golang-github-cli-go-gh - Debian Package Tracker

general

source: golang-github-cli-go-gh (main)
version: 1.2.1-2
maintainer: Debian Go Packaging Team (DMD)
uploaders: Anthony Fok [DMD]
arch: all
std-ver: 4.6.2
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

oldstable: 1.0.0-1
stable: 1.2.1-2
testing: 1.2.1-2
unstable: 1.2.1-2

versioned links

1.0.0-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.2.1-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

golang-github-cli-go-gh-dev

action needed

A new upstream version is available: 2.13.0 high

A new upstream version 2.13.0 is available, you should consider packaging it.

Created: 2025-11-27 Last update: 2026-06-03 22:00

2 security issues in trixie high

There are 2 open security issues in trixie.

1 important issue:

CVE-2026-48501: GitHub CLI (gh) is GitHub’s official command line tool. Prior to 2.93.0, GitHub CLI incorrectly includes authorization header in API requests to TUF repository mirrors via gh attestation, gh release verify, and gh release verify-asset commands. The CLI uses a shared HTTP client with an authentication layer that automatically attaches tokens to outgoing requests. This layer lacks accurate host detection and can incorrectly attribute the target host, providing it with a token it should never receive. Specifically, the host normalization logic collapses any *.github.com subdomain to github.com, so a request to tuf-repo.github.com (a GitHub Pages site, not a GitHub API endpoint) is treated as a request to github.com and receives the user's github.com token. For hosts that don't match github.com or a known GHES instance at all, the resolver falls back to GH_ENTERPRISE_TOKEN if set. The gh attestation, gh release verify and gh release verify-asset commands fetch data from several external hosts as part of their normal operation (TUF metadata from tuf-repo.github.com and tuf-repo-cdn.sigstore.dev, artifact bundles from Azure Blob Storage). Because these requests go through the same authenticated HTTP client, the token is sent to all of them. This vulnerability is fixed in 2.93.0.

1 issue left for the package maintainer to handle:

CVE-2025-48938: (needs triaging) go-gh is a collection of Go modules to make authoring GitHub CLI extensions easier. A security vulnerability has been identified in versions prior to 2.12.1 where an attacker-controlled GitHub Enterprise Server could result in executing arbitrary commands on a user's machine by replacing HTTP URLs provided by GitHub with local file paths for browsing. In `2.12.1`, `Browser.Browse()` has been enhanced to allow and disallow a variety of scenarios to avoid opening or executing files on the filesystem without unduly impacting HTTP URLs. No known workarounds are available other than upgrading.

You can find information about how to handle this issue in the security team's documentation.

Created: 2025-05-30 Last update: 2026-06-01 09:01

2 security issues in sid high

There are 2 open security issues in sid.

2 important issues:

CVE-2025-48938: go-gh is a collection of Go modules to make authoring GitHub CLI extensions easier. A security vulnerability has been identified in versions prior to 2.12.1 where an attacker-controlled GitHub Enterprise Server could result in executing arbitrary commands on a user's machine by replacing HTTP URLs provided by GitHub with local file paths for browsing. In `2.12.1`, `Browser.Browse()` has been enhanced to allow and disallow a variety of scenarios to avoid opening or executing files on the filesystem without unduly impacting HTTP URLs. No known workarounds are available other than upgrading.
CVE-2026-48501: GitHub CLI (gh) is GitHub’s official command line tool. Prior to 2.93.0, GitHub CLI incorrectly includes authorization header in API requests to TUF repository mirrors via gh attestation, gh release verify, and gh release verify-asset commands. The CLI uses a shared HTTP client with an authentication layer that automatically attaches tokens to outgoing requests. This layer lacks accurate host detection and can incorrectly attribute the target host, providing it with a token it should never receive. Specifically, the host normalization logic collapses any *.github.com subdomain to github.com, so a request to tuf-repo.github.com (a GitHub Pages site, not a GitHub API endpoint) is treated as a request to github.com and receives the user's github.com token. For hosts that don't match github.com or a known GHES instance at all, the resolver falls back to GH_ENTERPRISE_TOKEN if set. The gh attestation, gh release verify and gh release verify-asset commands fetch data from several external hosts as part of their normal operation (TUF metadata from tuf-repo.github.com and tuf-repo-cdn.sigstore.dev, artifact bundles from Azure Blob Storage). Because these requests go through the same authenticated HTTP client, the token is sent to all of them. This vulnerability is fixed in 2.93.0.

