Your message dated Sat, 01 Nov 2025 07:04:23 +0000
with message-id <[email protected]>
and subject line Bug#1094409: fixed in golang-github-notaryproject-notation-go 1.3.2-1
has caused the Debian Bug report #1094409,
regarding golang-github-notaryproject-notation-go: CVE-2024-56138
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1094409: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1094409
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: golang-github-notaryproject-notation-go
Version: 1.2.1-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for 
golang-github-notaryproject-notation-go.

CVE-2024-56138[0]:
| notation-go is a collection of libraries for signing and verifying
| OCI artifacts, based on Notary Project specifications. This
| issue was identified during Quarkslab's audit of the timestamp
| feature. During the timestamp signature generation, the revocation
| status of the certificate(s) used to generate the timestamp
| signature was not verified. During timestamp signature generation,
| notation-go did not check the revocation status of the certificate
| chain used by the TSA. This oversight creates a vulnerability that
| could be exploited through a Man-in-The-Middle attack. An attacker
| could potentially use a compromised, intermediate, or revoked leaf
| certificate to generate a malicious countersignature, which would
| then be accepted and stored by `notation`. This could lead to denial
| of service scenarios, particularly in CI/CD environments during
| signature verification processes because timestamp signature would
| fail due to the presence of a revoked certificate(s) potentially
| disrupting operations. This issue has been addressed in release
| version 1.3.0-rc.2 and all users are advised to upgrade. There are
| no known workarounds for this vulnerability.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-56138
    https://www.cve.org/CVERecord?id=CVE-2024-56138
[1] https://github.com/notaryproject/notation-go/security/advisories/GHSA-45v3-38pc-874v
[2] https://github.com/notaryproject/notation-go/commit/e7005a6d13e5ba472d4e166fbb085152f909e102

Regards,
Salvatore

--- End Message ---
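The check the advisory describes as missing, as an added example that is not notation-go's own code: after the TSA certificate chain has been built, each non-anchor certificate is looked up in a fresh CRL signed by its issuer, and the absence of a usable CRL fails closed. CRLs as the revocation source, the names CheckChainRevocation and BuildDemoChain, and the throwaway "Demo Root"/"Demo TSA" PKI are assumptions constructed for the example.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// CheckChainRevocation is the step the advisory says was skipped: chain is the path returned by validating the
// TSA certificate (leaf first, anchor last); each non-anchor cert needs a fresh issuer-signed CRL not listing it.
func CheckChainRevocation(chain []*x509.Certificate, crls []*x509.RevocationList, now time.Time) error {
	for i := 0; i+1 < len(chain); i++ {
		cert, issuer, covered := chain[i], chain[i+1], false
		for _, crl := range crls {
			if crl.CheckSignatureFrom(issuer) == nil && now.Before(crl.NextUpdate) { // this issuer's CRL, still fresh
				covered = true
				for _, r := range crl.RevokedCertificates {
					if r.SerialNumber.Cmp(cert.SerialNumber) == 0 {
						return fmt.Errorf("%q (serial %s) is revoked", cert.Subject.CommonName, cert.SerialNumber)
					}
				}
			}
		}
		if !covered { // fail closed: unknown status must not be treated as "not revoked"
			return fmt.Errorf("revocation status of %q unknown: no valid CRL from %q", cert.Subject.CommonName, issuer.Subject.CommonName)
		}
	}
	return nil
}
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v } // fixture only: failures here are bugs, not inputs
// BuildDemoChain is a constructed fixture, not notation-go code: throwaway root CA, TSA leaf and a root-signed CRL.
func BuildDemoChain(revokeLeaf bool) ([]*x509.Certificate, *x509.RevocationList) {
	now := time.Now()
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rootT := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Root"}, NotBefore: now.Add(-time.Hour),
		NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	root := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, rootT, rootT, &rootKey.PublicKey, rootKey))))
	leafT := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Demo TSA"}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour)}
	leaf := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafT, root, &leafKey.PublicKey, rootKey))))
	crlT := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(time.Hour)}
	if revokeLeaf {
		crlT.RevokedCertificates = []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now}}
	}
	crl := must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, crlT, root, rootKey))))
	return []*x509.Certificate{leaf, root}, crl
}
```

Path validation alone (the pre-fix behaviour) accepts the same chain; only the CRL step rejects the revoked leaf, and a CRL past its NextUpdate no longer counts as coverage.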
--- Begin Message ---
Source: golang-github-notaryproject-notation-go
Source-Version: 1.3.2-1
Done: Simon Josefsson <[email protected]>

We believe that the bug you reported is fixed in the latest version of
golang-github-notaryproject-notation-go, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon Josefsson <[email protected]> (supplier of updated golang-github-notaryproject-notation-go package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Fri, 31 Oct 2025 18:48:39 +0100
Source: golang-github-notaryproject-notation-go
Architecture: source
Version: 1.3.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <[email protected]>
Changed-By: Simon Josefsson <[email protected]>
Closes: 1094409
Changes:
 golang-github-notaryproject-notation-go (1.3.2-1) unstable; urgency=medium
 .
   [ Simon Josefsson ]
   * Team upload.
   * Upload to unstable.
   * Use watch v5.
   * New upstream version 1.3.2
   * Drop Rules-Requires-Root: no.
   * Standards-Version: 4.7.2.
   * Bump debian/* copyright years.
   * Add new variant of upstream copyright notices.
   * Refresh patches.
   * Bump version on B-D's.
   * Fix executable-not-elf-or-script.
   * Fix Forwarded: on patches.
 .
   [ Reinhard Tartler ]
   * Also tighten dependencies for the -dev package
 .
 golang-github-notaryproject-notation-go (1.2.1-5) experimental; urgency=medium
 .
   * fix: enable timestamping cert chain revocation check during signing (#482)
     Closes: #1094409
   * Bump dependency on golang-github-notaryproject-notation-core-go-dev
Git-Tag-Info: tag=74bda0ab65b6a8e54bd9b40b42d008b5f48ce697 fp=a3cc9c870b9d310abad4cf2f51722b08fe4745a2
Git-Tag-Tagger: Simon Josefsson <[email protected]>


--- End Message ---