Your message dated Tue, 16 Jun 2026 20:49:21 +0000
with message-id <[email protected]>
and subject line Bug#1138711: fixed in packagekit 1.3.6-1
has caused the Debian Bug report #1138711,
regarding packagekit: CVE-2026-10294
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1138711: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138711
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: packagekit
X-Debbugs-CC: [email protected]
Severity: important
Tags: security

Hi,

The following vulnerability was published for packagekit. You are
obviously aware, but for tracking I'm also filing this in the BTS.

CVE-2026-10294[0]:
| A vulnerability has been found in PackageKit up to 1.3.5. Affected
| is the function g_file_test of the file src/pk-transaction.c of the
| component API. Such manipulation of the argument frontend-socket
| leads to improper authorization. The attack can be executed
| remotely. The exploit has been disclosed to the public and may be
| used.

https://github.com/PackageKit/PackageKit/issues/969


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-10294
    https://www.cve.org/CVERecord?id=CVE-2026-10294

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: packagekit
Source-Version: 1.3.6-1
Done: Matthias Klumpp <[email protected]>

We believe that the bug you reported is fixed in the latest version of
packagekit, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matthias Klumpp <[email protected]> (supplier of updated packagekit package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 16 Jun 2026 22:06:36 +0200
Source: packagekit
Architecture: source
Version: 1.3.6-1
Distribution: unstable
Urgency: medium
Maintainer: Matthias Klumpp <[email protected]>
Changed-By: Matthias Klumpp <[email protected]>
Closes: 1138711
Changes:
 packagekit (1.3.6-1) unstable; urgency=medium
 .
   * New upstream version: 1.3.6
     - Resolves an information leak by not following socket symlinks
       (Closes: #1138711, CVE-2026-10294)

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----


--- End Message ---
