Skip to content

chore(deps): update module github.com/sigstore/sigstore-go to v1.2.0 [security] (release-2.4)#188

Open
crossplane-renovate[bot] wants to merge 1 commit into
release-2.4from
renovate/release-2.4-go-github.com-sigstore-sigstore-go-vulnerability
Open

chore(deps): update module github.com/sigstore/sigstore-go to v1.2.0 [security] (release-2.4)#188
crossplane-renovate[bot] wants to merge 1 commit into
release-2.4from
renovate/release-2.4-go-github.com-sigstore-sigstore-go-vulnerability

Conversation

@crossplane-renovate

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
github.com/sigstore/sigstore-go v1.1.4v1.2.0 age confidence

sigstore-go has a multi-log threshold bypass via single compromised log

CVE-2026-49834 / GHSA-9vcr-p3rj-q5q6

More information

Details

Impact

What kind of vulnerability is it? Who is impacted?

A verifier configured with WithTransparencyLog(N>1) or WithSignedCertificateTimestamps(N>1) expected defense-in-depth against the compromise of a single log instance. However, threshold counting counted verified witnesses per-entry or per-validation-path rather than per-log-authority.

As a result, a single compromised transparency log could forge multiple entries with different indices, and a single compromised CT log could verify multiple times (either across multiple certificate chains or via multiple embedded SCTs), fully satisfying the multi-log threshold requirements and defeating the multi-log policy.

Note that this does not affect Cosign, as Cosign sets a threshold of 1.

Patches

Has the problem been patched? What versions should users upgrade to?

Upgrade to v1.1.5.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

There is no workaround, beyond relying on trusted logs.

Severity

  • CVSS Score: 5.9 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

sigstore/sigstore-go (github.com/sigstore/sigstore-go)

v1.2.0

Compare Source

What's Changed

New Contributors

Full Changelog: sigstore/sigstore-go@v1.1.4...v1.2.0


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

@crossplane-renovate

Copy link
Copy Markdown
Contributor Author

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 37 additional dependencies were updated

Details:

Package Change
github.com/aws/aws-sdk-go-v2 v1.41.6 -> v1.41.7
github.com/aws/aws-sdk-go-v2/config v1.32.14 -> v1.32.17
github.com/aws/aws-sdk-go-v2/credentials v1.19.14 -> v1.19.16
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.21 -> v1.18.23
github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.22 -> v1.4.23
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.22 -> v2.7.23
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.7 -> v1.13.9
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.21 -> v1.13.23
github.com/aws/aws-sdk-go-v2/service/signin v1.0.9 -> v1.0.11
github.com/aws/aws-sdk-go-v2/service/sso v1.30.15 -> v1.30.17
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.19 -> v1.35.21
github.com/aws/aws-sdk-go-v2/service/sts v1.41.10 -> v1.42.1
github.com/aws/smithy-go v1.25.0 -> v1.25.1
github.com/go-chi/chi/v5 v5.2.5 -> v5.3.0
github.com/go-openapi/analysis v0.25.0 -> v0.25.2
github.com/go-openapi/jsonpointer v0.22.5 -> v0.23.1
github.com/go-openapi/jsonreference v0.21.5 -> v0.21.6
github.com/go-openapi/runtime v0.29.4 -> v0.32.3
github.com/go-openapi/spec v0.22.4 -> v0.22.5
github.com/go-openapi/strfmt v0.26.2 -> v0.26.3
github.com/go-openapi/validate v0.25.2 -> v0.25.3
github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0 -> v2.29.0
github.com/in-toto/attestation v1.1.2 -> v1.2.0
github.com/letsencrypt/boulder v0.20260223.0 -> v0.20260309.0
github.com/prometheus/procfs v0.19.2 -> v0.20.1
github.com/sigstore/rekor-tiles/v2 v2.2.1 -> v2.2.2-0.20260601073857-5d098a2b6443
github.com/sigstore/sigstore v1.10.6 -> v1.10.8
github.com/sigstore/timestamp-authority/v2 v2.0.6 -> v2.1.2
github.com/theupdateframework/go-tuf/v2 v2.4.1 -> v2.4.2-0.20260407074541-7e8f69f906ef
github.com/transparency-dev/formats v0.0.0-20251208091212-1378f9e1b1b7 -> v0.1.1
go.opentelemetry.io/otel v1.43.0 -> v1.44.0
go.opentelemetry.io/otel/metric v1.43.0 -> v1.44.0
go.opentelemetry.io/otel/sdk v1.43.0 -> v1.44.0
go.opentelemetry.io/otel/trace v1.43.0 -> v1.44.0
go.yaml.in/yaml/v2 v2.4.3 -> v2.4.4
google.golang.org/genproto/googleapis/api v0.0.0-20260427160629-7cedc36a6bc4 -> v0.0.0-20260526163538-3dc84a4a5aaa
google.golang.org/genproto/googleapis/rpc v0.0.0-20260427160629-7cedc36a6bc4 -> v0.0.0-20260523011958-0a33c5d7ca68

@crossplane-renovate crossplane-renovate Bot requested a review from a team as a code owner July 10, 2026 09:05
@crossplane-renovate crossplane-renovate Bot requested review from phisco and removed request for a team July 10, 2026 09:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants