{
  "document": {
    "aggregate_severity": {
      "text": "Medium"
    },
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "TuxCare License Agreement",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://tuxcare.com/contact/",
      "name": "TuxCare",
      "namespace": "https://tuxcare.com/"
    },
    "references": [
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.tuxcare.com/csaf/v2/els_os/rhel7els/vex/2025/cve-2025-30258-els_os-rhel7els.json"
      }
    ],
    "tracking": {
      "current_release_date": "2026-03-27T12:17:38Z",
      "generator": {
        "date": "2026-03-27T12:17:38Z",
        "engine": {
          "name": "pyCSAF"
        }
      },
      "id": "CVE-2025-30258-ELS_OS-RHEL7ELS",
      "initial_release_date": "2025-03-19T20:15:00Z",
      "revision_history": [
        {
          "date": "2025-03-19T20:15:00Z",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-03-26T12:37:59Z",
          "number": "2",
          "summary": "Official Publication"
        },
        {
          "date": "2026-03-27T12:17:38Z",
          "number": "3",
          "summary": "Update document"
        }
      ],
      "status": "final",
      "version": "3"
    },
    "title": "Security update on CVE-2025-30258"
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux 7",
                "product": {
                  "name": "Red Hat Enterprise Linux 7",
                  "product_id": "Red-Hat-7",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:o:redhat:enterprise_linux:7:*:*:*:*:*:*:*"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Enterprise Linux"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "gnupg2-0:2.0.22-5.el7_5.x86_64",
                "product": {
                  "name": "gnupg2-0:2.0.22-5.el7_5.x86_64",
                  "product_id": "gnupg2-0:2.0.22-5.el7_5.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/gnupg2@2.0.22-5.el7_5?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "gnupg2-smime-0:2.0.22-5.el7_5.x86_64",
                "product": {
                  "name": "gnupg2-smime-0:2.0.22-5.el7_5.x86_64",
                  "product_id": "gnupg2-smime-0:2.0.22-5.el7_5.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/gnupg2-smime@2.0.22-5.el7_5?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          }
        ],
        "category": "vendor",
        "name": "Red Hat, Inc."
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "gnupg2-0:2.0.22-5.el7_5.tuxcare.els1.x86_64",
                "product": {
                  "name": "gnupg2-0:2.0.22-5.el7_5.tuxcare.els1.x86_64",
                  "product_id": "gnupg2-0:2.0.22-5.el7_5.tuxcare.els1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/gnupg2@2.0.22-5.el7_5.tuxcare.els1?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "gnupg2-smime-0:2.0.22-5.el7_5.tuxcare.els1.x86_64",
                "product": {
                  "name": "gnupg2-smime-0:2.0.22-5.el7_5.tuxcare.els1.x86_64",
                  "product_id": "gnupg2-smime-0:2.0.22-5.el7_5.tuxcare.els1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/gnupg2-smime@2.0.22-5.el7_5.tuxcare.els1?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          }
        ],
        "category": "vendor",
        "name": "TuxCare"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "gnupg2-0:2.0.22-5.el7_5.tuxcare.els1.x86_64 as a component of Red Hat Enterprise Linux 7",
          "product_id": "Red-Hat-7:gnupg2-0:2.0.22-5.el7_5.tuxcare.els1.x86_64"
        },
        "product_reference": "gnupg2-0:2.0.22-5.el7_5.tuxcare.els1.x86_64",
        "relates_to_product_reference": "Red-Hat-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "gnupg2-smime-0:2.0.22-5.el7_5.tuxcare.els1.x86_64 as a component of Red Hat Enterprise Linux 7",
          "product_id": "Red-Hat-7:gnupg2-smime-0:2.0.22-5.el7_5.tuxcare.els1.x86_64"
        },
