
   linux.debian.bugs.dist      Ohh some weird Debian bug report thing      28,835 messages   


   Message 27,509 of 28,835   
   Salvatore Bonaccorso to All   
   Bug#1127844: golang-github-go-git-go-git   
   13 Feb 26 21:10:01   
   
   From: carnil@debian.org   
      
   Source: golang-github-go-git-go-git   
   Version: 5.16.2-1   
   Severity: important   
   Tags: security upstream   
   X-Debbugs-Cc: carnil@debian.org, Debian Security Team    
      
   Hi,   
      
   The following vulnerability was published for golang-github-go-git-go-git.   
      
   CVE-2026-25934[0]:   
   | go-git is a highly extensible git implementation library written in   
   | pure Go. Prior to 5.16.5, a vulnerability was discovered in go-git   
   | whereby data integrity values for .pack and .idx files were not   
   | properly verified. This resulted in go-git potentially consuming   
   | corrupted files, which would likely result in unexpected errors such   
   | as object not found. For context, clients fetch packfiles from   
   | upstream Git servers. Those files contain a checksum of their   
   | contents, so that clients can perform integrity checks before   
   | consuming it. The pack indexes (.idx) are generated locally by go-   
   | git, or the git cli, when new .pack files are received and   
   | processed. The integrity checks for both files were not being   
   | verified correctly. This vulnerability is fixed in 5.16.5.   
      
      
   If you fix the vulnerability please also make sure to include the   
   CVE (Common Vulnerabilities & Exposures) id in your changelog entry.   
      
   For further information see:   
      
   [0] https://security-tracker.debian.org/tracker/CVE-2026-25934   
       https://www.cve.org/CVERecord?id=CVE-2026-25934   
   [1] https://github.com/go-git/go-git/security/advisories/GHSA-37cx-329c-33x3   
      
   Please adjust the affected versions in the BTS as needed.   
      
   Regards,   
   Salvatore   
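
The integrity checks the CVE description refers to, as an added example that is not code from go-git or from this bug report: a .pack file ends with a checksum of everything before it, and a .idx file ends with the pack's checksum followed by its own. The sketch assumes a SHA-1 repository and a version 2 index; the function names are hypothetical and the sample data is constructed.

```go
package main

import (
	"bytes"
	"crypto/sha1"
	"fmt"
)

// splitTrailer checks the signature and that the last 20 bytes equal SHA-1(body) (SHA-1 repos only).
func splitTrailer(data, magic []byte) (body, sum []byte, err error) {
	if len(data) < len(magic)+sha1.Size || !bytes.HasPrefix(data, magic) {
		return nil, nil, fmt.Errorf("truncated file or bad signature")
	}
	body, sum = data[:len(data)-sha1.Size], data[len(data)-sha1.Size:]
	if want := sha1.Sum(body); !bytes.Equal(want[:], sum) {
		return nil, nil, fmt.Errorf("trailer mismatch: computed %x, stored %x", want, sum)
	}
	return body, sum, nil
}

// VerifyPackAndIdx checks both trailers and that the .idx names the checksum this .pack carries.
func VerifyPackAndIdx(pack, idx []byte) error {
	_, packSum, err := splitTrailer(pack, []byte("PACK"))
	if err != nil {
		return fmt.Errorf("pack: %w", err)
	}
	idxBody, _, err := splitTrailer(idx, []byte("\xfftOc"))
	if err != nil {
		return fmt.Errorf("idx: %w", err)
	}
	if len(idxBody) < sha1.Size || !bytes.Equal(idxBody[len(idxBody)-sha1.Size:], packSum) {
		return fmt.Errorf("idx: recorded pack checksum differs from the pack trailer")
	}
	return nil
}

// samplePair builds a constructed sample: an empty version 2 pack and its matching version 2 index.
func samplePair() (pack, idx []byte) {
	seal := func(b []byte) []byte { s := sha1.Sum(b); return append(b, s[:]...) }
	pack = seal([]byte("PACK\x00\x00\x00\x02\x00\x00\x00\x00"))
	head := append([]byte("\xfftOc\x00\x00\x00\x02"), make([]byte, 256*4)...)
	return pack, seal(append(head, pack[len(pack)-sha1.Size:]...))
}

func main() {
	pack, idx := samplePair()
	fmt.Println("intact:", VerifyPackAndIdx(pack, idx))
	pack[9] ^= 1 // constructed corruption: one flipped bit in the pack header
	fmt.Println("corrupted:", VerifyPackAndIdx(pack, idx))
}
```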
      