Your message dated Fri, 20 Mar 2026 10:13:19 +0000
with message-id <[email protected]>
and subject line Bug#1128618: fixed in golang-filippo-edwards25519 1.2.0-1
has caused the Debian Bug report #1128618,
regarding golang-filippo-edwards25519: CVE-2026-26958
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1128618: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128618
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: golang-filippo-edwards25519
Version: 1.0.0~rc1+git20210721-0.1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for golang-filippo-edwards25519.

CVE-2026-26958[0]:
| filippo.io/edwards25519 is a Go library implementing the
| edwards25519 elliptic curve with APIs for building cryptographic
| primitives. In versions 1.1.0 and earlier, MultiScalarMult produces
| invalid results or undefined behavior if the receiver is not the
| identity point. If (*Point).MultiScalarMult is called on an
| initialized point that is not the identity point, it returns an
| incorrect result. If the method is called on an uninitialized point,
| the behavior is undefined. In particular, if the receiver is the
| zero value, MultiScalarMult returns an invalid point that compares
| Equal to every other point. Note that MultiScalarMult is a rarely
| used, advanced API. For example, users who depend on
| filippo.io/edwards25519 only through github.com/go-sql-driver/mysql
| are not affected. This issue has been fixed in version 1.1.1.

As described by upstream, MultiScalarMult is a rarely used,
advanced API. But I noticed that we have the same version across
bookworm up to unstable, so it might be a good idea to rebase unstable's
version to a recent version, aiming to include it in forky.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-26958
    https://www.cve.org/CVERecord?id=CVE-2026-26958
[1] https://github.com/FiloSottile/edwards25519/security/advisories/GHSA-fw7p-63qq-7hpr
[2] https://github.com/FiloSottile/edwards25519/commit/d1c650afb95fad0742b98d95f2eb2cf031393abb

Regards,
Salvatore

--- End Message ---
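
A triage aid for the version range in the CVE text above (1.1.0 and earlier affected, fixed in 1.1.1), added here as an example; it is not part of the bug report or of upstream's code. It scans go.mod text for the module and flags pinned versions older than 1.1.1. The names Finding, affected, scanGoMod and the sample go.mod are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

const modulePath = "filippo.io/edwards25519"

// Constructed sample go.mod for this example, not taken from a real project.
const sampleGoMod = `module example.test/app
require (
	filippo.io/edwards25519 v1.1.0 // indirect
	github.com/go-sql-driver/mysql v1.8.1
)`

// Finding is one require line for the module (hypothetical type).
type Finding struct{ Version string; Indirect, Affected bool }

// affected reports whether v sorts before 1.1.1; unparsable versions and pre-releases of 1.1.1 are flagged.
func affected(v string) bool {
	v, _, _ = strings.Cut(strings.TrimPrefix(v, "v"), "+") // drop build metadata
	core, pre, _ := strings.Cut(v, "-")                    // split off pre-release or pseudo-version suffix
	var n [3]int
	if _, err := fmt.Sscanf(core, "%d.%d.%d", &n[0], &n[1], &n[2]); err != nil {
		return true // unparsable: flag for manual review
	}
	for i, fixed := range [3]int{1, 1, 1} {
		if n[i] != fixed {
			return n[i] < fixed
		}
	}
	return pre != ""
}

// scanGoMod returns the require lines for the module; replace directives are not evaluated.
func scanGoMod(gomod string) []Finding {
	var out []Finding
	for _, raw := range strings.Split(gomod, "\n") {
		line, comment, _ := strings.Cut(raw, "//")
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) == 2 && f[0] == modulePath {
			out = append(out, Finding{f[1], strings.Contains(comment, "indirect"), affected(f[1])})
		}
	}
	return out
}

func main() {
	fmt.Println(scanGoMod(sampleGoMod))
}
```

An affected version is only a starting point for triage: per the CVE text, exposure depends on whether MultiScalarMult is actually called, so an `// indirect` hit still needs a check of which dependency pulls the module in.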
--- Begin Message ---
Source: golang-filippo-edwards25519
Source-Version: 1.2.0-1
Done: Simon Josefsson <[email protected]>

We believe that the bug you reported is fixed in the latest version of
golang-filippo-edwards25519, which is due to be installed in the Debian FTP 
archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon Josefsson <[email protected]> (supplier of updated 
golang-filippo-edwards25519 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 20 Mar 2026 09:45:59 +0100
Source: golang-filippo-edwards25519
Architecture: source
Version: 1.2.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <[email protected]>
Changed-By: Simon Josefsson <[email protected]>
Closes: 1128618
Changes:
 golang-filippo-edwards25519 (1.2.0-1) unstable; urgency=medium
 .
   * Team upload
 .
   [ Martin Dosch ]
   * New upstream version 1.1.0.
   * d/control: Bump Standards-Version to 4.7.0 (no changes necessary).
   * d/control: Set 'Multi-Arch: foreign'.
   * d/copyright: Fix several issues.
 .
   [ Simon Josefsson ]
   * New upstream version 1.2.0
     - Fix CVE-2026-26958 (Closes: #1128618)
   * Use watch v5
   * Use gbp upstream-vcs-tag
   * Drop Priority: optional
   * Drop Rules-Requires-Root: no
   * Standards-Version: 4.7.3
   * Use dh-sequence-golang
   * Bump debian/* copyright years
   * Improve d/copyright
Git-Tag-Info: tag=00221f6046e03d53b271fa44b11050d44de0f75a 
fp=a3cc9c870b9d310abad4cf2f51722b08fe4745a2
Git-Tag-Tagger: Simon Josefsson <[email protected]>

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----


--- End Message ---
