Source: golang-github-sigstore-fulcio Version: 1.7.1-1 Severity: important Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerability was published for golang-github-sigstore-fulcio. CVE-2025-66506[0]: | Fulcio is a free-to-use certificate authority for issuing code | signing certificates for an OpenID Connect (OIDC) identity. Prior to | 1.8.3, function identity.extractIssuerURL splits (via a call to | strings.Split) its argument (which is untrusted data) on periods. As | a result, in the face of a malicious request with an (invalid) OIDC | identity token in the payload containing many period characters, a | call to extractIssuerURL incurs allocations to the tune of O(n) | bytes (where n stands for the length of the function's argument), | with a constant factor of about 16. This vulnerability is fixed in | 1.8.3. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2025-66506 https://www.cve.org/CVERecord?id=CVE-2025-66506 [1] https://github.com/sigstore/fulcio/security/advisories/GHSA-f83f-xpx7-ffpw [2] https://github.com/sigstore/fulcio/commit/765a0e57608b9ef390e1eeeea8595b9054c63a5a Please adjust the affected versions in the BTS as needed. Regards, Salvatore