Created: 2025-05-30 Last update: 2026-06-01 09:01

2 security issues in forky high

There are 2 open security issues in forky.

2 important issues:

CVE-2025-48938: go-gh is a collection of Go modules to make authoring GitHub CLI extensions easier. A security vulnerability has been identified in versions prior to 2.12.1 where an attacker-controlled GitHub Enterprise Server could result in executing arbitrary commands on a user's machine by replacing HTTP URLs provided by GitHub with local file paths for browsing. In `2.12.1`, `Browser.Browse()` has been enhanced to allow and disallow a variety of scenarios to avoid opening or executing files on the filesystem without unduly impacting HTTP URLs. No known workarounds are available other than upgrading.
CVE-2026-48501: GitHub CLI (gh) is GitHub’s official command line tool. Prior to 2.93.0, GitHub CLI incorrectly includes authorization header in API requests to TUF repository mirrors via gh attestation, gh release verify, and gh release verify-asset commands. The CLI uses a shared HTTP client with an authentication layer that automatically attaches tokens to outgoing requests. This layer lacks accurate host detection and can incorrectly attribute the target host, providing it with a token it should never receive. Specifically, the host normalization logic collapses any *.github.com subdomain to github.com, so a request to tuf-repo.github.com (a GitHub Pages site, not a GitHub API endpoint) is treated as a request to github.com and receives the user's github.com token. For hosts that don't match github.com or a known GHES instance at all, the resolver falls back to GH_ENTERPRISE_TOKEN if set. The gh attestation, gh release verify and gh release verify-asset commands fetch data from several external hosts as part of their normal operation (TUF metadata from tuf-repo.github.com and tuf-repo-cdn.sigstore.dev, artifact bundles from Azure Blob Storage). Because these requests go through the same authenticated HTTP client, the token is sent to all of them. This vulnerability is fixed in 2.93.0.

Created: 2025-08-09 Last update: 2026-06-01 09:01

2 security issues in bookworm high

There are 2 open security issues in bookworm.

1 important issue:

CVE-2026-48501: GitHub CLI (gh) is GitHub’s official command line tool. Prior to 2.93.0, GitHub CLI incorrectly includes authorization header in API requests to TUF repository mirrors via gh attestation, gh release verify, and gh release verify-asset commands. The CLI uses a shared HTTP client with an authentication layer that automatically attaches tokens to outgoing requests. This layer lacks accurate host detection and can incorrectly attribute the target host, providing it with a token it should never receive. Specifically, the host normalization logic collapses any *.github.com subdomain to github.com, so a request to tuf-repo.github.com (a GitHub Pages site, not a GitHub API endpoint) is treated as a request to github.com and receives the user's github.com token. For hosts that don't match github.com or a known GHES instance at all, the resolver falls back to GH_ENTERPRISE_TOKEN if set. The gh attestation, gh release verify and gh release verify-asset commands fetch data from several external hosts as part of their normal operation (TUF metadata from tuf-repo.github.com and tuf-repo-cdn.sigstore.dev, artifact bundles from Azure Blob Storage). Because these requests go through the same authenticated HTTP client, the token is sent to all of them. This vulnerability is fixed in 2.93.0.

