Source: gittuf
Version: 0.12.0-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,

The following vulnerability was published for gittuf.

CVE-2026-44544[0]:
| gittuf is a platform-agnostic Git security system. Prior to 0.14.0,
| an attacker with push access to gittuf's Reference State Log (RSL)
| can roll back the current policy to any previous policy trusted by
| the current set of root keys. gittuf determines the policy to load
| by inspecting the RSL. Except for the very first policy (which is
| automatically trusted given gittuf's TOFU model, or verified against
| manually specified keys), whenever an RSL entry that points to a new
| policy is encountered, gittuf validates that this policy is trusted.
| This is done by checking that the new policy’s root metadata is
| signed by the required threshold of the current policy's root keys.
| Because of this, an attacker with push access to the RSL may create
| a new entry that references an old policy (that is trusted by the
| most recent policy's set of root keys), thereby rolling back
| gittuf's policy to the attacker's chosen state. This vulnerability
| is fixed in 0.14.0.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-44544
    https://www.cve.org/CVERecord?id=CVE-2026-44544
[1] https://github.com/gittuf/gittuf/security/advisories/GHSA-vxvc-cg7j-rwqj

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
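As an added illustration (not code from this bug report or from the gittuf project), the following toy Go model walks an RSL the way the advisory describes: the first policy is trusted on first use, and every later policy entry is accepted if its root metadata carries the threshold of signatures from the root keys of the policy currently in force. The names `Policy`, `RSLEntry`, `signedByThreshold`, `loadPolicyVulnerable`, `loadPolicyHardened` and `sampleScenario`, the key IDs and the policy contents are all constructed for the example. The hardened loader's "never reinstate a superseded policy" rule is an assumed mitigation used to show why the signature check alone is insufficient; it is not a description of the fix in gittuf 0.14.0.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrRollback is returned by the hardened loader when an RSL entry tries to
// reinstate a policy that was already superseded (assumed mitigation).
var ErrRollback = errors.New("RSL entry references a previously superseded policy")

// Policy is a toy stand-in for gittuf policy root metadata (constructed).
type Policy struct {
	ID        string
	Note      string          // what the policy enforces (illustrative only)
	RootKeys  map[string]bool // root keys declared by this policy
	Threshold int             // signatures required from these keys to trust a successor
	SignedBy  []string        // key IDs whose signatures are on this policy
}

// RSLEntry is a toy Reference State Log entry pointing at a policy state.
type RSLEntry struct {
	PolicyID string
}

// signedByThreshold reports whether candidate carries at least current.Threshold
// distinct signatures from current's root keys. This is the trust check the
// advisory describes: the policy in force vouches for its successor.
func signedByThreshold(current, candidate *Policy) bool {
	seen := map[string]bool{}
	for _, k := range candidate.SignedBy {
		if current.RootKeys[k] {
			seen[k] = true
		}
	}
	return len(seen) >= current.Threshold
}

// walkRSL resolves each entry in order. The first policy is trusted on first
// use (TOFU); each later change must pass the threshold check and then the
// caller-supplied accept hook.
func walkRSL(store map[string]*Policy, rsl []RSLEntry, accept func(current, next *Policy) error) (*Policy, error) {
	var current *Policy
	for _, e := range rsl {
		next, ok := store[e.PolicyID]
		if !ok {
			return nil, fmt.Errorf("unknown policy %q", e.PolicyID)
		}
		if current == nil {
			current = next // very first policy: trusted on first use
			continue
		}
		if next.ID == current.ID {
			continue // entry does not change the policy in force
		}
		if !signedByThreshold(current, next) {
			return nil, fmt.Errorf("policy %q lacks threshold signatures from current root keys", next.ID)
		}
		if err := accept(current, next); err != nil {
			return nil, err
		}
		current = next
	}
	return current, nil
}

// loadPolicyVulnerable applies only the signature-threshold check. An older
// policy signed by keys the current policy still trusts passes it, so an RSL
// entry pointing back at that policy silently rolls the state back.
func loadPolicyVulnerable(store map[string]*Policy, rsl []RSLEntry) (*Policy, error) {
	return walkRSL(store, rsl, func(_, _ *Policy) error { return nil })
}

// loadPolicyHardened additionally remembers every policy that has been in
// force and refuses to reinstate one (assumed mitigation for illustration).
func loadPolicyHardened(store map[string]*Policy, rsl []RSLEntry) (*Policy, error) {
	superseded := map[string]bool{}
	return walkRSL(store, rsl, func(current, next *Policy) error {
		superseded[current.ID] = true
		if superseded[next.ID] {
			return fmt.Errorf("%w: %q", ErrRollback, next.ID)
		}
		return nil
	})
}

// sampleScenario builds a constructed history: policy-1 is the initial policy,
// policy-2 tightens the rules while keeping the same root keys, and the last
// RSL entry points back at policy-1.
func sampleScenario() (map[string]*Policy, []RSLEntry) {
	roots := map[string]bool{"keyA": true, "keyB": true}
	store := map[string]*Policy{
		"policy-1": {ID: "policy-1", Note: "one approval on main", RootKeys: roots, Threshold: 2, SignedBy: []string{"keyA", "keyB"}},
		"policy-2": {ID: "policy-2", Note: "two approvals on main", RootKeys: roots, Threshold: 2, SignedBy: []string{"keyA", "keyB"}},
	}
	rsl := []RSLEntry{{"policy-1"}, {"policy-2"}, {"policy-1"}}
	return store, rsl
}

func main() {
	store, rsl := sampleScenario()
	if p, err := loadPolicyVulnerable(store, rsl); err == nil {
		fmt.Printf("vulnerable loader ends at %s (%s)\n", p.ID, p.Note)
	}
	if _, err := loadPolicyHardened(store, rsl); err != nil {
		fmt.Println("hardened loader:", err)
	}
}
```

Running the program shows the vulnerable loader finishing on policy-1 (the weaker rules) even though policy-2 was legitimately adopted, while the hardened loader rejects the third entry; the forward chain of the first two entries is accepted by both. The point for a defender is that signature validity is a statement about who authored a policy, not about its position in the history, so freshness has to be checked separately.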

