Your message dated Tue, 10 Mar 2026 14:34:11 +0000
with message-id <[email protected]>
and subject line Bug#1127844: fixed in golang-github-go-git-go-git 5.17.0-1
has caused the Debian Bug report #1127844,
regarding golang-github-go-git-go-git: CVE-2026-25934
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1127844: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127844
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: golang-github-go-git-go-git
Version: 5.16.2-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for golang-github-go-git-go-git.

CVE-2026-25934[0]:
| go-git is a highly extensible git implementation library written in
| pure Go. Prior to 5.16.5, a vulnerability was discovered in go-git
| whereby data integrity values for .pack and .idx files were not
| properly verified. This resulted in go-git potentially consuming
| corrupted files, which would likely result in unexpected errors such
| as object not found. For context, clients fetch packfiles from
| upstream Git servers. Those files contain a checksum of their
| contents, so that clients can perform integrity checks before
| consuming it. The pack indexes (.idx) are generated locally by
| go-git, or the git cli, when new .pack files are received and
| processed. The integrity checks for both files were not being
| verified correctly. This vulnerability is fixed in 5.16.5.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-25934
    https://www.cve.org/CVERecord?id=CVE-2026-25934
[1] https://github.com/go-git/go-git/security/advisories/GHSA-37cx-329c-33x3

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
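The integrity check the advisory text describes, as an added example (not go-git's code and not part of the original report): a SHA-1 format .pack ends with the SHA-1 of all preceding bytes, and a .idx ends with the pack's checksum followed by the SHA-1 of the index itself. The names `VerifyTrailer`, `VerifyIdx`, `SamplePack` and `SampleIdx` are hypothetical, and the sample files are constructed inline.

```go
package main

import (
	"bytes"
	"crypto/sha1"
	"errors"
	"fmt"
)

// VerifyTrailer splits off the final 20 bytes of a .pack or .idx and requires
// them to be the SHA-1 of everything before them (SHA-1 object format assumed).
func VerifyTrailer(data []byte) (body, sum []byte, err error) {
	n := len(data) - sha1.Size
	if n < 0 {
		return nil, nil, errors.New("shorter than its checksum trailer")
	}
	body, sum = data[:n], data[n:]
	if want := sha1.Sum(body); !bytes.Equal(want[:], sum) {
		return nil, nil, fmt.Errorf("trailer %x != content hash %x", sum, want)
	}
	return body, sum, nil
}

// VerifyIdx checks the index's own trailer, then that the pack checksum it
// records (the 20 bytes before that trailer) belongs to the verified pack.
func VerifyIdx(idx, packSum []byte) error {
	body, _, err := VerifyTrailer(idx)
	if err != nil {
		return err
	}
	if len(packSum) != sha1.Size || !bytes.HasSuffix(body, packSum) {
		return errors.New("idx records a different pack checksum")
	}
	return nil
}

// Constructed samples (not real repository data): an empty v2 pack and its v2 index.
func seal(b []byte) []byte { s := sha1.Sum(b); return append(b, s[:]...) }
func SamplePack() []byte   { return seal([]byte("PACK\x00\x00\x00\x02\x00\x00\x00\x00")) }
func SampleIdx(packSum []byte) []byte {
	b := append([]byte("\xfftOc\x00\x00\x00\x02"), make([]byte, 256*4)...)
	return seal(append(b, packSum...))
}

func main() {
	_, sum, err := VerifyTrailer(SamplePack())
	fmt.Println("pack:", err, "idx:", VerifyIdx(SampleIdx(sum), sum))
}
```

A consumer that runs both checks before parsing any object rejects a corrupted pack, a corrupted index, and an index that was generated for a different pack.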
--- Begin Message ---
Source: golang-github-go-git-go-git
Source-Version: 5.17.0-1
Done: Andrew Lee (李健秋) <[email protected]>

We believe that the bug you reported is fixed in the latest version of
golang-github-go-git-go-git, which is due to be installed in the Debian FTP 
archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andrew Lee (李健秋) <[email protected]> (supplier of updated 
golang-github-go-git-go-git package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 10 Mar 2026 14:46:14 +0100
Source: golang-github-go-git-go-git
Architecture: source
Version: 5.17.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <[email protected]>
Changed-By: Andrew Lee (李健秋) <[email protected]>
Closes: 1127844
Changes:
 golang-github-go-git-go-git (5.17.0-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream version 5.17.0.
     - Fix CVE-2026-25934. (Closes: #1127844)
   * debian/control: drop Priority: optional (now the default).
   * debian/control: bump Standards-Version to 4.7.3.
   * Drop fix-ftbfs.patch: included upstream.
   * debian/control: new depends on golang-github-stretchr-testify-dev.
   * debian/copyright: added myself.
   * debian/control: bump depends on golang-github-go-git-go-billy-dev
     (>= 5.8.0).

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
