- Package:
- src:gittuf
- Source:
- src:gittuf
- Submitter:
- Salvatore Bonaccorso
- Date:
- 2026-06-07 21:51:02 UTC
- Severity:
- normal
- Tags:
Hi,

The following vulnerability was published for gittuf.

CVE-2026-44544[0]:
| gittuf is a platform-agnostic Git security system. Prior to 0.14.0,
| an attacker with push access to gittuf's Reference State Log (RSL)
| can roll back the current policy to any previous policy trusted by
| the current set of root keys. gittuf determines the policy to load
| by inspecting the RSL. Except for the very first policy (which is
| automatically trusted given gittuf's TOFU model, or verified against
| manually specified keys), whenever an RSL entry that points to a new
| policy is encountered, gittuf validates that this policy is trusted.
| This is done by checking that the new policy's root metadata is
| signed by the required threshold of the current policy's root keys.
| Because of this, an attacker with push access to the RSL may create
| a new entry that references an old policy (that is trusted by the
| most recent policy's set of root keys), thereby rolling back
| gittuf's policy to the attacker's chosen state. This vulnerability
| is fixed in 0.14.0.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-44544
    https://www.cve.org/CVERecord?id=CVE-2026-44544
[1] https://github.com/gittuf/gittuf/security/advisories/GHSA-vxvc-cg7j-rwqj

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
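The trust check the advisory describes, and why an RSL entry that points back at an older policy passes it, shown as an added example in Go. This is not gittuf's code: the Root struct, the signed payload layout, the key IDs, the sample keys and the three-entry RSL are all constructed here. The first loader applies only the check quoted above (a threshold of the current root's keys must have signed the candidate root) and therefore accepts the rollback; the second additionally requires a strictly higher root version, which is an assumed countermeasure in the style of TUF's root-version rule, not a description of what gittuf 0.14.0 actually changed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Root is a constructed stand-in for a policy's root metadata (not gittuf's
// real format): version, root key IDs with a signing threshold, the rules
// the policy enforces, and signatures over payload() keyed by root key ID.
type Root struct {
	Version, Threshold int
	KeyIDs             []string
	Rules              string
	Sigs               map[string][]byte
}

// RSLEntry models a Reference State Log entry that points at a policy state.
type RSLEntry struct{ Policy *Root }

func keyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// payload is the byte string the root keys sign; its layout is an assumption here.
func (r *Root) payload() []byte {
	ids := append([]string(nil), r.KeyIDs...)
	sort.Strings(ids)
	return []byte(fmt.Sprintf("root|v%d|t%d|%s|%s", r.Version, r.Threshold,
		strings.Join(ids, ","), r.Rules))
}

// trustedByCurrent is the check the advisory describes: the candidate root
// must carry a threshold of valid signatures from the *current* root's keys.
func trustedByCurrent(current, candidate *Root, keys map[string]ed25519.PublicKey) bool {
	trusted := map[string]bool{}
	for _, id := range current.KeyIDs {
		trusted[id] = true
	}
	valid := 0
	for id, sig := range candidate.Sigs {
		if pub, ok := keys[id]; ok && trusted[id] && ed25519.Verify(pub, candidate.payload(), sig) {
			valid++
		}
	}
	return valid >= current.Threshold
}

// loadPolicy walks the RSL: the first policy is trusted on first use (TOFU) and
// every entry pointing at a different policy must pass trustedByCurrent. With
// rejectRollback=false this mirrors the pre-0.14.0 behaviour; with it set, the
// replacement must also carry a strictly higher root version (assumed fix).
func loadPolicy(log []RSLEntry, keys map[string]ed25519.PublicKey, rejectRollback bool) (*Root, error) {
	var current *Root
	for i, e := range log {
		if current == nil {
			current = e.Policy
			continue
		}
		if e.Policy == current {
			continue // entry does not change the policy
		}
		if !trustedByCurrent(current, e.Policy, keys) {
			return nil, fmt.Errorf("entry %d: root v%d not signed by current root keys", i, e.Policy.Version)
		}
		if rejectRollback && e.Policy.Version <= current.Version {
			return nil, fmt.Errorf("entry %d: rollback from root v%d to v%d", i, current.Version, e.Policy.Version)
		}
		current = e.Policy
	}
	return current, nil
}

// RunScenario builds a constructed RSL: root v1 (weak rule), root v2 (strict
// rule, same root keys), then an attacker entry pointing back at v1. It returns
// the version the vulnerable loader settles on, the version the hardened loader
// returns for the honest log, and the hardened loader's error for the attacked log.
func RunScenario() (vulnVersion, honestVersion int, attackErr error) {
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader) // sample keys for the example
	pubB, privB, _ := ed25519.GenerateKey(rand.Reader)
	keys := map[string]ed25519.PublicKey{keyID(pubA): pubA, keyID(pubB): pubB}
	ids := []string{keyID(pubA), keyID(pubB)}
	sign := func(r *Root) {
		r.Sigs = map[string][]byte{
			keyID(pubA): ed25519.Sign(privA, r.payload()),
			keyID(pubB): ed25519.Sign(privB, r.payload()),
		}
	}
	v1 := &Root{Version: 1, Threshold: 2, KeyIDs: ids, Rules: "1 approval on refs/heads/main"}
	v2 := &Root{Version: 2, Threshold: 2, KeyIDs: ids, Rules: "2 approvals on refs/heads/main"}
	sign(v1)
	sign(v2)
	honest := []RSLEntry{{v1}, {v2}}
	attacked := []RSLEntry{{v1}, {v2}, {v1}} // last entry pushed by the attacker
	vuln, err := loadPolicy(attacked, keys, false) // v1 is signed by v2's keys, so it passes
	if err != nil {
		panic(err)
	}
	good, err := loadPolicy(honest, keys, true)
	if err != nil {
		panic(err)
	}
	_, attackErr = loadPolicy(attacked, keys, true)
	return vuln.Version, good.Version, attackErr
}
```

The point the example makes is that signature validity alone says nothing about ordering: because the root key set did not change between v1 and v2, the stale v1 metadata is still "trusted by the current set of root keys" exactly as the advisory says, and only state carried outside the signed object being checked (here a version counter compared against the policy already loaded) tells the verifier that the entry moves backwards.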
We believe that the bug you reported is fixed in the latest version of
gittuf, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1136704@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon Josefsson <simon@josefsson.org> (supplier of updated gittuf package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sun, 07 Jun 2026 22:30:19 +0200
Source: gittuf
Architecture: source
Version: 0.14.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <team+pkg-go@tracker.debian.org>
Changed-By: Simon Josefsson <simon@josefsson.org>
Closes: 1136704
Changes:
gittuf (0.14.1-1) unstable; urgency=medium
.
* New upstream (Closes: #1136704)
- CVE-2026-44544
* Disable TestTUI due to teatest
Checksums-Sha1:
59b15dfad22829858ce0a80b8a0efa26a8d2bc48 3299 gittuf_0.14.1-1.dsc
1a67af46f1488758bd0aa677063f9ff1476233c2 643344 gittuf_0.14.1.orig.tar.xz
1105707e6dece4bd5e0a5fd6871914a2173426c1 5652 gittuf_0.14.1-1.debian.tar.xz
8fbdb6b7b0a4905754f46dca11c80c0c97ff3a59 1320760 gittuf_0.14.1-1.git.tar.xz
f3a4664ea0c1a168347a989cac4cb8919c37a1ef 17488 gittuf_0.14.1-1_source.buildinfo
Checksums-Sha256:
c7e96f09d7ee92e99e8dd12511ecc66589f45b777d913d31c02e84a875c59b0b 3299 gittuf_0.14.1-1.dsc
b90c94093fbaaf150ec0ef0bb97442465d66d857363d8b9dad501f45d04854ae 643344 gittuf_0.14.1.orig.tar.xz
ccf26066947c3bd07f43c6fe6529da511bd23f5cdea260e8762849d0dc61b346 5652 gittuf_0.14.1-1.debian.tar.xz
86a41832bb7de58dc5d4a67c66ac8355f3ab5e1e79fefbe102da8b38e959a9e7 1320760 gittuf_0.14.1-1.git.tar.xz
8a7f49b3fda0e513803740af6da71a5dffe13838768d658bfafd68b626539bd5 17488 gittuf_0.14.1-1_source.buildinfo
Files:
4a3973428ceb97de7e46ab4e5fa4d180 3299 vcs optional gittuf_0.14.1-1.dsc
721817b61017df6ac2e6ee689232fdd0 643344 vcs optional gittuf_0.14.1.orig.tar.xz
14d23aab50b69fc6fd730119cca7f6a9 5652 vcs optional gittuf_0.14.1-1.debian.tar.xz
9a14616ad29b72c62e4986456f031f58 1320760 vcs None gittuf_0.14.1-1.git.tar.xz
ce5deace1393ee26a3beb9db5b1dd1d7 17488 vcs optional gittuf_0.14.1-1_source.buildinfo
Git-Tag-Info: tag=cd46d13be74fbd89eec9dbdbf35c349d9de40ab7 fp=a3cc9c870b9d310abad4cf2f51722b08fe4745a2
Git-Tag-Tagger: Simon Josefsson <simon@josefsson.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEN02M5NuW6cvUwJcqYG0ITkaDwHkFAmol49AACgkQYG0ITkaD
wHkt2Q/+NsN7Cb3pfgTsV9Ds/fN1bJD+g5DXHo23C/Y8rt+BPQobO/1VABE78bZH
dHDyS7QJ4OmnzPqhg9hN7huiNvW13I+lsIaF2DOKbJ3sHTiUljK/UszRjL9LcB6g
m/fffD8gy+hGJFkDfmBujVzF+KQ8aeMpfSK5f+aKpiOsrcCbY1A43KYo4dft6Iuv
Ig3+iwx+bRvGN57IYZfc7pierjDe7upOJEUTuxp0YFyMWGFOMKwOSY4t4bbdnFtm
JqMnKwJ3HjIT7Uh4kSPaEHIObzyw4EMtxLr35Es27Xe8E+Ka8r4aCw/9IkSvL5zh
dJAr69KvzuFIuWLhio1QdWu5DDrP2WSqE6MScCScULh45vnrn/BrIKT6bFKUiSJ5
3RxVrE3WjRA1Bz3liv0JO220g9+bC5FqJuTRPTq4LtcIPJ1Twi3VqGka93DPnIgc
ut9aclfI+E0fbmmw4XBPdG+6vV8xvE5NkchhFXQHZpliB8p9N4Q4TnHgGRobglqY
pM7zTJEzWHWSHpHek+y9uxs8qMHbEm7lesZSj6lMZ8KCngWkbes+jnMPX5uCX6fa
fdKZWl5ONtVa46iVLQwauB8O/0thrRNCSvBBUCLtjZCuVSiItso8GOAgB0zqShIr
aXqC4+kLw/wROvi+N3IPBewERh5BWNplR1vLtPC45gy51iD91RY=
=MDs2
-----END PGP SIGNATURE-----