Your message dated Wed, 27 May 2026 07:49:59 +0000
with message-id <[email protected]>
and subject line Bug#1134150: fixed in
golang-github-sigstore-timestamp-authority 2.1.0-1
has caused the Debian Bug report #1134150,
regarding golang-github-sigstore-timestamp-authority: CVE-2026-39984
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1134150: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134150
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: golang-github-sigstore-timestamp-authority
Version: 2.0.4-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for
golang-github-sigstore-timestamp-authority.
CVE-2026-39984[0]:
| Sigstore Timestamp Authority is a service for issuing RFC 3161
| timestamps. Versions 2.0.5 and below contain an authorization bypass
| vulnerability in the VerifyTimestampResponse function.
| VerifyTimestampResponse correctly verifies the certificate chain
| signature, but the TSA-specific constraint checks in VerifyLeafCert
| use the first non-CA certificate from the PKCS#7 certificate bag
| instead of the leaf certificate from the verified chain. An attacker
| can exploit this by prepending a forged certificate to the
| certificate bag while the message is signed with an authorized key,
| causing the library to validate the signature against one
| certificate but perform authorization checks against another. This
| vulnerability only affects users of the
| timestamp-authority/v2/pkg/verification package and does not affect
| the timestamp-authority service itself or sigstore-go. The issue has
| been fixed in version 2.0.6.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-39984
    https://www.cve.org/CVERecord?id=CVE-2026-39984
[1] https://github.com/sigstore/timestamp-authority/security/advisories/GHSA-xm5m-wgh2-rrg3
[2] https://github.com/sigstore/timestamp-authority/commit/9583b6186084a309cb6ccaf4323a29781901e962
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
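The leaf-selection flaw described in the CVE text above, modelled in Go as an added example (this is not code from timestamp-authority or from this bug thread): mkCert, checkTSAConstraints, verifyVulnerable and verifyFixed are assumed names, the certificates are constructed unsigned structs, and chain verification is assumed to have already succeeded with the signing certificate at chain[0].

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
)

// mkCert builds a constructed, unsigned certificate struct: enough to
// model which certificate the constraint checks actually look at.
func mkCert(cn string, isCA bool, eku ...x509.ExtKeyUsage) *x509.Certificate {
	return &x509.Certificate{Subject: pkix.Name{CommonName: cn}, IsCA: isCA, ExtKeyUsage: eku}
}

// checkTSAConstraints models the TSA-specific leaf check (assumed here:
// the certificate must carry the timestamping EKU).
func checkTSAConstraints(c *x509.Certificate) error {
	for _, e := range c.ExtKeyUsage {
		if e == x509.ExtKeyUsageTimeStamping {
			return nil
		}
	}
	return fmt.Errorf("leaf %q lacks the timestamping EKU", c.Subject.CommonName)
}

// verifyVulnerable mirrors the flaw: the checked leaf is the first non-CA
// certificate in the PKCS#7 bag, whose order the sender controls.
func verifyVulnerable(bag []*x509.Certificate) error {
	for _, c := range bag {
		if !c.IsCA {
			return checkTSAConstraints(c)
		}
	}
	return errors.New("no end-entity certificate in bag")
}

// verifyFixed checks chain[0] of the already verified (non-empty) chain,
// i.e. the certificate whose key actually produced the signature.
func verifyFixed(chain []*x509.Certificate) error {
	return checkTSAConstraints(chain[0])
}

func main() {
	ca := mkCert("Example Root", true)
	signer := mkCert("signer.example", false, x509.ExtKeyUsageCodeSigning) // key that signed; no TSA EKU
	forged := mkCert("tsa.example", false, x509.ExtKeyUsageTimeStamping)  // prepended to the bag
	fmt.Println("vulnerable:", verifyVulnerable([]*x509.Certificate{forged, signer, ca})) // <nil>
	fmt.Println("fixed:", verifyFixed([]*x509.Certificate{signer, ca}))                   // error
}
```

The vulnerable path accepts because it inspects the prepended certificate, while the fixed path rejects the signer that verified in the chain but lacks the timestamping EKU.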
--- Begin Message ---
Source: golang-github-sigstore-timestamp-authority
Source-Version: 2.1.0-1
Done: Simon Josefsson <[email protected]>
We believe that the bug you reported is fixed in the latest version of
golang-github-sigstore-timestamp-authority, which is due to be installed in the
Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon Josefsson <[email protected]> (supplier of updated
golang-github-sigstore-timestamp-authority package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 27 May 2026 08:52:34 +0200
Source: golang-github-sigstore-timestamp-authority
Architecture: source
Version: 2.1.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <[email protected]>
Changed-By: Simon Josefsson <[email protected]>
Closes: 1134150
Changes:
golang-github-sigstore-timestamp-authority (2.1.0-1) unstable; urgency=medium
.
* New upstream (Closes: #1134150)
- CVE-2026-39984
* Use gbp upstream-vcs-tag
* Drop d/watch Uversionmangle
* Standards-Version: 4.7.4
* Drop Priority: optional
* Bump copyright years
* Refresh patches
* Improve debci/autopkgtest
Checksums-Sha1:
Checksums-Sha256:
Files:
Git-Tag-Info: tag=c7ff26ea26cbddcd264b95421db2a05266c44213
fp=a3cc9c870b9d310abad4cf2f51722b08fe4745a2
Git-Tag-Tagger: Simon Josefsson <[email protected]>
--- End Message ---