Ubuntu has issued an advisory on April 3: https://ubuntu.com/security/notices/USN-7412-1
Source RPM: (none) => gnupg2-2.4.5-5.mga10.src.rpm, gnupg2-2.3.8-1.2.mga9.src.rpm
Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2025-30258
Status comment: (none) => Fixed upstream in 2.5.5 and patch available from Ubuntu
https://ubuntu.com/security/CVE-2025-30258#patch-details "Patch details" lists all these patches!:
Upstream: https://dev.gnupg.org/rG48978ccb4e20866472ef18436a32744350a65158
Upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=48978ccb4e20866472ef18436a32744350a65158
Upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=d3d7713c1799754160260cb350309dd183b397f5
Upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=25d748c3dfc0102f9e54afea59ff26b3969bd8c1
Upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=9cd371b12d80cfc5bc85cb6e5f5eebb4decbe94f
Upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=da0164efc7f32013bc24d97b9afa9f8d67c318bb
Upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=1e581619bf5315957f2be06b3b1a7f513304c126
Upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=4be25979a6b3e2a79d7c9667b07db8b09fb046e9
for each of which 'commitdiff' seems to show a patch.

Can we simply update M9 to the new version?

Assigning globally as different packagers maintain this SRPM.
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated package fixes a security vulnerability:

In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect usage flags, the user loses the ability to verify signatures made from certain other signing keys, aka a "verification DoS". (CVE-2025-30258)

References:
https://ubuntu.com/security/notices/USN-7412-1
========================

Updated package in core/updates_testing:
========================
gnupg2-2.3.8-1.3.mga9

from SRPM:
gnupg2-2.3.8-1.3.mga9.src.rpm
Version: Cauldron => 9
Source RPM: gnupg2-2.4.5-5.mga10.src.rpm, gnupg2-2.3.8-1.2.mga9.src.rpm => gnupg2-2.3.8-1.2.mga9.src.rpm
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA9TOO => (none)
Status: NEW => ASSIGNED
Status comment: Fixed upstream in 2.5.5 and patch available from Ubuntu => (none)
CC: (none) => mageia
MGA9-64 Plasma Wayland on Compaq H000SB.
No installation issues.
Ref bug 30591 for testing:
Created new pair in Kleopatra, worked OK. Then used Kleopatra to encrypt a text file, renamed the resulting .gpg file and decrypted this one (avoiding overwriting the original .txt file) and that all worked OK.

$ gpg2 --list-keys
/home/tester9/.gnupg/pubring.kbx
--------------------------------
pub   ed25519 2025-04-11 [SC] [expires: 2027-04-11]
      12E1350FA87C8E8D69ACB5BA1D01AFA901C47E49
uid           [ultimate] Tester9 <emailaddress>
sub   cv25519 2025-04-11 [E] [expires: 2027-04-11]

$ gpg2 --list-secret-keys
/home/tester9/.gnupg/pubring.kbx
--------------------------------
sec   ed25519 2025-04-11 [SC] [expires: 2027-04-11]
      12E1350FA87C8E8D69ACB5BA1D01AFA901C47E49
uid           [ultimate] Tester9 <emailaddress>
ssb   cv25519 2025-04-11 [E] [expires: 2027-04-11]

Looks OK.
Whiteboard: (none) => MGA9-64-OK
CC: (none) => herman.viaene
MGA9-32

gpg2 --list-keys
gpg2 --list-secret-keys
man gpg2
gpg2 --gen-key
gpg2 --fingerprint --keyid-format long
gpg2 -c systemd.txt
gpg2 -d systemd.txt.gpg

All of this worked as expected.
CC: (none) => brtians1
Whiteboard: MGA9-64-OK => MGA9-64-OK MGA9-32-OK
Validating.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2025-0133.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED