2 matches found
GO-2024-3166 Incorrect delegation lookups can make go-tuf download the wrong artifact in github.com/theupdateframework/go-tuf
notation-go's verification bypass can cause users to verify the wrong artifact
Impact: An attacker who controls or compromises a registry can lead a user to verify the wrong artifact. Patches: The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade their notation-go library to v1.0.0-rc.6 or above. Workarounds: Users should use secure and trusted container...