Your message dated Tue, 26 May 2026 16:05:43 +0000
with message-id <[email protected]>
and subject line Bug#1136095: fixed in golang-github-go-git-go-git 5.19.1-1
has caused the Debian Bug report #1136095,
regarding golang-github-go-git-go-git: CVE-2026-41506
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1136095: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136095
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: golang-github-go-git-go-git
Version: 5.17.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for golang-github-go-git-go-git.

CVE-2026-41506[0]:
| go-git is an extensible git implementation library written in pure
| Go. Prior to versions 5.18.0 and 6.0.0-alpha.2, go-git may leak HTTP
| authentication credentials when following redirects during smart-
| HTTP clone and fetch operations. This issue has been patched in
| versions 5.18.0 and 6.0.0-alpha.2.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-41506
    https://www.cve.org/CVERecord?id=CVE-2026-41506
[1] https://github.com/go-git/go-git/security/advisories/GHSA-3xc5-wrhm-f963
[2] https://github.com/go-git/go-git/commit/bcd20a9c525826081262a06a9ed9c3167abfcd53

Please adjust the affected versions in the BTS as needed.

Regards,
salvatore

--- End Message ---
--- Begin Message ---
Source: golang-github-go-git-go-git
Source-Version: 5.19.1-1
Done: Simon Josefsson <[email protected]>

We believe that the bug you reported is fixed in the latest version of
golang-github-go-git-go-git, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon Josefsson <[email protected]> (supplier of updated golang-github-go-git-go-git package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 26 May 2026 16:49:50 +0200
Source: golang-github-go-git-go-git
Architecture: source
Version: 5.19.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <[email protected]>
Changed-By: Simon Josefsson <[email protected]>
Closes: 1136095
Changes:
 golang-github-go-git-go-git (5.19.1-1) unstable; urgency=medium
 .
   * Team upload
   * New upstream (Closes: #1136095)
     - CVE-2026-41506
   * Use gbp sign-tags and upstream-vcs-tag
   * Use dh-sequence-golang
   * Bump debian/* copyright years
   * Add B-D on gpg/gpg-agent for checks
   * Pin watch to v5 for now
Git-Tag-Info: tag=7fdfaf233588bfec29e35825a481d47e22b3d9af fp=a3cc9c870b9d310abad4cf2f51722b08fe4745a2
Git-Tag-Tagger: Simon Josefsson <[email protected]>

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----


--- End Message ---