Your message dated Sun, 01 Jun 2025 12:49:50 +0000
with message-id <e1uli8m-00401l...@fasolo.debian.org>
and subject line Bug#1094409: fixed in golang-github-notaryproject-notation-go 1.2.1-5
has caused the Debian Bug report #1094409,
regarding golang-github-notaryproject-notation-go: CVE-2024-56138
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1094409: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1094409
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: golang-github-notaryproject-notation-go
Version: 1.2.1-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for
golang-github-notaryproject-notation-go.
CVE-2024-56138[0]:
| notation-go is a collection of libraries for supporting signing and
| verifying OCI artifacts. Based on Notary Project specifications. This
| issue was identified during Quarkslab's audit of the timestamp
| feature. During the timestamp signature generation, the revocation
| status of the certificate(s) used to generate the timestamp
| signature was not verified. During timestamp signature generation,
| notation-go did not check the revocation status of the certificate
| chain used by the TSA. This oversight creates a vulnerability that
| could be exploited through a Man-in-The-Middle attack. An attacker
| could potentially use a compromised, intermediate, or revoked leaf
| certificate to generate a malicious countersignature, which would
| then be accepted and stored by `notation`. This could lead to denial
| of service scenarios, particularly in CI/CD environments during
| signature verification processes because timestamp signature would
| fail due to the presence of revoked certificate(s), potentially
| disrupting operations. This issue has been addressed in release
| version 1.3.0-rc.2 and all users are advised to upgrade. There are
| no known workarounds for this vulnerability.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-56138
    https://www.cve.org/CVERecord?id=CVE-2024-56138
[1] https://github.com/notaryproject/notation-go/security/advisories/GHSA-45v3-38pc-874v
[2] https://github.com/notaryproject/notation-go/commit/e7005a6d13e5ba472d4e166fbb085152f909e102
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: golang-github-notaryproject-notation-go
Source-Version: 1.2.1-5
Done: Reinhard Tartler <siret...@tauware.de>
We believe that the bug you reported is fixed in the latest version of
golang-github-notaryproject-notation-go, which is due to be installed in the
Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1094...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Reinhard Tartler <siret...@tauware.de> (supplier of updated
golang-github-notaryproject-notation-go package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Sun, 01 Jun 2025 08:26:00 -0400
Source: golang-github-notaryproject-notation-go
Architecture: source
Version: 1.2.1-5
Distribution: experimental
Urgency: medium
Maintainer: Debian Go Packaging Team <team+pkg...@tracker.debian.org>
Changed-By: Reinhard Tartler <siret...@tauware.de>
Closes: 1094409
Changes:
golang-github-notaryproject-notation-go (1.2.1-5) experimental; urgency=medium
.
* fix: enable timestamping cert chain revocation check during signing (#482)
Closes: #1094409
* Bump dependency on golang-github-notaryproject-notation-core-go-dev
--- End Message ---
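The check that the CVE description above says was missing and that the changelog entry "enable timestamping cert chain revocation check during signing" adds, as an added example that is not notation-go's own code: using only Go's standard library, it builds a constructed TSA root, a TSA leaf with the timestamping EKU and a root-issued CRL in memory, then refuses the chain when the leaf is listed on a fresh, issuer-signed CRL. The function names (CheckTSAChainRevocation, Scenario) and the sample PKI are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CheckTSAChainRevocation refuses a timestamp countersignature when any certificate in
// the TSA chain appears in a fresh, issuer-signed CRL (constructed illustration, not notation-go's API).
func CheckTSAChainRevocation(chain []*x509.Certificate, issuer *x509.Certificate, crlDER []byte) error {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil { return fmt.Errorf("CRL unparsable: %w", err) }
	// An unsigned, forged or stale CRL gives no usable answer, so treat it as a failure, not as "not revoked".
	if err := crl.CheckSignatureFrom(issuer); err != nil { return fmt.Errorf("CRL not signed by TSA issuer: %w", err) }
	if time.Now().After(crl.NextUpdate) { return fmt.Errorf("CRL expired at %s; revocation status unknown", crl.NextUpdate) }
	for _, c := range chain {
		for _, r := range crl.RevokedCertificates {
			if c.SerialNumber.Cmp(r.SerialNumber) == 0 {
				return fmt.Errorf("TSA certificate %q (serial %s) is revoked", c.Subject.CommonName, c.SerialNumber)
			}
		}
	}
	return nil
}

// Scenario builds a constructed TSA root, a TSA leaf and a root-issued CRL that revokes the leaf when revoke is true.
func Scenario(revoke bool) error {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tsaKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example TSA Root"},
		NotBefore: now, NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	ca, _ := x509.ParseCertificate(caDER) // parsed so SubjectKeyId is populated for CRL issuance
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Example TSA"},
		NotBefore: now, NotAfter: now.Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageTimeStamping}}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &tsaKey.PublicKey, caKey)
	leaf, _ := x509.ParseCertificate(leafDER)
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour)}
	if revoke { crlTmpl.RevokedCertificates = []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now}} }
	crlDER, _ := x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey)
	return CheckTSAChainRevocation([]*x509.Certificate{leaf, ca}, ca, crlDER)
}
```

A signer that runs this before storing the countersignature surfaces the revoked TSA certificate at signing time, rather than letting every later verification in CI/CD fail on it.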