CVE-2019-14855 is about Web of Trust forgeries using collisions in SHA-1 signatures. Given the required effort and the diminishing use of SHA-1 the impact is not very high. Nevertheless we will default in master to not accept SHA-1 key signatures and in 2.2 we will not accept any new key signatures. Note that this renders dsa1024 keys useless for the Web-of-Trust.
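The comment above describes rejecting SHA-1 key signatures (certifications) in the Web of Trust, either outright or only those newer than a cut-off date. The following is an added example, not GnuPG's own code, of how an administrator could audit a binary keyring (as produced by `gpg --export`) for such certifications before upgrading: it walks the OpenPGP packet stream, finds signature packets whose type is a certification (0x10..0x13) and whose hash algorithm ID is 2 (SHA-1), and optionally keeps only those created after a cut-off. The packet parser is minimal (no partial-body or indeterminate lengths), the keyring and the cut-off date are constructed placeholders, and the actual cut-off date GnuPG uses is not stated on this page.

```python
"""Audit a binary OpenPGP keyring for certifications that use SHA-1.
Added example for illustration; not GnuPG code."""
import struct
from datetime import datetime, timezone

SIGNATURE_TAG = 2                       # RFC 4880 section 5.2
HASH_SHA1 = 2                           # RFC 4880 section 9.4 hash-algorithm ID
CERTIFICATION_TYPES = {0x10, 0x11, 0x12, 0x13}   # generic/persona/casual/positive
SUBPKT_CREATION_TIME = 2                # RFC 4880 section 5.2.3.4
# Placeholder cut-off for demonstration only; GnuPG's real value is not on this page.
SAMPLE_CUTOFF = datetime(2019, 1, 1, tzinfo=timezone.utc)


def iter_packets(data):
    """Yield (tag, body) per packet; supports old- and new-format headers."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header at offset %d" % pos)
        if ctb & 0x40:                                  # new-format header
            tag, first = ctb & 0x3F, data[pos + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[pos + 2] + 192, 3
            elif first == 255:
                length, hdr = struct.unpack(">I", data[pos + 2:pos + 6])[0], 6
            else:
                raise ValueError("partial body length not supported")
        else:                                           # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 0:
                length, hdr = data[pos + 1], 2
            elif ltype == 1:
                length, hdr = struct.unpack(">H", data[pos + 1:pos + 3])[0], 3
            elif ltype == 2:
                length, hdr = struct.unpack(">I", data[pos + 1:pos + 5])[0], 5
            else:
                raise ValueError("indeterminate length not supported")
        yield tag, data[pos + hdr:pos + hdr + length]
        pos += hdr + length


def iter_subpackets(area):
    """Yield (type, data) for each signature subpacket in a subpacket area."""
    pos = 0
    while pos < len(area):
        first = area[pos]
        if first < 192:
            length, hdr = first, 1
        elif first < 255:
            length, hdr = ((first - 192) << 8) + area[pos + 1] + 192, 2
        else:
            length, hdr = struct.unpack(">I", area[pos + 1:pos + 5])[0], 5
        body = area[pos + hdr:pos + hdr + length]
        yield body[0], body[1:]                         # first octet is the type
        pos += hdr + length


def parse_signature(body):
    """Return (version, sig_type, hash_algo, created) for a v3/v4 signature body."""
    version, created = body[0], None
    if version == 3:
        # v3 layout: version, 5, sigtype, time(4), keyid(8), pkalgo, hashalgo
        sig_type, hash_algo = body[2], body[12]
        created = struct.unpack(">I", body[3:7])[0]
    elif version == 4:
        sig_type, hash_algo = body[1], body[3]
        hashed_len = struct.unpack(">H", body[4:6])[0]
        for sp_type, sp_data in iter_subpackets(body[6:6 + hashed_len]):
            if sp_type == SUBPKT_CREATION_TIME:
                created = struct.unpack(">I", sp_data[:4])[0]
    else:
        raise ValueError("unsupported signature version %d" % version)
    when = datetime.fromtimestamp(created, timezone.utc) if created is not None else None
    return version, sig_type, hash_algo, when


def find_sha1_certifications(keyring, cutoff=None):
    """List (packet_index, version, sig_type, created) for every SHA-1
    certification; with a cutoff, only those created after it are reported."""
    hits = []
    for index, (tag, body) in enumerate(iter_packets(keyring)):
        if tag != SIGNATURE_TAG:
            continue
        version, sig_type, hash_algo, created = parse_signature(body)
        if sig_type not in CERTIFICATION_TYPES or hash_algo != HASH_SHA1:
            continue
        if cutoff is not None and created is not None and created <= cutoff:
            continue
        hits.append((index, version, sig_type, created))
    return hits


def _new_packet(tag, body):
    """Encode a packet with a new-format header and a one-octet length."""
    return bytes([0xC0 | tag, len(body)]) + body


def _v4_cert(hash_algo, created):
    """Minimal v4 positive certification (0x13) with a creation-time subpacket."""
    hashed = bytes([5, SUBPKT_CREATION_TIME]) + struct.pack(">I", int(created.timestamp()))
    return (bytes([4, 0x13, 1, hash_algo]) + struct.pack(">H", len(hashed)) + hashed
            + b"\x00\x00" + b"\xAB\xCD" + b"\x00\x08\x7F")   # no unhashed, dummy hash/MPI


# Constructed sample keyring: dummy key, user ID, one SHA-256 certification,
# one SHA-1 certification from 2015 and one SHA-1 certification from 2020.
SAMPLE_KEYRING = (
    _new_packet(6, b"\x04" + b"\x00" * 4 + b"\x01" + b"\x00\x08\x7F" + b"\x00\x08\x03")
    + _new_packet(13, b"Alice <alice@example.org>")
    + _new_packet(SIGNATURE_TAG, _v4_cert(8, datetime(2020, 3, 1, tzinfo=timezone.utc)))
    + _new_packet(SIGNATURE_TAG, _v4_cert(HASH_SHA1, datetime(2015, 6, 1, tzinfo=timezone.utc)))
    + _new_packet(SIGNATURE_TAG, _v4_cert(HASH_SHA1, datetime(2020, 3, 1, tzinfo=timezone.utc)))
)

if __name__ == "__main__":
    for hit in find_sha1_certifications(SAMPLE_KEYRING, cutoff=SAMPLE_CUTOFF):
        print("packet %d: v%d type 0x%02x SHA-1 certification created %s" % hit)
```

Run against a real export (`gpg --export > keyring.gpg`, then read the file in binary mode) the same function lists which certifications a SHA-1 rejection would drop, which is the information needed to judge the Web-of-Trust impact of the change before deploying it.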
I am currently investigating the issue known as CVE-2019-14855 for Debian's LTS version Debian 8 "Jessie" and even Debian 7 "Wheezy".
Could you tell us more about the impact and if earlier versions of gnupg are affected? It appears no backports were made for < 2.2.x as the 1.4 series.
The change appears to change previous default behavior of gnupg. Does it make even sense to attempt a backport of the fixes?
What commits do exactly fix CVE-2019-14855? We currently believe that
are related but we are not sure if there are more commits which are required to fix CVE-2019-14855.
Thanks for all your work on GnuPG
FWIW, the second listed commit is the right one. You should only look at the STABLE-BRANCH-2-2 branch. master and that branch differ; in particular we do not have a cut-off date in master (to be 2.3).