
fix(deps): update module github.com/sigstore/timestamp-authority to v2 [security] (alauda-v2.5.3)#18

Closed
alaudaa-renovate[bot] wants to merge 1 commit into
alauda-v2.5.3from
renovate/alauda-v2.5.3-go-github.com-sigstore-timestamp-authority-vulnerability
Closed

Conversation

@alaudaa-renovate


This PR contains the following updates:

  • Package: github.com/sigstore/timestamp-authority
  • Change: v1.2.9 -> v2.0.3

GitHub Vulnerability Alerts

CVE-2025-66564

Impact

Excessive memory allocation

Function api.ParseJSONRequest currently splits (via a call to strings.Split) an optionally-provided OID (which is untrusted data) on periods. Similarly, function api.getContentType splits the Content-Type header (which is also untrusted data) on an application string.

As a result, in the face of a malicious request with either an excessively long OID in the payload containing many period characters or a malformed Content-Type header, a call to api.ParseJSONRequest or api.getContentType incurs allocations of O(n) bytes (where n stands for the length of the function's argument). Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification)

Patches

Upgrade to v2.0.3.

Workarounds

There are no workarounds with the service itself. If the service is behind a load balancer, configure the load balancer to reject excessively large requests.
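The defensive pattern the advisory and the v2 body-size feature point at, as an added Go example that is not the timestamp-authority project's own code: the OID is checked for length and arc count before it is split, and the JSON body is read through a hard size limit. The limit values, the TimestampRequest type and its tsaPolicyOID key are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"io"
	"strconv"
	"strings"
)

// Limits chosen for this example, not the upstream project's values.
const maxBodyBytes, maxOIDLen, maxOIDArcs = 1 << 20, 64, 16

var errBadOID = errors.New("invalid or oversized OID")

// ParseBoundedOID rejects overlong input and too many arcs (strings.Count
// allocates nothing) before strings.Split, bounding the work by maxOIDArcs.
func ParseBoundedOID(s string) ([]int, error) {
	if s == "" || len(s) > maxOIDLen || strings.Count(s, ".")+1 > maxOIDArcs {
		return nil, errBadOID
	}
	arcs := make([]int, 0, maxOIDArcs)
	for _, part := range strings.Split(s, ".") {
		n, err := strconv.Atoi(part)
		if err != nil || n < 0 {
			return nil, errBadOID
		}
		arcs = append(arcs, n)
	}
	return arcs, nil
}

// TimestampRequest holds only the optional OID field; the JSON key is assumed.
type TimestampRequest struct {
	TSAPolicyOID string `json:"tsaPolicyOID"`
}

// DecodeTimestampRequest never reads more than maxBodyBytes, the in-process
// counterpart of the load-balancer size limit the advisory recommends.
func DecodeTimestampRequest(body io.Reader) (*TimestampRequest, error) {
	var req TimestampRequest
	if err := json.NewDecoder(io.LimitReader(body, maxBodyBytes)).Decode(&req); err != nil {
		return nil, err
	}
	if _, err := ParseBoundedOID(req.TSAPolicyOID); req.TSAPolicyOID != "" && err != nil {
		return nil, err // the OID is optional, so an empty value passes
	}
	return &req, nil
}
```

In a real handler the same body cap is usually applied with http.MaxBytesReader, which additionally tells the server to close the connection on overflow.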


Sigstore Timestamp Authority allocates excessive memory during request parsing

CVE-2025-66564 / GHSA-4qg8-fj49-pxjh / GO-2025-4192

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

sigstore/timestamp-authority (github.com/sigstore/timestamp-authority)

v2.0.3


Vulnerability Fixes

v2.0.2


This release bumps the Go version to 1.25.

v2.0.1


This release is identical to v2.0.0, as it only contains a fix for the release pipeline.

v2.0.0


v2.0.0 changes the default HTTP response code to 200 for timestamp responses,
which matches all other well-known TSA implementations. Sigstore clients already
handle both 200 and 201 response codes, so no changes are needed to clients.

If you need backwards compatibility, you can deploy the service with
--use-http-201.

This release also changes the format of the binary and container signature,
which is now a Sigstore bundle.
To verify a release, use the latest Cosign 3.x, verifying with
cosign verify-blob --bundle <artifact>-keyless.sigstore.json <artifact>.

Features

  • changes default HTTP response code to 200 for timestamp responses (#1202)
  • feat: add configurable max request body size for TSA server (#1176)

Testing

  • test: Add a K6 loadtest

Documentation

  • Minor improvements to documentation (#1169)

Misc

  • (fix): minor gosec issues under x509.go (#1201)

Configuration

📅 Schedule: Branch creation - "" in timezone Asia/Shanghai, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Renovate Bot.

@alaudabot

alaudabot commented Jan 18, 2026


🤖 AI Code Review

  • Model: mistralai/devstral-2512:free
  • Style: strict
  • Issues Found: 0
  • Warnings/Errors: 0
  • Personalized Prompt: ❌ No
  • Reviewed at: 2026-01-27 09:45:06 UTC

Summary

This PR updates the github.com/sigstore/timestamp-authority module from v1.2.9 to v2.0.3. The update is marked as a security fix, indicating it addresses potential vulnerabilities in the dependency. The changes are minimal and focused, affecting only the go.mod and go.sum files.

Review Statistics

  • Critical Issues: 0
  • Warnings: 0
  • Suggestions: 0
  • Files Reviewed: 2

Critical Issues

Issues that MUST be addressed before merging (security, bugs, breaking changes)

None identified.

Warnings

Issues that SHOULD be addressed but are not blocking

None identified.

Suggestions

Recommendations for improvement (nice to have)

None identified.

Positive Feedback

  • The PR is well-focused and addresses a security concern by updating a dependency to a newer major version.
  • The changes are minimal and do not introduce unnecessary modifications to the codebase.
  • The update includes the necessary checksums in go.sum, ensuring the integrity of the new dependency.


ℹ️ About this review

This review was automatically generated using the run-actions workflow.

@alaudaa-renovate alaudaa-renovate Bot force-pushed the renovate/alauda-v2.5.3-go-github.com-sigstore-timestamp-authority-vulnerability branch from b46468d to 0225a21 on January 27, 2026 09:42
@l-qing l-qing closed this Feb 1, 2026
@alaudaa-renovate


Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update. You will not get PRs for any future 2.x releases. But if you manually upgrade to 2.x then Renovate will re-enable minor and patch updates automatically.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.

@alaudaa-renovate alaudaa-renovate Bot deleted the renovate/alauda-v2.5.3-go-github.com-sigstore-timestamp-authority-vulnerability branch February 1, 2026 06:02