Amazon Linux 2023 Security Advisory: ALAS2023-2025-1107
Advisory Released Date: 2025-08-08
Advisory Updated Date: 2025-08-08
In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect usage flags, the user loses the ability to verify signatures made from certain other signing keys, aka a "verification DoS."
Exploitation of this vulnerability requires the customer to manually import a crafted certificate containing fingerprints that will then be used to verify signatures. Considering the tradeoff between the stability of Amazon Linux and the exploitation complexity of CVE-2025-30258, a fix will not be provided for gnupg2 in Amazon Linux 2 at this time. Users are advised to mitigate this issue by not importing suspicious GPG certificates and deleting any malicious keys from their keyrings. (CVE-2025-30258)
Affected Packages:
gnupg2
Issue Correction:
Run dnf update gnupg2 --releasever 2023.8.20250808 or dnf update --advisory ALAS2023-2025-1107 --releasever 2023.8.20250808 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation
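The following is an added check, not part of the advisory, that decides whether a host's installed gnupg2 build is at or above the fixed version-release listed in this advisory (2.3.7-1.amzn2023.0.5). It assumes rpm is available for the live query and GNU sort -V for the version comparison; the comparison is an approximation of rpmvercmp that is adequate for builds sharing this advisory's version format.

```shell
#!/bin/sh
# Fixed gnupg2 version-release for ALAS2023-2025-1107 (taken from the advisory).
FIXED_EVR="2.3.7-1.amzn2023.0.5"

# evr_at_least INSTALLED FIXED
# Returns 0 when INSTALLED sorts at or after FIXED. Uses GNU sort -V as an
# approximation of rpmvercmp (assumption: same-format version strings).
evr_at_least() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# gnupg2_is_fixed INSTALLED
# Returns 0 when the given version-release carries the fix for CVE-2025-30258.
gnupg2_is_fixed() {
    evr_at_least "$1" "$FIXED_EVR"
}

# Query the installed version-release from the rpm database (e.g. 2.3.7-1.amzn2023.0.4).
installed_gnupg2_evr() {
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' gnupg2 2>/dev/null
}

# Report the host's state: 0 patched, 1 vulnerable, 2 cannot determine.
check_host() {
    installed=$(installed_gnupg2_evr) || {
        echo "gnupg2 not installed or rpm not available on this host"
        return 2
    }
    if gnupg2_is_fixed "$installed"; then
        echo "gnupg2 $installed: contains the fix from ALAS2023-2025-1107"
        return 0
    fi
    echo "gnupg2 $installed: affected by CVE-2025-30258, update with dnf as described in the advisory"
    return 1
}

# Run the live check only when invoked as: sh check_gnupg2.sh --check
if [ "${1:-}" = "--check" ]; then
    check_host
fi
```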
aarch64:
gnupg2-minimal-debuginfo-2.3.7-1.amzn2023.0.5.aarch64
gnupg2-minimal-2.3.7-1.amzn2023.0.5.aarch64
gnupg2-smime-debuginfo-2.3.7-1.amzn2023.0.5.aarch64
gnupg2-smime-2.3.7-1.amzn2023.0.5.aarch64
gnupg2-debuginfo-2.3.7-1.amzn2023.0.5.aarch64
gnupg2-debugsource-2.3.7-1.amzn2023.0.5.aarch64
gnupg2-2.3.7-1.amzn2023.0.5.aarch64
src:
gnupg2-2.3.7-1.amzn2023.0.5.src
x86_64:
gnupg2-minimal-debuginfo-2.3.7-1.amzn2023.0.5.x86_64
gnupg2-smime-debuginfo-2.3.7-1.amzn2023.0.5.x86_64
gnupg2-minimal-2.3.7-1.amzn2023.0.5.x86_64
gnupg2-smime-2.3.7-1.amzn2023.0.5.x86_64
gnupg2-debugsource-2.3.7-1.amzn2023.0.5.x86_64
gnupg2-debuginfo-2.3.7-1.amzn2023.0.5.x86_64
gnupg2-2.3.7-1.amzn2023.0.5.x86_64