golang-github-sigstore-fulcio - Debian Package Tracker

A new upstream version is available: 1.8.3 high

A new upstream version 1.8.3 is available, you should consider packaging it.

Created: 2025-11-27 Last update: 2025-12-10 22:31

1 security issue in sid high

1 important issue:

CVE-2025-66506: Fulcio is a free-to-use certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity. Prior to 1.8.3, function identity.extractIssuerURL splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request with an (invalid) OIDC identity token in the payload containing many period characters, a call to extractIssuerURL incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. This vulnerability is fixed in 1.8.3.

Created: 2025-12-06 Last update: 2025-12-07 19:00

1 security issue in forky high

1 important issue:

CVE-2025-66506: Fulcio is a free-to-use certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity. Prior to 1.8.3, function identity.extractIssuerURL splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request with an (invalid) OIDC identity token in the payload containing many period characters, a call to extractIssuerURL incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. This vulnerability is fixed in 1.8.3.

Created: 2025-12-06 Last update: 2025-12-07 19:00

1 low-priority security issue in trixie low

1 issue left for the package maintainer to handle:

CVE-2025-66506: (needs triaging) Fulcio is a free-to-use certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity. Prior to 1.8.3, function identity.extractIssuerURL splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request with an (invalid) OIDC identity token in the payload containing many period characters, a call to extractIssuerURL incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. This vulnerability is fixed in 1.8.3.

You can find information about how to handle this issue in the security team's documentation.

Created: 2025-12-06 Last update: 2025-12-07 19:00