Your message dated Wed, 24 Jun 2026 21:03:41 +0000
with message-id <[email protected]>
and subject line Bug#1136954: fixed in u-boot 2023.01+dfsg-2+deb12u3
has caused the Debian Bug report #1136954,
regarding u-boot: CVE-2026-46728
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1136954: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136954
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: u-boot
Version: 2025.01-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for u-boot.
CVE-2026-46728[0]:
| Das U-Boot before 2026.04 allows FIT (Flat Image Tree) signature
| verification bypass because hashed-nodes is omitted from a hash.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-46728
https://www.cve.org/CVERecord?id=CVE-2026-46728
[1] https://github.com/u-boot/u-boot/commit/2092322b31cc8b1f8c9e2e238d1043ae0637b241
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: u-boot
Source-Version: 2023.01+dfsg-2+deb12u3
Done: Andreas Henriksson <[email protected]>
We believe that the bug you reported is fixed in the latest version of
u-boot, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andreas Henriksson <[email protected]> (supplier of updated u-boot package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 22 Jun 2026 10:38:07 +0200
Source: u-boot
Architecture: source
Version: 2023.01+dfsg-2+deb12u3
Distribution: bookworm-security
Urgency: high
Maintainer: Vagrant Cascadian <[email protected]>
Changed-By: Andreas Henriksson <[email protected]>
Closes: 1056750 1081557 1136954
Changes:
u-boot (2023.01+dfsg-2+deb12u3) bookworm-security; urgency=high
.
* Non-maintainer upload by the LTS Team.
* CVE-2024-42040: buffer overread vulnerability in the DHCP implementation.
(Closes: #1081557)
* CVE-2026-46728: mishandles use of unit addresses in a FIT.
(Closes: #1136954)
* Remove avr32 arch support removed in dpkg 1.22.0 (Closes: #1056750)
- now also leads to dak rejecting uploads even for older suites
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---