1 issue left for the package maintainer to handle:

CVE-2025-48938: (needs triaging) go-gh is a collection of Go modules to make authoring GitHub CLI extensions easier. A security vulnerability has been identified in versions prior to 2.12.1 where an attacker-controlled GitHub Enterprise Server could result in executing arbitrary commands on a user's machine by replacing HTTP URLs provided by GitHub with local file paths for browsing. In `2.12.1`, `Browser.Browse()` has been enhanced to allow and disallow a variety of scenarios to avoid opening or executing files on the filesystem without unduly impacting HTTP URLs. No known workarounds are available other than upgrading.

You can find information about how to handle this issue in the security team's documentation.

Created: 2025-05-30 Last update: 2026-06-01 09:01

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.4 instead of 4.6.2).

Created: 2024-04-07 Last update: 2026-03-31 15:01

news

[rss feed]

[2025-03-05] golang-github-cli-go-gh 1.2.1-2 MIGRATED to testing (Debian testing watch)
[2025-03-02] Accepted golang-github-cli-go-gh 1.2.1-2 (source) into unstable (Jochen Sprickerhof)
[2023-07-06] golang-github-cli-go-gh 1.2.1-1 MIGRATED to testing (Debian testing watch)
[2023-07-03] Accepted golang-github-cli-go-gh 1.2.1-1 (source) into unstable (Anthony Fok)
[2023-01-28] golang-github-cli-go-gh 1.0.0-1 MIGRATED to testing (Debian testing watch)
[2023-01-25] Accepted golang-github-cli-go-gh 1.0.0-1 (source) into unstable (Anthony Fok)
[2022-10-25] Accepted golang-github-cli-go-gh 0.1.2-1~bpo11+1 (source) into bullseye-backports (Anthony Fok)
[2022-10-23] golang-github-cli-go-gh 0.1.2-1 MIGRATED to testing (Debian testing watch)
[2022-10-21] Accepted golang-github-cli-go-gh 0.1.2-1 (source) into unstable (Anthony Fok)
[2022-10-01] golang-github-cli-go-gh 0.1.0+git20220919.802b578-1 MIGRATED to testing (Debian testing watch)
[2022-09-28] Accepted golang-github-cli-go-gh 0.1.0+git20220919.802b578-1 (source) into unstable (Anthony Fok)
[2022-09-07] golang-github-cli-go-gh 0.1.0+git20220825.34c1b91-1 MIGRATED to testing (Debian testing watch)
[2022-09-05] Accepted golang-github-cli-go-gh 0.1.0+git20220825.34c1b91-1 (source) into unstable (Anthony Fok)
[2022-08-30] golang-github-cli-go-gh 0.1.0-1 MIGRATED to testing (Debian testing watch)
[2022-08-14] Accepted golang-github-cli-go-gh 0.1.0-1 (source) into unstable (Anthony Fok)
[2022-08-13] golang-github-cli-go-gh 0.0.3+git20220623.91ca4ef-2 MIGRATED to testing (Debian testing watch)
[2022-08-10] Accepted golang-github-cli-go-gh 0.0.3+git20220623.91ca4ef-2 (source) into unstable (Anthony Fok)
[2022-07-19] Accepted golang-github-cli-go-gh 0.0.3+git20220623.91ca4ef-1 (source) into unstable (Anthony Fok)
[2022-06-20] golang-github-cli-go-gh 0.0.3+git20220614.ef2bca9-1 MIGRATED to testing (Debian testing watch)
[2022-06-20] golang-github-cli-go-gh 0.0.3+git20220614.ef2bca9-1 MIGRATED to testing (Debian testing watch)
[2022-06-17] Accepted golang-github-cli-go-gh 0.0.3+git20220614.ef2bca9-1 (source) into unstable (Anthony Fok)
[2022-06-14] Accepted golang-github-cli-go-gh 0.0.3-1 (source all) into unstable, unstable (Debian FTP Masters) (signed by: Anthony Fok)

bugs [bug history graph]

all: 1
RC: 0
I&N: 1
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian
buildd: logs, reproducibility
popcon
browse source code
other distros
security tracker
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1.2.1-2