- Package: golang-github-tillitis-tkeyclient
- Submitter: Simon Josefsson
- Date: 2026-03-17 19:49:02 UTC
- Severity: normal
- Tags:
This is a bug to track the security vulnerability described here:

https://github.com/tillitis/tkeyclient/security/advisories/GHSA-4w7r-3222-8h6v

I have uploaded 1.3.0-1 before being asked to open a bug report about the problem, so I can't close this bug report with the upload that fixes it, but will mark the bug as fixed with 1.3.0-1.

This library is used by 'tkey-ssh-agent' which I will upload next. The new upstream version makes use of new features in tkeyclient to implement upstream's recommended upgrade path to deal with the security problem.

As far as I know, no CVE has been associated with this yet, but upstream (and I) hang out in #tillitis on Matrix/OFTC and I've asked if they want a CVE allocated, but no reply yet.

/Simon

Hi Simon,

A CVE has been assigned for this issue, it is CVE-2026-32953. I do not see it yet published on MITRE, but the GHSA has it already.

Thanks again for the IRC heads-up!

Regards,
Salvatore