Your message dated Mon, 15 Jun 2026 10:34:07 +0000
with message-id <[email protected]>
and subject line Bug#1136954: fixed in u-boot 2025.01-3.2
has caused the Debian Bug report #1136954,
regarding u-boot: CVE-2026-46728
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1136954: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136954
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: u-boot
Version: 2025.01-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for u-boot.

CVE-2026-46728[0]:
| Das U-Boot before 2026.04 allows FIT (Flat Image Tree) signature
| verification bypass because hashed-nodes is omitted from a hash.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-46728
    https://www.cve.org/CVERecord?id=CVE-2026-46728
[1] https://github.com/u-boot/u-boot/commit/2092322b31cc8b1f8c9e2e238d1043ae0637b241

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: u-boot
Source-Version: 2025.01-3.2
Done: Andreas Henriksson <[email protected]>

We believe that the bug you reported is fixed in the latest version of
u-boot, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Henriksson <[email protected]> (supplier of updated u-boot package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 08 Jun 2026 14:48:23 +0200
Source: u-boot
Architecture: source
Version: 2025.01-3.2
Distribution: unstable
Urgency: high
Maintainer: Vagrant Cascadian <[email protected]>
Changed-By: Andreas Henriksson <[email protected]>
Closes: 1081557 1136954
Changes:
 u-boot (2025.01-3.2) unstable; urgency=high
 .
   * Non-maintainer upload by the LTS Team.
   * CVE-2024-42040 (Closes: #1081557)
   * CVE-2026-46728 (Closes: #1136954)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
