@renovate renovate bot commented Dec 22, 2025

This PR contains the following updates:

Package Change
github.com/sigstore/timestamp-authority v1.2.8 -> v2.0.3

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2025-66564

Impact

Excessive memory allocation

Function api.ParseJSONRequest currently splits (via a call to strings.Split) an optionally-provided OID (which is untrusted data) on periods. Similarly, function api.getContentType splits the Content-Type header (which is also untrusted data) on an application string.

As a result, in the face of a malicious request with either an excessively long OID in the payload containing many period characters or a malformed Content-Type header, a call to api.ParseJSONRequest or api.getContentType incurs allocations of O(n) bytes (where n stands for the length of the function's argument). Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification)

Patches

Upgrade to v2.0.3.

Workarounds

There are no workarounds with the service itself. If the service is behind a load balancer, configure the load balancer to reject excessively large requests.


Sigstore Timestamp Authority allocates excessive memory during request parsing

CVE-2025-66564 / GHSA-4qg8-fj49-pxjh / GO-2025-4192

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

sigstore/timestamp-authority (github.com/sigstore/timestamp-authority)

v2.0.3

Vulnerability Fixes

v2.0.2

This release bumps the Go version to 1.25.

v2.0.1

This release is identical to v2.0.0, as it only contains a fix for the release pipeline.

v2.0.0

v2.0.0 changes the default HTTP response code to 200 for timestamp responses,
which matches all other well-known TSA implementations. Sigstore clients already
handle both 200 and 201 response codes, so no changes are needed to clients.

If you need backwards compatibility, you can deploy the service with
--use-http-201.

This release also changes the format of the binary and container signature,
which is now a Sigstore bundle.
To verify a release, use the latest Cosign 3.x, verifying with
cosign verify-blob --bundle <artifact>-keyless.sigstore.json <artifact>.

Features

  • changes default HTTP response code to 200 for timestamp responses (#1202)
  • feat: add configurable max request body size for TSA server (#1176)

Testing

  • test: Add a K6 loadtest

Documentation

  • Minor improvements to documentation (#1169)

Misc

  • (fix): minor gosec issues under x509.go (#1201)

v1.2.9

  • logging: Don't use Error when logging 4xx responses (#1159)
  • add feature to disable intermediate cert EKU enforcement (#1146)
  • add documentation for AWS KMS example (#1094)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.
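The CWE-405 pattern in the advisory above, as an added example that is not code from the timestamp-authority project: an unbounded strings.Split on an untrusted OID beside a parser that enforces length and arc-count caps before allocating. The cap values and function names are assumptions chosen for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Assumed caps (not the project's values): real OIDs have a handful of arcs.
const (
	maxOIDLen  = 128
	maxOIDArcs = 32
)

var errBadOID = errors.New("invalid or oversized OID")

// splitOIDUnbounded is the pattern the advisory describes: strings.Split
// allocates one element per separator, so n bytes of periods cost O(n) memory.
func splitOIDUnbounded(oid string) []string {
	return strings.Split(oid, ".")
}

// parseOIDBounded rejects oversized input with constant-memory checks before
// any allocation, then validates each arc as a base-10 uint32.
func parseOIDBounded(oid string) ([]uint32, error) {
	if oid == "" || len(oid) > maxOIDLen {
		return nil, errBadOID
	}
	nArcs := strings.Count(oid, ".") + 1 // O(n) time, O(1) memory
	if nArcs < 2 || nArcs > maxOIDArcs {
		return nil, errBadOID
	}
	arcs := make([]uint32, 0, nArcs)
	for _, part := range strings.Split(oid, ".") {
		v, err := strconv.ParseUint(part, 10, 32) // rejects "", signs, overflow
		if err != nil {
			return nil, errBadOID
		}
		arcs = append(arcs, uint32(v))
	}
	return arcs, nil
}

func main() {
	hostile := strings.Repeat(".", 1<<20) // constructed 1 MiB payload of periods
	fmt.Println("unbounded split elements:", len(splitOIDUnbounded(hostile)))
	_, err := parseOIDBounded(hostile)
	fmt.Println("bounded parser:", err)
}
```

The length check is the same idea as the configurable max request body size added in v2.0.0, applied one layer deeper to the individual field.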

@renovate renovate bot requested a review from a team as a code owner December 22, 2025 17:22

renovate bot commented Dec 22, 2025

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 64 additional dependencies were updated
  • The go directive was updated for compatibility reasons

Details:

Package Change
go 1.24.0 -> 1.25.0
cloud.google.com/go/auth v0.16.2 -> v0.17.0
cloud.google.com/go/compute/metadata v0.7.0 -> v0.9.0
cloud.google.com/go/kms v1.22.0 -> v1.23.2
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0 -> v1.20.0
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.10.1 -> v1.13.1
github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.1 -> v1.11.2
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.3.1 -> v1.4.0
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.1.1 -> v1.2.0
github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2 -> v1.6.0
github.com/aws/aws-sdk-go-v2/config v1.31.19 -> v1.31.20
github.com/aws/aws-sdk-go-v2/credentials v1.18.23 -> v1.18.24
github.com/aws/aws-sdk-go-v2/service/kms v1.41.0 -> v1.48.2
github.com/aws/aws-sdk-go-v2/service/sso v1.30.2 -> v1.30.3
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.6 -> v1.35.7
github.com/aws/aws-sdk-go-v2/service/sts v1.40.1 -> v1.40.2
github.com/coreos/go-oidc/v3 v3.14.1 -> v3.16.0
github.com/gabriel-vasile/mimetype v1.4.8 -> v1.4.10
github.com/go-jose/go-jose/v4 v4.1.2 -> v4.1.3
github.com/go-openapi/analysis v0.23.0 -> v0.24.1
github.com/go-openapi/errors v0.22.1 -> v0.22.4
github.com/go-openapi/jsonpointer v0.21.1 -> v0.22.1
github.com/go-openapi/jsonreference v0.21.0 -> v0.21.3
github.com/go-openapi/loads v0.22.0 -> v0.23.2
github.com/go-openapi/runtime v0.28.0 -> v0.29.2
github.com/go-openapi/spec v0.21.0 -> v0.22.1
github.com/go-openapi/strfmt v0.23.0 -> v0.25.0
github.com/go-openapi/swag v0.23.1 -> v0.25.4
github.com/go-playground/validator/v10 v10.27.0 -> v10.28.0
github.com/golang-jwt/jwt/v5 v5.2.2 -> v5.3.0
github.com/googleapis/enterprise-certificate-proxy v0.3.6 -> v0.3.7
github.com/googleapis/gax-go/v2 v2.14.2 -> v2.15.0
github.com/jellydator/ttlcache/v3 v3.3.0 -> v3.4.0
github.com/prometheus/client_golang v1.22.0 -> v1.23.2
github.com/prometheus/common v0.64.0 -> v0.66.1
github.com/sagikazarmark/locafero v0.9.0 -> v0.11.0
github.com/secure-systems-lab/go-securesystemslib v0.9.0 -> v0.9.1
github.com/sigstore/protobuf-specs v0.4.3 -> v0.5.0
github.com/sigstore/sigstore v1.9.5 -> v1.10.0
github.com/sigstore/sigstore/pkg/signature/kms/aws v1.9.5 -> v1.10.0
github.com/sigstore/sigstore/pkg/signature/kms/azure v1.9.5 -> v1.10.0
github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.9.5 -> v1.10.0
github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.9.5 -> v1.10.0
github.com/sourcegraph/conc v0.3.0 -> v0.3.1-0.20240121214520-5f936abd7ae8
github.com/spf13/afero v1.14.0 -> v1.15.0
github.com/spf13/cast v1.9.2 -> v1.10.0
github.com/spf13/cobra v1.9.1 -> v1.10.2
github.com/spf13/pflag v1.0.7 -> v1.0.10
github.com/spf13/viper v1.20.1 -> v1.21.0
go.mongodb.org/mongo-driver v1.17.3 -> v1.17.6
go.opentelemetry.io/auto/sdk v1.1.0 -> v1.2.1
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0 -> v0.63.0
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 -> v0.63.0
go.uber.org/mock v0.5.2 -> v0.6.0
go.uber.org/zap v1.27.0 -> v1.27.1
golang.org/x/crypto v0.44.0 -> v0.45.0
golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0 -> v0.0.0-20250620022241-b7579e27df2b
golang.org/x/oauth2 v0.30.0 -> v0.33.0
golang.org/x/time v0.12.0 -> v0.14.0
google.golang.org/api v0.242.0 -> v0.256.0
google.golang.org/genproto v0.0.0-20250505200425-f936aa4a68b2 -> v0.0.0-20250603155806-513f23925822
k8s.io/utils v0.0.0-20250321185631-1f6e0b77f77e -> v0.0.0-20250820121507-0af2bda4dd1d
sigs.k8s.io/release-utils v0.11.1 -> v0.12.2
sigs.k8s.io/yaml v1.4.0 -> v1.6.0
google.golang.org/genproto/googleapis/rpc v0.0.0-20250825161204-c5933d9347a5 -> v0.0.0-20251103181224-f26f9409b101
