Your message dated Fri, 20 Mar 2026 21:49:35 +0000
with message-id <[email protected]>
and subject line Bug#1122059: fixed in golang-github-sigstore-fulcio 1.8.5-1
has caused the Debian Bug report #1122059,
regarding golang-github-sigstore-fulcio: CVE-2025-66506
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1122059: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1122059
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: golang-github-sigstore-fulcio
Version: 1.7.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for golang-github-sigstore-fulcio.

CVE-2025-66506[0]:
| Fulcio is a free-to-use certificate authority for issuing code
| signing certificates for an OpenID Connect (OIDC) identity. Prior to
| 1.8.3, function identity.extractIssuerURL splits (via a call to
| strings.Split) its argument (which is untrusted data) on periods. As
| a result, in the face of a malicious request with an (invalid) OIDC
| identity token in the payload containing many period characters, a
| call to extractIssuerURL incurs allocations to the tune of O(n)
| bytes (where n stands for the length of the function's argument),
| with a constant factor of about 16. This vulnerability is fixed in
| 1.8.3.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-66506
    https://www.cve.org/CVERecord?id=CVE-2025-66506
[1] https://github.com/sigstore/fulcio/security/advisories/GHSA-f83f-xpx7-ffpw
[2] https://github.com/sigstore/fulcio/commit/765a0e57608b9ef390e1eeeea8595b9054c63a5a

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
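The advisory quoted above describes an allocation-amplification bug: strings.Split on untrusted token data allocates one slice entry per period before the result is ever validated, so a request body that is nothing but periods costs the server O(n) memory per call. The following Go program is an added illustration, not Fulcio's code and not the upstream fix. The function names (splitTokenUnbounded, splitTokenBounded, splitCost), the 3-segment JWT assumption, the length cap, and the sample inputs are all constructed for this example; the bounded variant is one reasonable mitigation (cap length, count delimiters without allocating, then SplitN), shown to contrast with the pattern the advisory names.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"unsafe"
)

// A JWT is header.payload.signature: exactly three segments, two periods.
const jwtSegments = 3

// errMalformedToken is returned for anything that is not header.payload.signature.
var errMalformedToken = errors.New("malformed token: expected header.payload.signature")

// splitTokenUnbounded reproduces the pattern the advisory describes (hypothetical
// reconstruction, not Fulcio's code): strings.Split on untrusted input allocates
// one slice entry per period *before* the segment count is checked, so an input
// of n periods costs O(n) memory even though it is rejected one line later.
func splitTokenUnbounded(token string) ([]string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != jwtSegments {
		return nil, errMalformedToken
	}
	return parts, nil
}

// splitCost returns the bytes of string headers strings.Split allocates for
// token: one header per segment, 16 bytes each on 64-bit platforms, which is the
// "constant factor of about 16" in the advisory. The call allocates to measure.
func splitCost(token string) int {
	return len(strings.Split(token, ".")) * int(unsafe.Sizeof(""))
}

// splitTokenBounded is one mitigation (an assumption here, not necessarily the
// upstream fix): cap the input length, count delimiters without allocating, and
// only then split with an upper bound on the number of pieces.
func splitTokenBounded(token string, maxLen int) ([]string, error) {
	if len(token) > maxLen {
		return nil, fmt.Errorf("token too long: %d bytes > %d", len(token), maxLen)
	}
	// strings.Count walks the string once and allocates nothing.
	if strings.Count(token, ".") != jwtSegments-1 {
		return nil, errMalformedToken
	}
	// SplitN returns at most jwtSegments pieces whatever the input contains.
	parts := strings.SplitN(token, ".", jwtSegments)
	for _, p := range parts {
		if p == "" {
			return nil, errMalformedToken
		}
	}
	return parts, nil
}

func main() {
	// Constructed attacker input: 1 MiB of periods, no valid segments at all.
	junk := strings.Repeat(".", 1<<20)
	fmt.Printf("unbounded split of %d periods allocates ~%d bytes of headers\n",
		len(junk), splitCost(junk))
	if _, err := splitTokenUnbounded(junk); err != nil {
		fmt.Println("unbounded:", err, "(rejected, but only after allocating)")
	}
	if _, err := splitTokenBounded(junk, 16<<10); err != nil {
		fmt.Println("bounded:  ", err, "(rejected before any allocation)")
	}
	// Constructed well-formed token shape (not a real credential).
	parts, _ := splitTokenBounded("eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL2lzc3Vlci5leGFtcGxlIn0.c2ln", 16<<10)
	fmt.Println("bounded on a well-formed token:", len(parts), "segments")
}
```

The point of ordering the checks this way is that every rejection path in splitTokenBounded runs in constant memory: the length cap bounds the work, strings.Count touches no heap, and SplitN's limit means even a token that passes both checks can never produce more than three entries. The time cost is still linear in the input, which is acceptable once the input size is capped; the advisory's concern is the unbounded allocation, not the scan.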
--- Begin Message ---
Source: golang-github-sigstore-fulcio
Source-Version: 1.8.5-1
Done: Simon Josefsson <[email protected]>

We believe that the bug you reported is fixed in the latest version of
golang-github-sigstore-fulcio, which is due to be installed in the Debian FTP 
archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon Josefsson <[email protected]> (supplier of updated 
golang-github-sigstore-fulcio package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 20 Mar 2026 20:57:16 +0100
Source: golang-github-sigstore-fulcio
Architecture: source
Version: 1.8.5-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <[email protected]>
Changed-By: Simon Josefsson <[email protected]>
Closes: 1122059 1126750
Changes:
 golang-github-sigstore-fulcio (1.8.5-1) unstable; urgency=medium
 .
   * Team upload
   * New upstream release
     - Fix CVE-2025-66506 (Closes: #1122059)
     - Fix CVE-2026-22772 (Closes: #1126750)
   * Use gbp sign-tags and upstream-vcs-tag
   * Drop Priority: optional
   * Standards-Version: 4.7.3
   * Bump debian/* copyright years
   * Bump upstream copyright years debian/copyright
Checksums-Sha1:
 539fbfbcce97b79b6ee7c32db129c35e295688f3 2724 golang-github-sigstore-fulcio_1.8.5-1.dsc
 2f854c1e4de5dd43afab98cade80c64d5591374b 988520 golang-github-sigstore-fulcio_1.8.5.orig.tar.xz
 69d1c93142414f351a49e41297fe057ab2933ae4 3080 golang-github-sigstore-fulcio_1.8.5-1.debian.tar.xz
 32c61d1ac4d143e675424c39e5742087c4f79120 1497128 golang-github-sigstore-fulcio_1.8.5-1.git.tar.xz
 ffc8c261d9db5185e2df77b419a6afc642e95a9c 17419 golang-github-sigstore-fulcio_1.8.5-1_source.buildinfo
Checksums-Sha256:
 f258ac717fb2213153be9040fab6dd7c9d423e0e30e98f506caa41ae3c597b55 2724 golang-github-sigstore-fulcio_1.8.5-1.dsc
 53d3c0165629055d3f9389d43f66495044f739078e6dff4bfe9c2d5b5f664fdb 988520 golang-github-sigstore-fulcio_1.8.5.orig.tar.xz
 4f495d095e9ec15a162a1c7b9a05cf83eb90817e090087425605a3fb0bf813b4 3080 golang-github-sigstore-fulcio_1.8.5-1.debian.tar.xz
 b3b2bf0c86072c90e3f7a327f8e06ad7962a0591f63a9c66ca0400134f54ea92 1497128 golang-github-sigstore-fulcio_1.8.5-1.git.tar.xz
 b4b412ed1cf491002a6f6b6f1030b115f640aa01b796a2e4286aa4726dfc8e4f 17419 golang-github-sigstore-fulcio_1.8.5-1_source.buildinfo
Files:
 218beca7e858a0d22734680ebe8aa448 2724 golang optional golang-github-sigstore-fulcio_1.8.5-1.dsc
 5d757daa5d0377e72f4b8df45f0d29c0 988520 golang optional golang-github-sigstore-fulcio_1.8.5.orig.tar.xz
 5c28e8a2d08a04a2b810469bc9da7616 3080 golang optional golang-github-sigstore-fulcio_1.8.5-1.debian.tar.xz
 49169078742b3d6926f5962f151d7fe2 1497128 golang None golang-github-sigstore-fulcio_1.8.5-1.git.tar.xz
 dca1211cf8aaa8949aaa23388a8ffd6e 17419 golang optional golang-github-sigstore-fulcio_1.8.5-1_source.buildinfo
Git-Tag-Info: tag=436886287cea8d9895b01d28592a36fda8c5c034 fp=a3cc9c870b9d310abad4cf2f51722b08fe4745a2
Git-Tag-Tagger: Simon Josefsson <[email protected]>

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEN02M5NuW6cvUwJcqYG0ITkaDwHkFAmm9vgIACgkQYG0ITkaD
wHm2pg/+NKUWKB6Sl9OmsaoZ2zAoMTrOtlyCoDmdI1AXpV+FiODtpd81VTesy7/X
how9RyivpBbS2Jlzkf0+geTF1sHX6hAbVxXumvYHfwajtf+5rnwkFXz/IMYp8A4b
hgU/GBBBc2HIjbcTW+JWk1z4a01ffn5Ah4i7RGOGIGv2R0Wjzxj0/yz5nS4gUney
ML+rvsm7oxgAxTaagWVdFTySrAbqbNkX8TwYAp1x5lrYOVkzeE6QAqoSDPBgVeJH
xHGLtRV6J5xraFHNqgGZ60tBfWzlzfpWZnqBm2t+ryETSgOaBCPFKViybRMxMQc7
qHy9uTxFyE4l5TfGbTt/kmNl/x9Wx+OHY8cz4eE6zeDncW53UQiGah6tHYB7LY/q
NttAv6jL8deGn3BtbGVx8fYTzrngzrJ5+zXuZf8k6JazPMiX3ZsQ02UfZeUwhf9A
6AjyUGYc62ht2b29fTS5pxnrSyA2BHvMXMPPIW6e5fZo9JUFfa2DEegErUyhSCmD
eC2j2k42uBrNgccXlynXDgwE4EanREXvKPulySA5vkLl5glrP6oo2hmQHBPYh7za
HXjsgBVO9ISZP1c6l2YpFLffeaczNOI8QUzKwLmUM10arENObcgD7aH5ov0GRF2e
7SgKAxygHZICWUNrNnYDX7ujZClbsFj0sKMaOw1W3Yw7eJb8GhA=
=nbjA
-----END PGP SIGNATURE-----


--- End Message ---