Your message dated Wed, 04 Feb 2026 23:05:23 +0000
with message-id <[email protected]>
and subject line Bug#1126276: fixed in rekor 1.5.0-1
has caused the Debian Bug report #1126276,
regarding rekor: CVE-2026-24117
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1126276: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126276
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: rekor
Version: 1.4.3-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for rekor.

CVE-2026-24117[0]:
| Rekor is a software supply chain transparency log. In versions 1.4.3
| and below, attackers can trigger SSRF to arbitrary internal services
| because /api/v1/index/retrieve supports retrieving a public key via
| user-provided URL. Since the SSRF can only trigger GET requests, the
| request cannot mutate state. The response from the GET request is
| not returned to the caller so data exfiltration is not possible. A
| malicious actor could attempt to probe an internal network through
| Blind SSRF. The issue has been fixed in version 1.5.0. To workaround
| this issue, disable the search endpoint with
| --enable_retrieve_api=false.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-24117
    https://www.cve.org/CVERecord?id=CVE-2026-24117
[1] https://github.com/sigstore/rekor/security/advisories/GHSA-4c4x-jm2x-pf9j
[2] https://github.com/sigstore/rekor/commit/60ef2bceba192c5bf9327d003bceea8bf1f8275f

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
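The advisory text in the report above describes a server fetching a public key from a caller-supplied URL without restricting where that URL may point. The following Go function is an added example of the destination check that closes this class of blind SSRF; it is not rekor's code and not the upstream fix referenced in [2]. The function name CheckFetchURL, the injected resolver type, and the hostnames and addresses in the fixed lookup table are assumptions constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
)

// cgnat is 100.64.0.0/10, a range net.IP.IsPrivate does not cover but
// that cloud providers routinely use for internal services.
var _, cgnat, _ = net.ParseCIDR("100.64.0.0/10")

// LookupFunc resolves a host name to its addresses. It is injected so
// the check runs offline against a fixed table here, and so production
// code uses exactly the resolver the later HTTP client will use.
type LookupFunc func(host string) ([]net.IP, error)

// CheckFetchURL decides whether a server may fetch a caller-supplied URL.
// It rejects anything but https on port 443, credentials in the URL,
// hosts that do not resolve, and any literal or resolved address in
// loopback, link-local (including 169.254.169.254), private or CGNAT
// space. Every address in the DNS answer must pass, not just the first.
func CheckFetchURL(raw string, lookup LookupFunc) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("unparseable url: %w", err)
	}
	if u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	if u.User != nil {
		return errors.New("credentials in url not allowed")
	}
	if p := u.Port(); p != "" && p != "443" {
		return fmt.Errorf("port %s not allowed", p)
	}
	host := u.Hostname()
	if host == "" {
		return errors.New("empty host")
	}
	ips := []net.IP{net.ParseIP(host)} // literal address, if it is one
	if ips[0] == nil {
		if ips, err = lookup(host); err != nil {
			return fmt.Errorf("resolve %s: %w", host, err)
		}
	}
	if len(ips) == 0 {
		return fmt.Errorf("%s resolved to no addresses", host)
	}
	for _, ip := range ips {
		if blocked(ip) {
			return fmt.Errorf("%s points at blocked address %s", host, ip)
		}
	}
	return nil
}

// blocked reports whether ip lies in a range a server-side fetcher must
// never contact. IPv4-mapped IPv6 (::ffff:10.0.0.1) is unmapped first so
// it cannot be used to slip past the IPv4 checks.
func blocked(ip net.IP) bool {
	if v4 := ip.To4(); v4 != nil {
		ip = v4
	}
	return ip.IsUnspecified() || ip.IsLoopback() || ip.IsPrivate() ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() || cgnat.Contains(ip)
}

// fixedLookup is a constructed, offline DNS table standing in for a real
// resolver; rebind.attacker.tld models an answer mixing public and private.
func fixedLookup(host string) ([]net.IP, error) {
	table := map[string][]string{
		"keys.example.org":      {"203.0.113.10"},
		"metadata.attacker.tld": {"169.254.169.254"},
		"rebind.attacker.tld":   {"203.0.113.11", "10.0.0.5"},
	}
	addrs, ok := table[host]
	if !ok {
		return nil, errors.New("no such host")
	}
	var ips []net.IP
	for _, a := range addrs {
		ips = append(ips, net.ParseIP(a))
	}
	return ips, nil
}

func main() {
	for _, raw := range []string{
		"https://keys.example.org/rekor.pub",
		"http://keys.example.org/rekor.pub",
		"https://[::ffff:10.0.0.1]/",
		"https://metadata.attacker.tld/latest/meta-data/",
		"https://rebind.attacker.tld/key",
	} {
		fmt.Printf("%-48s -> %v\n", raw, CheckFetchURL(raw, fixedLookup))
	}
}
```

The check resolves the name itself rather than trusting the HTTP client to do so, which is what lets it reject a mixed DNS answer. In real code the same check must also be applied to any redirect target, since a client that follows a 3xx would otherwise fetch a destination that was never inspected, and the connection should be made to the address that was checked rather than re-resolved.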
--- Begin Message ---
Source: rekor
Source-Version: 1.5.0-1
Done: Simon Josefsson <[email protected]>

We believe that the bug you reported is fixed in the latest version of
rekor, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon Josefsson <[email protected]> (supplier of updated rekor package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 04 Feb 2026 23:10:05 +0100
Source: rekor
Architecture: source
Version: 1.5.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <[email protected]>
Changed-By: Simon Josefsson <[email protected]>
Closes: 1126275 1126276
Changes:
 rekor (1.5.0-1) unstable; urgency=medium
 .
   * New upstream version
     - Fix CVE-2026-23831 (Closes: #1126275)
     - Fix CVE-2026-24117 (Closes: #1126276)
   * Drop Priority: optional
   * Standards-Version: 4.7.3
   * Bump debian/* copyright years
Checksums-Sha1:
 eee118a53ef3ddea7400c00e734c1b9c03c172dc 3581 rekor_1.5.0-1.dsc
 75e578a3d4925f84bf00eb5c0b2f935773d1c7f4 565992 rekor_1.5.0.orig.tar.xz
 7dc065b0f05614db711fff741f32ce6b28359d3c 5132 rekor_1.5.0-1.debian.tar.xz
 6fe884de6cc515c82b70ce2101058242dce15862 1315048 rekor_1.5.0-1.git.tar.xz
 321c27136236c2c6af6cd6444bdfedd43953abae 17286 rekor_1.5.0-1_source.buildinfo
Checksums-Sha256:
 abf89dc5d317ef09fc04035b2cd6599225a45b0f3f29ff2a3bd3f82bdd839770 3581 rekor_1.5.0-1.dsc
 112995dcadb270904ff80ba3cbea462951296cc00238c3d5376221c7268255de 565992 rekor_1.5.0.orig.tar.xz
 28033150cee4b1fcd8063439498092491c2cb39b951988ad8077b9f73d93652e 5132 rekor_1.5.0-1.debian.tar.xz
 b43109769a3e078491eb436a4534e1231c91e9f305d20bf3d01317ab9889a251 1315048 rekor_1.5.0-1.git.tar.xz
 4b3ab798392c883b58bf32a00dc71beaccb00fb9736f26f0c1ad8625350885aa 17286 rekor_1.5.0-1_source.buildinfo
Files:
 42ed6858e3da2997724eb1cd787da5cd 3581 golang optional rekor_1.5.0-1.dsc
 44149b2b2b1fb766247b31dd0cfe1c5c 565992 golang optional rekor_1.5.0.orig.tar.xz
 150753a4de159c08752c79369f6ce515 5132 golang optional rekor_1.5.0-1.debian.tar.xz
 2c0b6671085a5da60b1a7578a57725c3 1315048 golang None rekor_1.5.0-1.git.tar.xz
 736852a627a1e745950b309d60b5691e 17286 golang optional rekor_1.5.0-1_source.buildinfo
Git-Tag-Info: tag=1133d0464d3fcdeb9d376cc5dc4050cd05217d3b fp=a3cc9c870b9d310abad4cf2f51722b08fe4745a2
Git-Tag-Tagger: Simon Josefsson <[email protected]>

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
