A critical GnuPG security update

There is a new GnuPG update for a “critical security bug” in recent
GnuPG releases.

A crafted CMS (S/MIME) EnvelopedData message carrying an oversized
wrapped session key can cause a stack buffer overflow in gpg-agent
during the PKDECRYPT–kem=CMS handling. This can easily be used
for a DoS but, worse, the memory corruption can very likley also be
used to mount a remote code execution attack. The bug was
introduced while changing an internal API to the FIPS required KEM
API.

Only versions 2.5.13 through 2.5.16 are affected.