        "product_reference": "gnupg2-smime-0:2.0.22-5.el7_5.tuxcare.els1.x86_64",
        "relates_to_product_reference": "Red-Hat-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "gnupg2-0:2.0.22-5.el7_5.x86_64 as a component of Red Hat Enterprise Linux 7",
          "product_id": "Red-Hat-7:gnupg2-0:2.0.22-5.el7_5.x86_64"
        },
        "product_reference": "gnupg2-0:2.0.22-5.el7_5.x86_64",
        "relates_to_product_reference": "Red-Hat-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "gnupg2-smime-0:2.0.22-5.el7_5.x86_64 as a component of Red Hat Enterprise Linux 7",
          "product_id": "Red-Hat-7:gnupg2-smime-0:2.0.22-5.el7_5.x86_64"
        },
        "product_reference": "gnupg2-smime-0:2.0.22-5.el7_5.x86_64",
        "relates_to_product_reference": "Red-Hat-7"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-30258",
      "cwe": {
        "id": "CWE-754",
        "name": "Improper Check for Unusual or Exceptional Conditions"
      },
      "notes": [
        {
          "category": "description",
          "text": "In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect usage flags, the user loses the ability to verify signatures made from certain other signing keys, aka a \"verification DoS.\"",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "known_affected": [
          "Red-Hat-7:gnupg2-0:2.0.22-5.el7_5.tuxcare.els1.x86_64",
          "Red-Hat-7:gnupg2-0:2.0.22-5.el7_5.x86_64",
          "Red-Hat-7:gnupg2-smime-0:2.0.22-5.el7_5.tuxcare.els1.x86_64",
          "Red-Hat-7:gnupg2-smime-0:2.0.22-5.el7_5.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2025-30258"
        },
        {
          "category": "external",
          "summary": "GnuPG issue tracker task T7527",
          "url": "https://dev.gnupg.org/T7527"
        },
        {
          "category": "external",
          "summary": "GnuPG source repository commit 48978ccb4e20866472ef18436a32744350a65158",
          "url": "https://dev.gnupg.org/rG48978ccb4e20866472ef18436a32744350a65158"
        },
        {
          "category": "external",
          "summary": "gnupg-announce mailing list post 000491 (2025 Q1)",
          "url": "https://lists.gnupg.org/pipermail/gnupg-announce/2025q1/000491.html"
        }
      ],
      "release_date": "2025-03-19T20:15:00Z",
      "remediations": [
        {
          "category": "no_fix_planned",
          "details": "This is a local, high-complexity verification DoS that is triggered only if someone imports a maliciously crafted public certificate; it has no confidentiality or integrity impact and does not enable code execution or privilege escalation. Systems that use fixed, curated keyrings for package or artifact verification—and do not import untrusted keys at runtime—do not meet the attack precondition, so normal workflows remain unaffected. Given the need for a deliberate malicious key import and the DoS-only outcome, this can be safely deprioritized for managed enterprise VM/server fleets. Because no fix is planned for the listed packages, hosts that do import keys from untrusted sources still meet the precondition and should restrict imports to vetted keys.",
          "product_ids": [
            "Red-Hat-7:gnupg2-0:2.0.22-5.el7_5.tuxcare.els1.x86_64",
            "Red-Hat-7:gnupg2-0:2.0.22-5.el7_5.x86_64",
            "Red-Hat-7:gnupg2-smime-0:2.0.22-5.el7_5.tuxcare.els1.x86_64",
            "Red-Hat-7:gnupg2-smime-0:2.0.22-5.el7_5.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 4.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red-Hat-7:gnupg2-0:2.0.22-5.el7_5.tuxcare.els1.x86_64",
            "Red-Hat-7:gnupg2-0:2.0.22-5.el7_5.x86_64",
            "Red-Hat-7:gnupg2-smime-0:2.0.22-5.el7_5.tuxcare.els1.x86_64",
            "Red-Hat-7:gnupg2-smime-0:2.0.22-5.el7_5.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    }
  ]
}