Your message dated Thu, 19 Mar 2026 22:39:43 +0000
with message-id <[email protected]>
and subject line Bug#1126271: fixed in golang-github-theupdateframework-go-tuf 2.4.1+0.7.0-1
has caused the Debian Bug report #1126271,
regarding golang-github-theupdateframework-go-tuf: CVE-2026-23992
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1126271: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126271
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: golang-github-theupdateframework-go-tuf
Version: 2.3.0+0.7.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for golang-github-theupdateframework-go-tuf.

CVE-2026-23992[0]:
| go-tuf is a Go implementation of The Update Framework (TUF).
| Starting in version 2.0.0 and prior to version 2.3.1, a compromised
| or misconfigured TUF repository can have the configured value of
| signature thresholds set to 0, which effectively disables signature
| verification. This can lead to unauthorized modification of TUF
| metadata files at rest, or during transit, as no integrity checks
| are made. Version 2.3.1 fixes the issue. As a workaround, always
| make sure that the TUF metadata roles are configured with a
| threshold of at least 1.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-23992
    https://www.cve.org/CVERecord?id=CVE-2026-23992
[1] https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-fphv-w9fq-2525
[2] https://github.com/theupdateframework/go-tuf/commit/b38d91fdbc69dfe31fe9230d97dafe527ea854a0

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
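The advisory quoted in the report above describes a failure mode that is easy to check for on the consumer side: a role threshold of 0 is satisfied by zero valid signatures. The following Go program is an added example, not code from the bug report or from go-tuf itself. It parses only the `signed.roles` portion of a TUF `root.json` (field names `keyids` and `threshold` follow the TUF specification; everything else is ignored), reports roles whose threshold is below 1 or above the number of listed keys, and contrasts a naive "count reaches threshold" comparison with one that refuses thresholds below 1, which is the property the advisory's workaround relies on. The embedded `sampleRoot` is constructed for the example and its key IDs are placeholders; `NaiveThresholdMet` and `HardenedThresholdMet` are illustrative helper names, not go-tuf APIs.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Role holds the two fields of a TUF root-metadata role that matter for the
// threshold check (field names follow the TUF specification; other fields are ignored).
type Role struct {
	KeyIDs    []string `json:"keyids"`
	Threshold int      `json:"threshold"`
}

// rootMetadata mirrors just enough of a TUF root.json to reach signed.roles.
type rootMetadata struct {
	Signed struct {
		Roles map[string]Role `json:"roles"`
	} `json:"signed"`
}

// ThresholdProblems parses root metadata and returns one message per role whose
// threshold is unusable: below 1 (the condition CVE-2026-23992 describes, where a
// zero threshold is satisfied by zero signatures) or above the number of listed
// keys (never satisfiable). Messages are sorted so the result is deterministic.
func ThresholdProblems(rootJSON []byte) ([]string, error) {
	var root rootMetadata
	if err := json.Unmarshal(rootJSON, &root); err != nil {
		return nil, fmt.Errorf("parse root metadata: %w", err)
	}
	var problems []string
	for name, role := range root.Signed.Roles {
		switch {
		case role.Threshold < 1:
			problems = append(problems, fmt.Sprintf(
				"role %q: threshold %d would accept metadata with no valid signatures; must be >= 1",
				name, role.Threshold))
		case role.Threshold > len(role.KeyIDs):
			problems = append(problems, fmt.Sprintf(
				"role %q: threshold %d exceeds the %d key(s) listed for it",
				name, role.Threshold, len(role.KeyIDs)))
		}
	}
	sort.Strings(problems)
	return problems, nil
}

// NaiveThresholdMet is the comparison pattern the advisory warns about, written
// here for illustration (it is not go-tuf's code): it only asks whether the count
// of valid signatures reaches the threshold, so threshold 0 passes with none.
func NaiveThresholdMet(validSignatures, threshold int) bool {
	return validSignatures >= threshold
}

// HardenedThresholdMet refuses any threshold below 1 before counting signatures,
// which is the property the advisory's workaround (threshold of at least 1) relies on.
func HardenedThresholdMet(validSignatures, threshold int) bool {
	if threshold < 1 {
		return false
	}
	return validSignatures >= threshold
}

// sampleRoot is a constructed root.json fragment (key IDs are placeholders, not
// real keys): "targets" has the dangerous zero threshold and "snapshot" an
// unsatisfiable one.
var sampleRoot = []byte(`{
  "signed": {
    "_type": "root",
    "roles": {
      "root":      {"keyids": ["key-a", "key-b"], "threshold": 1},
      "targets":   {"keyids": ["key-c"],          "threshold": 0},
      "snapshot":  {"keyids": ["key-d"],          "threshold": 2},
      "timestamp": {"keyids": ["key-e"],          "threshold": 1}
    }
  },
  "signatures": []
}`)

func main() {
	problems, err := ThresholdProblems(sampleRoot)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, p := range problems {
		fmt.Println(p)
	}
	fmt.Println("naive check, 0 signatures at threshold 0:   ", NaiveThresholdMet(0, 0))
	fmt.Println("hardened check, 0 signatures at threshold 0:", HardenedThresholdMet(0, 0))
}
```

Running this against the constructed sample reports the `snapshot` and `targets` roles and shows the naive comparison returning true for zero signatures at threshold 0 while the hardened one returns false. The same parse-and-check can be run over a repository's published `root.json` before trusting it, independent of which go-tuf version the client links against.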
--- Begin Message ---
Source: golang-github-theupdateframework-go-tuf
Source-Version: 2.4.1+0.7.0-1
Done: Simon Josefsson <[email protected]>

We believe that the bug you reported is fixed in the latest version of
golang-github-theupdateframework-go-tuf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon Josefsson <[email protected]> (supplier of updated golang-github-theupdateframework-go-tuf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 19 Mar 2026 22:47:54 +0100
Source: golang-github-theupdateframework-go-tuf
Architecture: source
Version: 2.4.1+0.7.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <[email protected]>
Changed-By: Simon Josefsson <[email protected]>
Closes: 1126269 1126271 1126581
Changes:
 golang-github-theupdateframework-go-tuf (2.4.1+0.7.0-1) unstable; urgency=medium
 .
   * New upstream release
     - Fix CVE-2026-23991 (Closes: #1126269)
     - Fix CVE-2026-23992 (Closes: #1126271)
     - Fix CVE-2026-24686 (Closes: #1126581)
   * Use gbp sign-tags and upstream-vcs-tag
   * Drop Priority: optional
   * Bump debian/* copyright years
Checksums-Sha1:
 7ec3bec60eaaf62334024fbccd700015ab5097bf 3038 golang-github-theupdateframework-go-tuf_2.4.1+0.7.0-1.dsc
 0859e33960ea0481b51ea105b32d7d4558ed152f 514996 golang-github-theupdateframework-go-tuf_2.4.1+0.7.0.orig.tar.xz
 8f8d955002dc48e79e9462f1e450f449cf19cd96 5056 golang-github-theupdateframework-go-tuf_2.4.1+0.7.0-1.debian.tar.xz
 d8b16c04e407c3a0bbc2c41102f86a0c59fde3a4 881276 golang-github-theupdateframework-go-tuf_2.4.1+0.7.0-1.git.tar.xz
 df0115f7dcb81072389dccae634c5ed83d15e481 17483 golang-github-theupdateframework-go-tuf_2.4.1+0.7.0-1_source.buildinfo
Checksums-Sha256:
 bd87739858ac6bb0c31f0514d5808903eccbb6b05994b79f739bb6ed6ff561bb 3038 golang-github-theupdateframework-go-tuf_2.4.1+0.7.0-1.dsc
 a2e4b96b5febcb9f2dad727faea3379e85898bc549f96b233c9a2125b42d0b36 514996 golang-github-theupdateframework-go-tuf_2.4.1+0.7.0.orig.tar.xz
 78f6ce3f1f62767ed432c97790ae84b24c70255f57697ddc669accf83bd625b2 5056 golang-github-theupdateframework-go-tuf_2.4.1+0.7.0-1.debian.tar.xz
 b855a45d1f7c97eaf6c725c8dbf03b8f567d913d0def35df4a02d6ca0b04fd01 881276 golang-github-theupdateframework-go-tuf_2.4.1+0.7.0-1.git.tar.xz
 c430e9fc11ea6baf7405f1a6857f7b57f6767bd4502d5f6873030624634c2667 17483 golang-github-theupdateframework-go-tuf_2.4.1+0.7.0-1_source.buildinfo
Files:
 e5b5cb67bbba931335c24a3ed915345b 3038 golang optional golang-github-theupdateframework-go-tuf_2.4.1+0.7.0-1.dsc
 955252fa33d09b56ec02f0b0db675007 514996 golang optional golang-github-theupdateframework-go-tuf_2.4.1+0.7.0.orig.tar.xz
 2f9fdc91061b03c7aef69fb9fe2a7bad 5056 golang optional golang-github-theupdateframework-go-tuf_2.4.1+0.7.0-1.debian.tar.xz
 df84f9bd2acf64fdd3e0f073a6a7984d 881276 golang None golang-github-theupdateframework-go-tuf_2.4.1+0.7.0-1.git.tar.xz
 dc5da307eefcbd6e24f9a899c22373d5 17483 golang optional golang-github-theupdateframework-go-tuf_2.4.1+0.7.0-1_source.buildinfo
Git-Tag-Info: tag=17d2d7391c3a8e64a3d0e26658995cfbe719eca9 fp=a3cc9c870b9d310abad4cf2f51722b08fe4745a2
Git-Tag-Tagger: Simon Josefsson <[email protected]>



--- End Message ---
