#1131102 trixie-pu: package tkey-ssh-agent/1.1.0+ds-1~deb13u1 (pre-approval)

#1131102#5
Date: 2026-03-17 14:35:53 UTC
[ Reason ]
Hi!

This is the second part of https://bugs.debian.org/1131028

Upstream has provided an advisory:

https://github.com/tillitis/tkeyclient/security/advisories/GHSA-4w7r-3222-8h6v

While this could be handled by a security patch, due to the complexity
of upstream's recommended solution (involving patches to both
'golang-github-tillitis-tkeyclient' and 'tkey-ssh-agent') and low
end-user impact, it was suggested on #debian-security to use the
proposed-updates mechanism instead to update both packages to the latest
upstream version.

I'm attaching the debdiff between tkey-ssh-agent 1.0.0 and 1.1.0 in
unstable, and I suggest something similar could be uploaded to
trixie-proposed-updates.

What do you think?  Is this an acceptable way to resolve this?

If so I can prepare the final real version of these packages.

[ Impact ]
If this isn't adopted, one out of 256 users that provides a USS secret
will not actually make use of the USS, thus possibly lowering their
perceived security.

[ Tests ]
These are upstream patches, so presumably well tested.

[ Risks ]
There is always a risk upstream's patches are buggy and cause unrelated
problems.

[ Checklist ]
  [ ] *all* changes are documented in the d/changelog
  [ ] I reviewed all changes and I approve them
  [ ] attach debdiff against the package in (old)stable
  [ ] the issue is verified as fixed in unstable

[ Changes ]
(Explain *all* the changes)

[ Other info ]
(Anything else the release team should know.)