Your message dated Sun, 01 Jun 2025 22:34:13 +0000
with message-id <e1ulrft-006cn7...@fasolo.debian.org>
and subject line Bug#1094409: fixed in golang-github-notaryproject-notation 1.2.0-5
has caused the Debian Bug report #1094409,
regarding golang-github-notaryproject-notation-go: CVE-2024-56138
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1094409: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1094409
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: golang-github-notaryproject-notation-go
Version: 1.2.1-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for 
golang-github-notaryproject-notation-go.

CVE-2024-56138[0]:
| notation-go is a collection of libraries for supporting signing and
| verifying OCI artifacts, based on Notary Project specifications. This
| issue was identified during Quarkslab's audit of the timestamp
| feature. During the timestamp signature generation, the revocation
| status of the certificate(s) used to generate the timestamp
| signature was not verified. During timestamp signature generation,
| notation-go did not check the revocation status of the certificate
| chain used by the TSA. This oversight creates a vulnerability that
| could be exploited through a Man-in-The-Middle attack. An attacker
| could potentially use a compromised, intermediate, or revoked leaf
| certificate to generate a malicious countersignature, which would
| then be accepted and stored by `notation`. This could lead to denial
| of service scenarios, particularly in CI/CD environments during
| signature verification processes, because the timestamp signature
| would fail due to the presence of a revoked certificate(s),
| potentially disrupting operations. This issue has been addressed in
| release version 1.3.0-rc.2 and all users are advised to upgrade.
| There are no known workarounds for this vulnerability.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-56138
    https://www.cve.org/CVERecord?id=CVE-2024-56138
[1] https://github.com/notaryproject/notation-go/security/advisories/GHSA-45v3-38pc-874v
[2] https://github.com/notaryproject/notation-go/commit/e7005a6d13e5ba472d4e166fbb085152f909e102

Regards,
Salvatore

--- End Message ---
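The check the advisory describes as missing, as an added example in Go (standard library only, Go 1.21 or later for RevokedCertificateEntries); this is not code from notation-go or from its fix commit. It assumes the TSA chain has already passed path validation and is given leaf-first, and consults a CRL signed by each member's issuer before the countersignature is accepted. The CA, the TSA leaf, the CRL and all names are constructed here; a real implementation would also fetch CRLs from the certificate's distribution points and decide how to treat an unavailable CRL.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// checkRevocation: after path validation, reject any chain member that a CRL genuinely signed by its issuer lists as revoked.
func checkRevocation(chain []*x509.Certificate, crls []*x509.RevocationList) error {
	for i := 0; i+1 < len(chain); i++ { // every certificate below the trust anchor
		cert, issuer := chain[i], chain[i+1]
		for _, crl := range crls {
			if crl.CheckSignatureFrom(issuer) != nil {
				continue // not signed by this issuer: not authoritative for cert
			}
			for _, e := range crl.RevokedCertificateEntries {
				if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
					return fmt.Errorf("%q (serial %v) is revoked", cert.Subject.CommonName, cert.SerialNumber)
				}
			}
		}
	}
	return nil
}

// demo builds a constructed CA -> TSA leaf (serial 2), has the CA publish a CRL revoking revokedSerial, and checks the chain leaf-first.
func demo(revokedSerial *big.Int) error {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	tsaPub, _, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed TSA Root"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, caPub, caKey) // self-signed root
	ca, _ := x509.ParseCertificate(caDER)
	tmpl.SerialNumber, tmpl.Subject.CommonName, tmpl.IsCA, tmpl.KeyUsage = big.NewInt(2), "Constructed TSA", false, x509.KeyUsageDigitalSignature
	tsaDER, _ := x509.CreateCertificate(rand.Reader, tmpl, ca, tsaPub, caKey) // leaf signed by the CA
	tsa, _ := x509.ParseCertificate(tsaDER)
	crlDER, _ := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: time.Now().Add(-time.Hour), NextUpdate: time.Now().Add(time.Hour),
		RevokedCertificateEntries: []x509.RevocationListEntry{{SerialNumber: revokedSerial, RevocationTime: time.Now()}}}, ca, caKey)
	crl, _ := x509.ParseRevocationList(crlDER)
	return checkRevocation([]*x509.Certificate{tsa, ca}, []*x509.RevocationList{crl})
}

func main() { fmt.Println(demo(big.NewInt(2)), demo(big.NewInt(99))) }
```

Revoking serial 2 makes the check reject the chain; a CRL listing only an unrelated serial lets the same chain through.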
--- Begin Message ---
Source: golang-github-notaryproject-notation
Source-Version: 1.2.0-5
Done: Reinhard Tartler <siret...@tauware.de>

We believe that the bug you reported is fixed in the latest version of
golang-github-notaryproject-notation, which is due to be installed in the 
Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1094...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Reinhard Tartler <siret...@tauware.de> (supplier of updated 
golang-github-notaryproject-notation package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Sun, 01 Jun 2025 15:01:54 -0400
Source: golang-github-notaryproject-notation
Architecture: source
Version: 1.2.0-5
Distribution: experimental
Urgency: medium
Maintainer: Debian Go Packaging Team <team+pkg...@tracker.debian.org>
Changed-By: Reinhard Tartler <siret...@tauware.de>
Closes: 1094409
Changes:
 golang-github-notaryproject-notation (1.2.0-5) experimental; urgency=medium
 .
   * Bump dependencies for CVE-2024-56138, Closes: #1094409



--- End Message ---
