Skip to content

chore(deps): update module github.com/sigstore/sigstore-go to v1.2.0 [security] (main)#186

Open
crossplane-renovate[bot] wants to merge 1 commit into
mainfrom
renovate/main-go-github.com-sigstore-sigstore-go-vulnerability
Open

chore(deps): update module github.com/sigstore/sigstore-go to v1.2.0 [security] (main)#186
crossplane-renovate[bot] wants to merge 1 commit into
mainfrom
renovate/main-go-github.com-sigstore-sigstore-go-vulnerability

Conversation

@crossplane-renovate

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
github.com/sigstore/sigstore-go v1.1.4v1.2.0 age confidence

sigstore-go has a multi-log threshold bypass via single compromised log

CVE-2026-49834 / GHSA-9vcr-p3rj-q5q6

More information

Details

Impact

What kind of vulnerability is it? Who is impacted?

A verifier configured with WithTransparencyLog(N>1) or WithSignedCertificateTimestamps(N>1) expected defense-in-depth against the compromise of a single log instance. However, threshold counting counted verified witnesses per-entry or per-validation-path rather than per-log-authority.

As a result, a single compromised transparency log could forge multiple entries with different indices, and a single compromised CT log could verify multiple times (either across multiple certificate chains or via multiple embedded SCTs), fully satisfying the multi-log threshold requirements and defeating the multi-log policy.

Note that this does not affect Cosign, as Cosign sets a threshold of 1.

Patches

Has the problem been patched? What versions should users upgrade to?

Upgrade to v1.1.5.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

There is no workaround, beyond relying on trusted logs.

Severity

  • CVSS Score: 5.9 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

sigstore/sigstore-go (github.com/sigstore/sigstore-go)

v1.2.0

Compare Source

What's Changed

New Contributors

Full Changelog: sigstore/sigstore-go@v1.1.4...v1.2.0


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

@crossplane-renovate crossplane-renovate Bot requested review from a team, jcogilvie and tampakrap as code owners July 10, 2026 09:04
@crossplane-renovate crossplane-renovate Bot requested review from haarchri and removed request for a team July 10, 2026 09:04
@crossplane-renovate

Copy link
Copy Markdown
Contributor Author

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 37 additional dependencies were updated

Details:

Package Change
github.com/aws/aws-sdk-go-v2 v1.41.6 -> v1.41.7
github.com/aws/aws-sdk-go-v2/config v1.32.14 -> v1.32.17
github.com/aws/aws-sdk-go-v2/credentials v1.19.14 -> v1.19.16
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.21 -> v1.18.23
github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.22 -> v1.4.23
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.22 -> v2.7.23
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.7 -> v1.13.9
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.21 -> v1.13.23
github.com/aws/aws-sdk-go-v2/service/signin v1.0.9 -> v1.0.11
github.com/aws/aws-sdk-go-v2/service/sso v1.30.15 -> v1.30.17
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.19 -> v1.35.21
github.com/aws/aws-sdk-go-v2/service/sts v1.41.10 -> v1.42.1
github.com/aws/smithy-go v1.25.0 -> v1.25.1
github.com/go-chi/chi/v5 v5.2.5 -> v5.3.0
github.com/go-openapi/analysis v0.25.0 -> v0.25.2
github.com/go-openapi/jsonpointer v0.22.5 -> v0.23.1
github.com/go-openapi/jsonreference v0.21.5 -> v0.21.6
github.com/go-openapi/runtime v0.29.4 -> v0.32.3
github.com/go-openapi/spec v0.22.4 -> v0.22.5
github.com/go-openapi/strfmt v0.26.2 -> v0.26.3
github.com/go-openapi/validate v0.25.2 -> v0.25.3
github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0 -> v2.29.0
github.com/in-toto/attestation v1.1.2 -> v1.2.0
github.com/letsencrypt/boulder v0.20260223.0 -> v0.20260309.0
github.com/prometheus/procfs v0.19.2 -> v0.20.1
github.com/sigstore/rekor-tiles/v2 v2.2.1 -> v2.2.2-0.20260601073857-5d098a2b6443
github.com/sigstore/sigstore v1.10.6 -> v1.10.8
github.com/sigstore/timestamp-authority/v2 v2.0.6 -> v2.1.2
github.com/theupdateframework/go-tuf/v2 v2.4.1 -> v2.4.2-0.20260407074541-7e8f69f906ef
github.com/transparency-dev/formats v0.0.0-20251208091212-1378f9e1b1b7 -> v0.1.1
go.opentelemetry.io/otel v1.43.0 -> v1.44.0
go.opentelemetry.io/otel/metric v1.43.0 -> v1.44.0
go.opentelemetry.io/otel/sdk v1.43.0 -> v1.44.0
go.opentelemetry.io/otel/trace v1.43.0 -> v1.44.0
go.yaml.in/yaml/v2 v2.4.3 -> v2.4.4
google.golang.org/genproto/googleapis/api v0.0.0-20260427160629-7cedc36a6bc4 -> v0.0.0-20260526163538-3dc84a4a5aaa
google.golang.org/genproto/googleapis/rpc v0.0.0-20260427160629-7cedc36a6bc4 -> v0.0.0-20260523011958-0a33c5d7ca68

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants