Debian Package Tracker
Register | Log in
Subscribe

golang-oras-oras-go

ORAS Go library

Choose email to subscribe with

general
  • source: golang-oras-oras-go (main)
  • version: 2.6.0-1
  • maintainer: Debian Go Packaging Team (DMD)
  • uploaders: Andreas Tille [DMD] – Nilesh Patra [DMD]
  • arch: all
  • std-ver: 4.7.2
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • oldstable: 1.1.1-1
  • stable: 2.5.0-1
  • testing: 2.6.0-1
  • unstable: 2.6.0-1
versioned links
  • 1.1.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.5.0-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.6.0-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • golang-oras-oras-go-dev
action needed
4 security issues in trixie high

There are 4 open security issues in trixie.

4 important issues:
  • CVE-2026-48978: oras-go is a Go library for managing OCI artifacts. Prior to 2.6.1, auth.Client follows the realm URL from a registry's WWW-Authenticate: Bearer challenge without validating the scheme or host, allowing a malicious or compromised registry to cause SSRF to internal networks such as http://169.254.169.254/, http://10.0.0.x/, and http://127.0.0.1/, or to downgrade a registry contacted over https:// to an http:// token endpoint in registry/remote/auth/client.go through Client.Do(), Client.fetchBearerToken(), fetchDistributionToken, and fetchOAuth2Token. This issue is fixed in version 2.6.1.
  • CVE-2026-50151: oras-go is a Go library for managing OCI artifacts. Prior to 2.6.1, registry/remote/repository.go in blobStore.completePushAfterInitialPost follows a registry-controlled Location header during monolithic blob upload and reuses the Authorization header from the initial POST request for the subsequent PUT request, allowing a malicious registry to return a cross-host Location and receive the caller's credentials at an attacker-controlled endpoint. This issue is fixed in version 2.6.1.
  • CVE-2026-50162: oras-go is a Go library for managing OCI artifacts. Prior to 2.6.1, resolveWritePath() in content/file/file.go uses a lexical filepath.Rel check for workingDir and does not account for symlink traversal, so when AllowPathTraversalOnWrite=false an attacker-controlled blob title through ocispec.AnnotationTitle such as out/pwn.txt can follow a workingDir symlink out -> /some/outside/dir and cause pushFile() to create /some/outside/dir/pwn.txt outside workingDir. This issue is fixed in version 2.6.1.
  • CVE-2026-50163: oras-go is a Go library for managing OCI artifacts. Prior to 2.6.2, ensureLinkPath in content/file/utils.go:262-275 validates a hardlink target relative to the extract base but returns the unresolved target, causing os.Link("victim.secret", "<extract_base>/payload.tar.gz/evil_cwd_link") to resolve header.Linkname against the process current working directory for a Typeflag=TypeLink entry such as Name=payload.tar.gz/evil_cwd_link and Linkname="victim.secret" with io.deis.oras.content.unpack: "true", which can expose or tamper with files such as .env, .git/config, .aws/credentials, and ~/.ssh/config. This issue is fixed in version 2.6.2.
Created: 2026-07-18 Last update: 2026-07-18 17:30
4 security issues in sid high

There are 4 open security issues in sid.

4 important issues:
  • CVE-2026-48978: oras-go is a Go library for managing OCI artifacts. Prior to 2.6.1, auth.Client follows the realm URL from a registry's WWW-Authenticate: Bearer challenge without validating the scheme or host, allowing a malicious or compromised registry to cause SSRF to internal networks such as http://169.254.169.254/, http://10.0.0.x/, and http://127.0.0.1/, or to downgrade a registry contacted over https:// to an http:// token endpoint in registry/remote/auth/client.go through Client.Do(), Client.fetchBearerToken(), fetchDistributionToken, and fetchOAuth2Token. This issue is fixed in version 2.6.1.
  • CVE-2026-50151: oras-go is a Go library for managing OCI artifacts. Prior to 2.6.1, registry/remote/repository.go in blobStore.completePushAfterInitialPost follows a registry-controlled Location header during monolithic blob upload and reuses the Authorization header from the initial POST request for the subsequent PUT request, allowing a malicious registry to return a cross-host Location and receive the caller's credentials at an attacker-controlled endpoint. This issue is fixed in version 2.6.1.
  • CVE-2026-50162: oras-go is a Go library for managing OCI artifacts. Prior to 2.6.1, resolveWritePath() in content/file/file.go uses a lexical filepath.Rel check for workingDir and does not account for symlink traversal, so when AllowPathTraversalOnWrite=false an attacker-controlled blob title through ocispec.AnnotationTitle such as out/pwn.txt can follow a workingDir symlink out -> /some/outside/dir and cause pushFile() to create /some/outside/dir/pwn.txt outside workingDir. This issue is fixed in version 2.6.1.
  • CVE-2026-50163: oras-go is a Go library for managing OCI artifacts. Prior to 2.6.2, ensureLinkPath in content/file/utils.go:262-275 validates a hardlink target relative to the extract base but returns the unresolved target, causing os.Link("victim.secret", "<extract_base>/payload.tar.gz/evil_cwd_link") to resolve header.Linkname against the process current working directory for a Typeflag=TypeLink entry such as Name=payload.tar.gz/evil_cwd_link and Linkname="victim.secret" with io.deis.oras.content.unpack: "true", which can expose or tamper with files such as .env, .git/config, .aws/credentials, and ~/.ssh/config. This issue is fixed in version 2.6.2.
Created: 2026-07-18 Last update: 2026-07-18 17:30
4 security issues in forky high

There are 4 open security issues in forky.

4 important issues:
  • CVE-2026-48978: oras-go is a Go library for managing OCI artifacts. Prior to 2.6.1, auth.Client follows the realm URL from a registry's WWW-Authenticate: Bearer challenge without validating the scheme or host, allowing a malicious or compromised registry to cause SSRF to internal networks such as http://169.254.169.254/, http://10.0.0.x/, and http://127.0.0.1/, or to downgrade a registry contacted over https:// to an http:// token endpoint in registry/remote/auth/client.go through Client.Do(), Client.fetchBearerToken(), fetchDistributionToken, and fetchOAuth2Token. This issue is fixed in version 2.6.1.
  • CVE-2026-50151: oras-go is a Go library for managing OCI artifacts. Prior to 2.6.1, registry/remote/repository.go in blobStore.completePushAfterInitialPost follows a registry-controlled Location header during monolithic blob upload and reuses the Authorization header from the initial POST request for the subsequent PUT request, allowing a malicious registry to return a cross-host Location and receive the caller's credentials at an attacker-controlled endpoint. This issue is fixed in version 2.6.1.
  • CVE-2026-50162: oras-go is a Go library for managing OCI artifacts. Prior to 2.6.1, resolveWritePath() in content/file/file.go uses a lexical filepath.Rel check for workingDir and does not account for symlink traversal, so when AllowPathTraversalOnWrite=false an attacker-controlled blob title through ocispec.AnnotationTitle such as out/pwn.txt can follow a workingDir symlink out -> /some/outside/dir and cause pushFile() to create /some/outside/dir/pwn.txt outside workingDir. This issue is fixed in version 2.6.1.
  • CVE-2026-50163: oras-go is a Go library for managing OCI artifacts. Prior to 2.6.2, ensureLinkPath in content/file/utils.go:262-275 validates a hardlink target relative to the extract base but returns the unresolved target, causing os.Link("victim.secret", "<extract_base>/payload.tar.gz/evil_cwd_link") to resolve header.Linkname against the process current working directory for a Typeflag=TypeLink entry such as Name=payload.tar.gz/evil_cwd_link and Linkname="victim.secret" with io.deis.oras.content.unpack: "true", which can expose or tamper with files such as .env, .git/config, .aws/credentials, and ~/.ssh/config. This issue is fixed in version 2.6.2.
Created: 2026-07-18 Last update: 2026-07-18 17:30
4 security issues in bookworm high

There are 4 open security issues in bookworm.

4 important issues:
  • CVE-2026-48978: oras-go is a Go library for managing OCI artifacts. Prior to 2.6.1, auth.Client follows the realm URL from a registry's WWW-Authenticate: Bearer challenge without validating the scheme or host, allowing a malicious or compromised registry to cause SSRF to internal networks such as http://169.254.169.254/, http://10.0.0.x/, and http://127.0.0.1/, or to downgrade a registry contacted over https:// to an http:// token endpoint in registry/remote/auth/client.go through Client.Do(), Client.fetchBearerToken(), fetchDistributionToken, and fetchOAuth2Token. This issue is fixed in version 2.6.1.
  • CVE-2026-50151: oras-go is a Go library for managing OCI artifacts. Prior to 2.6.1, registry/remote/repository.go in blobStore.completePushAfterInitialPost follows a registry-controlled Location header during monolithic blob upload and reuses the Authorization header from the initial POST request for the subsequent PUT request, allowing a malicious registry to return a cross-host Location and receive the caller's credentials at an attacker-controlled endpoint. This issue is fixed in version 2.6.1.
  • CVE-2026-50162: oras-go is a Go library for managing OCI artifacts. Prior to 2.6.1, resolveWritePath() in content/file/file.go uses a lexical filepath.Rel check for workingDir and does not account for symlink traversal, so when AllowPathTraversalOnWrite=false an attacker-controlled blob title through ocispec.AnnotationTitle such as out/pwn.txt can follow a workingDir symlink out -> /some/outside/dir and cause pushFile() to create /some/outside/dir/pwn.txt outside workingDir. This issue is fixed in version 2.6.1.
  • CVE-2026-50163: oras-go is a Go library for managing OCI artifacts. Prior to 2.6.2, ensureLinkPath in content/file/utils.go:262-275 validates a hardlink target relative to the extract base but returns the unresolved target, causing os.Link("victim.secret", "<extract_base>/payload.tar.gz/evil_cwd_link") to resolve header.Linkname against the process current working directory for a Typeflag=TypeLink entry such as Name=payload.tar.gz/evil_cwd_link and Linkname="victim.secret" with io.deis.oras.content.unpack: "true", which can expose or tamper with files such as .env, .git/config, .aws/credentials, and ~/.ssh/config. This issue is fixed in version 2.6.2.
Created: 2026-07-18 Last update: 2026-07-18 17:30
A new upstream version is available: 3.0.2-dev high
A new upstream version 3.0.2-dev is available, you should consider packaging it.
Created: 2026-03-14 Last update: 2026-07-18 15:02
Standards version of the package is outdated. wishlist
The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.4 instead of 4.7.2).
Created: 2025-12-23 Last update: 2026-03-31 15:01
news
[rss feed]
  • [2025-10-22] golang-oras-oras-go 2.6.0-1 MIGRATED to testing (Debian testing watch)
  • [2025-10-19] Accepted golang-oras-oras-go 2.6.0-1 (source) into unstable (Nilesh Patra)
  • [2024-06-21] golang-oras-oras-go 2.5.0-1 MIGRATED to testing (Debian testing watch)
  • [2024-06-18] Accepted golang-oras-oras-go 2.5.0-1 (source) into unstable (Nilesh Patra)
  • [2022-04-30] golang-oras-oras-go 1.1.1-1 MIGRATED to testing (Debian testing watch)
  • [2022-04-27] Accepted golang-oras-oras-go 1.1.1-1 (source) into unstable (Nilesh Patra)
  • [2022-02-24] golang-oras-oras-go 1.1.0-2 MIGRATED to testing (Debian testing watch)
  • [2022-02-22] Accepted golang-oras-oras-go 1.1.0-2 (source) into unstable (Andreas Tille)
  • [2022-02-21] Accepted golang-oras-oras-go 1.1.0-1 (source all) into unstable, unstable (Debian FTP Masters) (signed by: Andreas Tille)
bugs [bug history graph]
  • all: 0
links
  • homepage
  • lintian
  • buildd: logs, reproducibility
  • popcon
  • browse source code
  • other distros
  • security tracker
  • debci
ubuntu Ubuntu logo [Information about Ubuntu for Debian Developers]
  • version: 2.6.0-1

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers
Report problems to the tracker.debian.org pseudo-package in the Debian BTS.
Documentation — Bugs — Git Repository — Contributing