3.x86_64.rpm +<<<<<<< HEAD gnupg2-2.4.8-1.azl3.x86_64.rpm gnupg2-debuginfo-2.4.8-1.azl3.x86_64.rpm gnupg2-lang-2.4.8-1.azl3.x86_64.rpm +======= +gnupg2-2.4.9-1.azl3.x86_64.rpm +gnupg2-debuginfo-2.4.9-1.azl3.x86_64.rpm +gnupg2-lang-2.4.9-1.azl3.x86_64.rpm +>>>>>>> 5936bd63f ([AUTOPATCHER-CORE] Upgrade `gnupg2` to 2.4.9 for CVE-2025-68973 [HIGH] (#15430)) gperf-3.1-5.azl3.x86_64.rpm gperf-debuginfo-3.1-5.azl3.x86_64.rpm gpgme-1.23.2-2.azl3.x86_64.rpm From 3eff16758f42844503f4f747f909eec39fe1fa2c Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Mon, 5 Jan 2026 13:06:55 -0800 Subject: [PATCH 2/9] Conflicts resolved by Auto-Cherry Pick for SPECS/gnupg2/gnupg2.signatures.json --- SPECS/gnupg2/gnupg2.signatures.json | 7 ------- 1 file changed, 7 deletions(-) diff --git a/SPECS/gnupg2/gnupg2.signatures.json b/SPECS/gnupg2/gnupg2.signatures.json index 5ff7bb76875..253cb6ed082 100644 
--- a/SPECS/gnupg2/gnupg2.signatures.json +++ b/SPECS/gnupg2/gnupg2.signatures.json @@ -1,12 +1,5 @@ { -<<<<<<< HEAD - "Signatures": { - "gnupg-2.4.8.tar.bz2": "b58c80d79b04d3243ff49c1c3fc6b5f83138eb3784689563bcdd060595318616" - } -} -======= "Signatures": { "gnupg-2.4.9.tar.bz2": "dd17ab2e9a04fd79d39d853f599cbc852062ddb9ab52a4ddeb4176fd8b302964" } } ->>>>>>> 5936bd63f ([AUTOPATCHER-CORE] Upgrade `gnupg2` to 2.4.9 for CVE-2025-68973 [HIGH] (#15430)) From abe3173c2d7458412ee2d6f31db2b1fbf5a60394 Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Mon, 5 Jan 2026 13:06:56 -0800 Subject: [PATCH 3/9] Conflicts resolved by Auto-Cherry Pick for SPECS/gnupg2/gnupg2.spec --- SPECS/gnupg2/gnupg2.spec | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/SPECS/gnupg2/gnupg2.spec b/SPECS/gnupg2/gnupg2.spec index e2298de0cad..40012d0bdc7 100644 --- a/SPECS/gnupg2/gnupg2.spec +++ b/SPECS/gnupg2/gnupg2.spec @@ -1,10 +1,6 @@ Summary: OpenPGP standard implementation used for encrypted communication and data storage. Name: gnupg2 -<<<<<<< HEAD -Version: 2.4.8 -======= Version: 2.4.9 ->>>>>>> 5936bd63f ([AUTOPATCHER-CORE] Upgrade `gnupg2` to 2.4.9 for CVE-2025-68973 [HIGH] (#15430)) Release: 1%{?dist} License: BSD and CC0 and GPLv2+ and LGPLv2+ Vendor: Microsoft Corporation @@ -108,14 +104,10 @@ ln -s $(pwd)/bin/gpg $(pwd)/bin/gpg2 %defattr(-,root,root) %changelog -<<<<<<< HEAD -* Mon Dec 22 2025 Ratiranjan Behera - 2.4.8-1 -- Upgrade gnupg2 to 2.4.8 for CVE-2025-30258 -======= * Mon Jan 05 2026 CBL-Mariner Servicing Account - 2.4.9-1 - Auto-upgrade to 2.4.9 - for CVE-2025-68973 ->>>>>>> 5936bd63f ([AUTOPATCHER-CORE] Upgrade `gnupg2` to 2.4.9 for CVE-2025-68973 [HIGH] (#15430)) - +* Mon Dec 22 2025 Ratiranjan Behera - 2.4.9-2 +- Upgrade gnupg2 to 2.4.8 for CVE-2025-30258 * Mon Jun 23 2025 Kavya Sree Kaitepalli - 2.4.7-1 - Upgrade to version 2.4.7 
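Review bot: In the `%changelog` hunk of patch 3/9 the resolution does more than drop the conflict markers: it re-adds the Dec 22 2025 entry as `* Mon Dec 22 2025 Ratiranjan Behera - 2.4.9-2`, a version-release the HEAD side never had (it was `2.4.8-1`), and it removes the blank line that separated entries. That attaches the record of the CVE-2025-30258 fix to the wrong package version, which misleads anyone tracing which release carried which fix. The line should read `* Mon Dec 22 2025 Ratiranjan Behera - 2.4.8-1`, which patch 9/9 later restores by hand. Because the automated resolver rewrote a line instead of choosing a side, a check that a "Conflicts resolved" commit only deletes marker lines and one side of each conflict would catch this without depending on a manual follow-up.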
From 6f99e31191d321070b771406787e398d688ec493 Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Mon, 5 Jan 2026 13:06:59 -0800 Subject: [PATCH 4/9] Conflicts resolved by Auto-Cherry Pick for cgmanifest.json --- cgmanifest.json | 5 ----- 1 file changed, 5 deletions(-) diff --git a/cgmanifest.json b/cgmanifest.json index 75c4f8ae4ad..f4b4dd09fa4 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -4610,13 +4610,8 @@ "type": "other", "other": { "name": "gnupg2", -<<<<<<< HEAD - "version": "2.4.8", - "downloadUrl": "https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.8.tar.bz2" -======= "version": "2.4.9", "downloadUrl": "https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.9.tar.bz2" ->>>>>>> 5936bd63f ([AUTOPATCHER-CORE] Upgrade `gnupg2` to 2.4.9 for CVE-2025-68973 [HIGH] (#15430)) } } }, From 28265defde4f365270a0e9c5be3b65d5faa21149 Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Mon, 5 Jan 2026 13:07:01 -0800 Subject: [PATCH 5/9] Conflicts resolved by Auto-Cherry Pick for toolkit/resources/manifests/package/pkggen_core_aarch64.txt --- toolkit/resources/manifests/package/pkggen_core_aarch64.txt | 5 ----- 1 file changed, 5 deletions(-) diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt index 4f8517036cb..3351c4ae8e1 100644 --- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt 
@@ -228,13 +228,8 @@ libksba-devel-1.6.4-1.azl3.aarch64.rpm libxslt-1.1.43-3.azl3.aarch64.rpm npth-1.6-4.azl3.aarch64.rpm pinentry-1.2.1-1.azl3.aarch64.rpm -<<<<<<< HEAD -gnupg2-2.4.8-1.azl3.aarch64.rpm -gnupg2-lang-2.4.8-1.azl3.aarch64.rpm -======= gnupg2-2.4.9-1.azl3.aarch64.rpm gnupg2-lang-2.4.9-1.azl3.aarch64.rpm ->>>>>>> 5936bd63f ([AUTOPATCHER-CORE] Upgrade `gnupg2` to 2.4.9 for CVE-2025-68973 [HIGH] (#15430)) gpgme-1.23.2-2.azl3.aarch64.rpm azurelinux-repos-shared-3.0-5.azl3.noarch.rpm azurelinux-repos-3.0-5.azl3.noarch.rpm From 713dd0a7699d3717eb91a9d3a43e687f6faed308 Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Mon, 5 Jan 2026 13:07:02 -0800 Subject: [PATCH 6/9] Conflicts resolved by Auto-Cherry Pick for toolkit/resources/manifests/package/pkggen_core_x86_64.txt --- toolkit/resources/manifests/package/pkggen_core_x86_64.txt | 5 ----- 1 file changed, 5 deletions(-) diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt index 2406d009dee..f5a901deaa4 100644 --- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt @@ -228,13 +228,8 @@ libksba-devel-1.6.4-1.azl3.x86_64.rpm libxslt-1.1.43-3.azl3.x86_64.rpm npth-1.6-4.azl3.x86_64.rpm pinentry-1.2.1-1.azl3.x86_64.rpm -<<<<<<< HEAD -gnupg2-2.4.8-1.azl3.x86_64.rpm -gnupg2-lang-2.4.8-1.azl3.x86_64.rpm -======= gnupg2-2.4.9-1.azl3.x86_64.rpm gnupg2-lang-2.4.9-1.azl3.x86_64.rpm ->>>>>>> 5936bd63f ([AUTOPATCHER-CORE] Upgrade `gnupg2` to 2.4.9 for CVE-2025-68973 [HIGH] (#15430)) gpgme-1.23.2-2.azl3.x86_64.rpm azurelinux-repos-shared-3.0-5.azl3.noarch.rpm azurelinux-repos-3.0-5.azl3.noarch.rpm From 22590de9f14f117b30687558b533ce1c9a3b0c8f Mon Sep 17 00:00:00 2001 
From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Mon, 5 Jan 2026 13:07:04 -0800 Subject: [PATCH 7/9] Conflicts resolved by Auto-Cherry Pick for toolkit/resources/manifests/package/toolchain_aarch64.txt --- toolkit/resources/manifests/package/toolchain_aarch64.txt | 6 ------ 1 file changed, 6 deletions(-) diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt index 430417b3cd4..44d878a52dc 100644 --- a/toolkit/resources/manifests/package/toolchain_aarch64.txt +++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt @@ -140,15 +140,9 @@ glibc-tools-2.38-16.azl3.aarch64.rpm gmp-6.3.0-1.azl3.aarch64.rpm gmp-debuginfo-6.3.0-1.azl3.aarch64.rpm gmp-devel-6.3.0-1.azl3.aarch64.rpm -<<<<<<< HEAD -gnupg2-2.4.8-1.azl3.aarch64.rpm -gnupg2-debuginfo-2.4.8-1.azl3.aarch64.rpm -gnupg2-lang-2.4.8-1.azl3.aarch64.rpm -======= gnupg2-2.4.9-1.azl3.aarch64.rpm gnupg2-debuginfo-2.4.9-1.azl3.aarch64.rpm gnupg2-lang-2.4.9-1.azl3.aarch64.rpm ->>>>>>> 5936bd63f ([AUTOPATCHER-CORE] Upgrade `gnupg2` to 2.4.9 for CVE-2025-68973 [HIGH] (#15430)) gperf-3.1-5.azl3.aarch64.rpm gperf-debuginfo-3.1-5.azl3.aarch64.rpm gpgme-1.23.2-2.azl3.aarch64.rpm From fd6cbffa43847f507c6370ab2e3c01aa207a2911 Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Mon, 5 Jan 2026 13:07:06 -0800 Subject: [PATCH 8/9] Conflicts resolved by Auto-Cherry Pick for toolkit/resources/manifests/package/toolchain_x86_64.txt --- toolkit/resources/manifests/package/toolchain_x86_64.txt | 6 ------ 1 file changed, 6 deletions(-) diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt index 9469b49ce45..b2f695e5a8c 100644 --- a/toolkit/resources/manifests/package/toolchain_x86_64.txt +++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt 
@@ -147,15 +147,9 @@ glibc-tools-2.38-16.azl3.x86_64.rpm gmp-6.3.0-1.azl3.x86_64.rpm gmp-debuginfo-6.3.0-1.azl3.x86_64.rpm gmp-devel-6.3.0-1.azl3.x86_64.rpm -<<<<<<< HEAD -gnupg2-2.4.8-1.azl3.x86_64.rpm -gnupg2-debuginfo-2.4.8-1.azl3.x86_64.rpm -gnupg2-lang-2.4.8-1.azl3.x86_64.rpm -======= gnupg2-2.4.9-1.azl3.x86_64.rpm gnupg2-debuginfo-2.4.9-1.azl3.x86_64.rpm gnupg2-lang-2.4.9-1.azl3.x86_64.rpm ->>>>>>> 5936bd63f ([AUTOPATCHER-CORE] Upgrade `gnupg2` to 2.4.9 for CVE-2025-68973 [HIGH] (#15430)) gperf-3.1-5.azl3.x86_64.rpm gperf-debuginfo-3.1-5.azl3.x86_64.rpm gpgme-1.23.2-2.azl3.x86_64.rpm From 6595029de61f34d95d5127ceabc2eba2468db499 Mon Sep 17 00:00:00 2001 From: jslobodzian Date: Mon, 5 Jan 2026 17:04:33 -0500 Subject: [PATCH 9/9] Update changelog for gnupg2 version upgrades --- SPECS/gnupg2/gnupg2.spec | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/SPECS/gnupg2/gnupg2.spec b/SPECS/gnupg2/gnupg2.spec index 40012d0bdc7..b5228c7fa14 100644 --- a/SPECS/gnupg2/gnupg2.spec +++ b/SPECS/gnupg2/gnupg2.spec @@ -106,8 +106,10 @@ ln -s $(pwd)/bin/gpg $(pwd)/bin/gpg2 %changelog * Mon Jan 05 2026 CBL-Mariner Servicing Account - 2.4.9-1 - Auto-upgrade to 2.4.9 - for CVE-2025-68973 -* Mon Dec 22 2025 Ratiranjan Behera - 2.4.9-2 + +* Mon Dec 22 2025 Ratiranjan Behera - 2.4.8-1 - Upgrade gnupg2 to 2.4.8 for CVE-2025-30258 + * Mon Jun 23 2025 Kavya Sree Kaitepalli - 2.4.7-1 - Upgrade to version 2.4.7