
chore(deps): update module github.com/sigstore/timestamp-authority/v2 to v2.1.0 [security] (main)#174

Open

crossplane-renovate[bot] wants to merge 1 commit into main from renovate/main-go-github.com-sigstore-timestamp-authority-v2-vulnerability

Conversation

@crossplane-renovate

Contributor

This PR contains the following updates:

Package: github.com/sigstore/timestamp-authority/v2
Change: v2.0.6 -> v2.1.0

Sigstore Timestamp Authority has OOM due to unbounded metric label cardinality

CVE-2026-49835 / GHSA-9c54-x2g4-v92j


Impact

An unauthenticated remote attacker can trigger unbounded memory growth on the timestamp authority server.

This vulnerability exists because the global wrapMetrics middleware records the raw HTTP request path (r.URL.Path) and raw HTTP request method (r.Method) as Prometheus labels for latency and request count metric vectors. Since this middleware runs before standard routing occurs, it executes for all incoming requests, including those for unmatched paths (yielding 404 responses) or arbitrary request methods. The Prometheus library registers a new, permanent time-series entry for every distinct label combination. An attacker can continuously issue requests containing random paths (e.g., /api/v1/timestamp/<uuid>) or random HTTP methods to exhaust system memory.

Patches

This issue has been patched by limiting the metric label values to a strict allowlist of expected paths (/ping, /api/v1/timestamp, /api/v1/timestamp/certchain) and expected HTTP methods (GET, POST, HEAD, OPTIONS). Unrecognized paths or methods are normalized to a static string ("unrecognized").

Users should update to version v2.0.7 or later.

Workarounds
  1. Block or drop incoming requests with invalid HTTP methods or unknown request paths at a reverse proxy or load balancer before they reach the timestamp authority server.
  2. Configure rate-limiting on the public interface to prevent remote attackers from issuing millions of unique requests in a short duration.

Severity

  • CVSS Score: 5.9 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).



Release Notes

sigstore/timestamp-authority (github.com/sigstore/timestamp-authority/v2)

v2.1.0

What's Changed

  • Bound path and HTTP method metric label cardinality to prevent OOM in #1374
  • Fix spec violations in policy, EKU, and hash verification in #1375

Full Changelog: sigstore/timestamp-authority@v2.0.6...v2.1.0


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.
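The advisory above describes the bug in terms of the project's wrapMetrics middleware and the allowlist that fixes it. The following is an added example that is not code from the sigstore/timestamp-authority repository: it builds a minimal stand-in for a Prometheus CounterVec (a map keyed by the (method, path) label pair, never evicted, which is the property that matters), wraps a net/http mux with a pre-fix-shaped middleware that labels on raw r.Method and r.URL.Path, and beside it the hardened version that normalizes anything outside the advisory's allowlist of paths (/ping, /api/v1/timestamp, /api/v1/timestamp/certchain) and methods (GET, POST, HEAD, OPTIONS) to the static string "unrecognized". The requestCounter, vulnerableMetrics, hardenedMetrics and simulate names are this example's own; the attacker traffic (unique paths under /api/v1/timestamp/ and invented method names) is constructed here to show the cardinality difference and is not taken from any real capture.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

// requestCounter is a stand-in for a Prometheus CounterVec with labels
// (method, path): one map entry per distinct label pair, never evicted.
// A real Prometheus metric vector keeps a permanent time series per label
// combination in the same way, which is what turns attacker-controlled
// label values into a memory-exhaustion problem.
type requestCounter struct {
	mu     sync.Mutex
	series map[[2]string]int
}

func newRequestCounter() *requestCounter {
	return &requestCounter{series: make(map[[2]string]int)}
}

func (c *requestCounter) inc(method, path string) {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.series[[2]string{method, path}]++
}

// Cardinality returns the number of distinct (method, path) series held in memory.
func (c *requestCounter) Cardinality() int {
	c.mu.Lock()
	defer c.mu.Unlock()
	return len(c.series)
}

// vulnerableMetrics mirrors the pre-fix shape: the raw request method and
// path become label values for every request, whether or not a route matches.
func vulnerableMetrics(c *requestCounter, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c.inc(r.Method, r.URL.Path)
		next.ServeHTTP(w, r)
	})
}

// Allowlists as described in the advisory's Patches section.
var allowedPaths = map[string]bool{
	"/ping":                       true,
	"/api/v1/timestamp":           true,
	"/api/v1/timestamp/certchain": true,
}

var allowedMethods = map[string]bool{"GET": true, "POST": true, "HEAD": true, "OPTIONS": true}

const unrecognized = "unrecognized"

// normalizeLabels collapses any method or path outside the allowlist to one
// static value, bounding the label space at (paths+1) * (methods+1) series.
func normalizeLabels(method, path string) (string, string) {
	if !allowedMethods[method] {
		method = unrecognized
	}
	if !allowedPaths[path] {
		path = unrecognized
	}
	return method, path
}

// hardenedMetrics is the same middleware with label normalization applied.
func hardenedMetrics(c *requestCounter, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		m, p := normalizeLabels(r.Method, r.URL.Path)
		c.inc(m, p)
		next.ServeHTTP(w, r)
	})
}

// simulate sends n attacker requests, each with a unique path and a unique
// (syntactically valid but meaningless) method, through the given middleware,
// followed by one legitimate GET /ping, and returns the resulting series count.
func simulate(mw func(*requestCounter, http.Handler) http.Handler, n int) int {
	c := newRequestCounter()
	mux := http.NewServeMux()
	mux.HandleFunc("/ping", func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) })
	h := mw(c, mux)
	for i := 0; i < n; i++ {
		// Constructed attacker traffic: unmatched path (404) and an invented method.
		path := fmt.Sprintf("/api/v1/timestamp/%08x", i)
		method := fmt.Sprintf("M%d", i)
		h.ServeHTTP(httptest.NewRecorder(), httptest.NewRequest(method, path, nil))
	}
	h.ServeHTTP(httptest.NewRecorder(), httptest.NewRequest("GET", "/ping", nil))
	return c.Cardinality()
}

func main() {
	fmt.Println("vulnerable series:", simulate(vulnerableMetrics, 10000)) // grows with every request
	fmt.Println("hardened series:  ", simulate(hardenedMetrics, 10000))   // stays bounded
}
```

With 10,000 attacker requests the vulnerable middleware holds 10,001 series (one per request plus the legitimate GET /ping), while the hardened one holds 2: ("unrecognized", "unrecognized") and ("GET", "/ping"). Normalizing the method as well as the path matters because the method is equally attacker-controlled; an allowlist on paths alone would still leave an unbounded label.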

@crossplane-renovate crossplane-renovate Bot requested review from a team, jcogilvie and tampakrap as code owners on July 1, 2026 09:05
@crossplane-renovate crossplane-renovate Bot requested review from bobh66 and removed request for a team on July 1, 2026 09:05
@crossplane-renovate crossplane-renovate Bot force-pushed the renovate/main-go-github.com-sigstore-timestamp-authority-v2-vulnerability branch from 35d89ab to 43b1347 on July 2, 2026 09:03
@crossplane-renovate

Contributor Author

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 15 additional dependencies were updated

Details:

Package Change
github.com/aws/aws-sdk-go-v2 v1.41.6 -> v1.41.7
github.com/aws/aws-sdk-go-v2/config v1.32.14 -> v1.32.17
github.com/aws/aws-sdk-go-v2/credentials v1.19.14 -> v1.19.16
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.21 -> v1.18.23
github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.22 -> v1.4.23
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.22 -> v2.7.23
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.7 -> v1.13.9
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.21 -> v1.13.23
github.com/aws/aws-sdk-go-v2/service/signin v1.0.9 -> v1.0.11
github.com/aws/aws-sdk-go-v2/service/sso v1.30.15 -> v1.30.17
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.19 -> v1.35.21
github.com/aws/aws-sdk-go-v2/service/sts v1.41.10 -> v1.42.1
github.com/aws/smithy-go v1.25.0 -> v1.25.1
github.com/go-openapi/jsonpointer v0.22.5 -> v0.23.1
github.com/go-openapi/runtime v0.29.4 -> v0.31.0
