From the 256 release notes:

"""
* CVE-2024-25711: Use a deterministic name when extracting content from GPG artifacts instead of trusting the value of gpg's --use-embedded-filenames. This prevents a potential information disclosure vulnerability that could have been exploited by providing a specially-crafted GPG file with an embedded filename of, say, "../../.ssh/id_rsa". Many thanks to Daniel Kahn Gillmor <dkg> for reporting this issue and providing feedback. (Closes: reproducible-builds/diffoscope#361)
"""
Created diffoscope tracking bugs for this issue:

Affects: fedora-all [bug 2264736]
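The class of fix described in the release note, as an added example (not diffoscope's own code): it contrasts where an extractor would write if it trusted the filename embedded in the GPG file with a caller-chosen output path passed to gpg via `--output`. The name `FIXED_NAME`, the helper functions and the directory layout are assumptions made for illustration.

```python
import os
import tempfile

FIXED_NAME = "extracted"  # assumed placeholder, not diffoscope's actual choice


def embedded_name_target(dest_dir, embedded_name):
    """Path written if the extractor trusts the name stored in the GPG file."""
    return os.path.normpath(os.path.join(dest_dir, embedded_name))


def is_inside(dest_dir, path):
    """True when path stays within dest_dir after normalisation."""
    dest = os.path.abspath(dest_dir)
    return os.path.commonpath([dest, os.path.abspath(path)]) == dest


def deterministic_target(dest_dir):
    """Output path chosen by the caller; the embedded name is never consulted."""
    return os.path.join(dest_dir, FIXED_NAME)


def gpg_argv(source, dest_dir):
    """gpg command line that writes to the caller-chosen path via --output."""
    return ["gpg", "--batch", "--output", deterministic_target(dest_dir),
            "--decrypt", source]


def demo():
    """Compare both strategies inside a scratch directory (constructed input)."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "a", "b")
        os.makedirs(dest)
        # Embedded filename taken from the release note's own example.
        risky = embedded_name_target(dest, "../../.ssh/id_rsa")
        safe = deterministic_target(dest)
        return is_inside(dest, risky), is_inside(dest, safe)


if __name__ == "__main__":
    print(demo())
```

The containment check also rejects absolute embedded names, because `os.path.join` discards the destination directory when the second component starts with `/`.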