Source: golang-github-theupdateframework-go-tuf Version: 2.3.0+0.7.0-1 Severity: important Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerability was published for golang-github-theupdateframework-go-tuf. CVE-2026-23992[0]: | go-tuf is a Go implementation of The Update Framework (TUF). | Starting in version 2.0.0 and prior to version 2.3.1, a compromised | or misconfigured TUF repository can have the configured value of | signature thresholds set to 0, which effectively disables signature | verification. This can lead to unauthorized modification to TUF | metadata files is possible at rest, or during transit as no | integrity checks are made. Version 2.3.1 fixes the issue. As a | workaround, always make sure that the TUF metadata roles are | configured with a threshold of at least 1. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-23992 https://www.cve.org/CVERecord?id=CVE-2026-23992 [1] https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-fphv-w9fq-2525 [2] https://github.com/theupdateframework/go-tuf/commit/b38d91fdbc69dfe31fe9230d97dafe527ea854a0 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
