| Name | CVE-2024-47534 |
| Description | go-tuf is a Go implementation of The Update Framework (TUF). The go-tuf client inconsistently traces the delegations. For example, if targets delegate to "A", and to "B", and "B" delegates to "C", then the client should trace the delegations in the order "A" then "B" then "C" but it may incorrectly trace the delegations "B"->"C"->"A". This vulnerability is fixed in 2.0.1. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| golang-github-theupdateframework-go-tuf (PTS) | trixie | 2.0.2+0.7.0-1 | fixed |
| forky, sid | 2.3.0+0.7.0-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| golang-github-endophage-gotuf | source | (unstable) | (unfixed) | |||
| golang-github-theupdateframework-go-tuf | source | (unstable) | (not affected) |
- golang-github-theupdateframework-go-tuf <not-affected> (Vulnerable code not present)
https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-4f8r-qqr9-fq8j
Introduced with: https://github.com/theupdateframework/go-tuf/commit/edc30b474f5afd4cc603e17149704d5aa605151d (v2.0.0)
Fixed by: https://github.com/theupdateframework/go-tuf/commit/f36420caba9edbfdfd64f95a9554c0836d9cf819 (v2.0.1)