Control: retitle -1 tkeyclient: Error in Protocol Implementation (CVE-2026-32953)

Hi Simon,

On Mon, Mar 16, 2026 at 10:56:51PM +0100, Simon Josefsson wrote:
> Package: golang-github-tillitis-tkeyclient
> Version: 1.2.0-2
> X-Debbugs-CC: [email protected]
> Tags: security
> 
> This is a bug to track the security vulnerability described here:
> 
> https://github.com/tillitis/tkeyclient/security/advisories/GHSA-4w7r-3222-8h6v
> 
> I have uploaded 1.3.0-1 before being asked to open a bug report about
> the problem, so I can't close this bug report with the upload that fixes
> it, but will mark the bug as fixed with 1.3.0-1.
> 
> This library is used by 'tkey-ssh-agent' which I will upload next.  The
> new upstream version makes use of new features in tkeyclient to
> implement upstream's recommended upgrade path to deal with the security
> problem.
> 
> As far as I know, no CVE has been associated with this yet, but upstream
> (and I) hang out in #tillitis on Matrix/OFTC and I've asked if they want
> a CVE allocated, but no reply yet.

A CVE has been assigned for this issue; it is CVE-2026-32953. I do not
see it yet published on MITRE, but the GHSA has it already.

Thanks again for the IRC heads-up!

Regards,
Salvatore
