Source: golang-github-go-git-go-git
Version: 5.16.2-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for golang-github-go-git-go-git.

CVE-2026-25934[0]:
| go-git is a highly extensible git implementation library written in
| pure Go. Prior to 5.16.5, a vulnerability was discovered in go-git
| whereby data integrity values for .pack and .idx files were not
| properly verified. This resulted in go-git potentially consuming
| corrupted files, which would likely result in unexpected errors such
| as object not found. For context, clients fetch packfiles from
| upstream Git servers. Those files contain a checksum of their
| contents, so that clients can perform integrity checks before
| consuming it. The pack indexes (.idx) are generated locally by go-
| git, or the git cli, when new .pack files are received and
| processed. The integrity checks for both files were not being
| verified correctly. This vulnerability is fixed in 5.16.5.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-25934
    https://www.cve.org/CVERecord?id=CVE-2026-25934
[1] https://github.com/go-git/go-git/security/advisories/GHSA-37cx-329c-33x3

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
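The advisory above describes integrity values that go-git was not checking. As an added illustration of what those checks look like (example code written for this report, not go-git's own implementation and not the upstream fix), the following Go program verifies a .pack trailer and a version-2 .idx trailer. It assumes the SHA-1 object format, in which a packfile ends with the 20-byte SHA-1 of everything before it, and a v2 index ends with the checksum of the packfile it describes followed by the SHA-1 of the index's own preceding content. The empty pack and index it builds are constructed test input; the function names VerifyPack, VerifyIdx, buildEmptyPack and buildEmptyIdx are this example's own.

```go
package main

import (
	"bytes"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumption: SHA-1 object format, so every checksum is 20 bytes.
const hashLen = sha1.Size

var (
	ErrTooShort        = errors.New("file shorter than its checksum trailer")
	ErrPackChecksum    = errors.New("packfile trailer does not match its contents")
	ErrIdxChecksum     = errors.New("idx trailer does not match its contents")
	ErrIdxPackMismatch = errors.New("idx does not reference this packfile")
)

// VerifyPack checks that the final 20 bytes of a .pack file equal the SHA-1
// of all preceding bytes. On success it returns that trailer, which is the
// value an .idx for this pack must carry.
func VerifyPack(pack []byte) ([]byte, error) {
	if len(pack) < hashLen {
		return nil, ErrTooShort
	}
	body, trailer := pack[:len(pack)-hashLen], pack[len(pack)-hashLen:]
	sum := sha1.Sum(body)
	if subtle.ConstantTimeCompare(sum[:], trailer) != 1 {
		return nil, ErrPackChecksum
	}
	return trailer, nil
}

// VerifyIdx checks a version-2 .idx: the last 20 bytes must be the SHA-1 of
// the preceding content, and the 20 bytes before that must equal the
// checksum of the packfile the index was built for.
func VerifyIdx(idx, packChecksum []byte) error {
	if len(idx) < 2*hashLen {
		return ErrTooShort
	}
	sum := sha1.Sum(idx[:len(idx)-hashLen])
	if subtle.ConstantTimeCompare(sum[:], idx[len(idx)-hashLen:]) != 1 {
		return ErrIdxChecksum
	}
	ref := idx[len(idx)-2*hashLen : len(idx)-hashLen]
	if subtle.ConstantTimeCompare(ref, packChecksum) != 1 {
		return ErrIdxPackMismatch
	}
	return nil
}

// buildEmptyPack constructs a well-formed packfile holding zero objects:
// "PACK", version 2, object count 0, then the SHA-1 trailer (constructed input).
func buildEmptyPack() []byte {
	var b bytes.Buffer
	b.WriteString("PACK")
	binary.Write(&b, binary.BigEndian, uint32(2)) // pack version
	binary.Write(&b, binary.BigEndian, uint32(0)) // object count
	sum := sha1.Sum(b.Bytes())
	b.Write(sum[:])
	return b.Bytes()
}

// buildEmptyIdx constructs a v2 index for that empty pack: magic, version,
// a 256-entry fanout table (all zero), then the two trailing checksums.
func buildEmptyIdx(packChecksum []byte) []byte {
	var b bytes.Buffer
	b.Write([]byte{0xff, 't', 'O', 'c'})
	binary.Write(&b, binary.BigEndian, uint32(2))
	b.Write(make([]byte, 256*4))
	b.Write(packChecksum)
	sum := sha1.Sum(b.Bytes())
	b.Write(sum[:])
	return b.Bytes()
}

func main() {
	pack := buildEmptyPack()
	sum, err := VerifyPack(pack)
	fmt.Println("intact pack:", err)
	idx := buildEmptyIdx(sum)
	fmt.Println("intact idx:", VerifyIdx(idx, sum))

	// Flip one byte of the pack body: the trailer no longer matches.
	bad := append([]byte(nil), pack...)
	bad[8] ^= 0x01
	_, err = VerifyPack(bad)
	fmt.Println("corrupted pack:", err)
}
```

Both comparisons run before any object in the pack is parsed, which is the ordering the advisory implies: a client that skips them accepts a truncated or altered file and only discovers the damage later as an "object not found" style error.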

