Source: golang-github-theupdateframework-go-tuf Version: 2.3.0+0.7.0-1 Severity: important Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerability was published for golang-github-theupdateframework-go-tuf. CVE-2026-24686[0]: | go-tuf is a Go implementation of The Update Framework (TUF). go- | tuf's TAP 4 Multirepo Client uses the map file repository name | string (`repoName`) as a filesystem path component when selecting | the local metadata cache directory. Starting in version 2.0.0 and | prior to version 2.4.1, if an application accepts a map file from an | untrusted source, an attacker can supply a `repoName` containing | traversal (e.g., `../escaped-repo`) and cause go-tuf to create | directories and write the root metadata file outside the intended | `LocalMetadataDir` cache base, within the running process's | filesystem permissions. Version 2.4.1 contains a patch. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-24686 https://www.cve.org/CVERecord?id=CVE-2026-24686 [1] https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-jqc5-w2xx-5vq4 [2] https://github.com/theupdateframework/go-tuf/commit/d361e2ea24e427581343dee5c7a32b485d79fcc0 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
