chore(deps): update module github.com/sigstore/timestamp-authority/v2 to v2.0.6 [security] (main)#949

Merged
phisco merged 1 commit intomainfrom
renovate/main-go-github.com-sigstore-timestamp-authority-v2-vulnerability
Apr 15, 2026

Conversation


@crossplane-renovate crossplane-renovate Bot commented Apr 15, 2026

This PR contains the following updates:

Package: github.com/sigstore/timestamp-authority/v2
Change: v2.0.5 -> v2.0.6

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2026-39984

Authorization bypass via certificate bag manipulation in sigstore/timestamp-authority verifier

An authorization bypass vulnerability exists in the sigstore/timestamp-authority verifier (timestamp-authority/v2/pkg/verification): the VerifyTimestampResponse function correctly verifies the certificate chain, but when the TSA-specific constraints are verified in VerifyLeafCert, the first non-CA certificate from the PKCS#7 certificate bag is used instead of the leaf certificate from the certificate chain. An attacker can exploit this by prepending a forged certificate to the certificate bag while the message is signed with an authorized key. The library validates the signature using one certificate but performs the authorization checks on another, allowing an attacker to bypass some authorization controls.

This vulnerability does not apply to the timestamp-authority service, only to users of the timestamp-authority/v2/pkg/verification package.

This vulnerability does not apply to sigstore-go even though it is a user of timestamp-authority/v2/pkg/verification: providing the TSACertificate option to VerifyTimestampResponse fully mitigates the issue.

Patches

The issue will be fixed in timestamp-authority 2.0.6

Workarounds

Users of VerifyTimestampResponse can use the TSACertificate option to specify the exact certificate they expect to be used: this fully mitigates the issue.

References

This issue was found after reading CVE-2026-33753 / GHSA-3xxc-pwj6-jgrj (originally reported by @Jaynornj and @Pr00fOf3xpl0it)

Severity
  • CVSS Score: 5.5 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Sigstore Timestamp Authority has Improper Certificate Validation in verifier

CVE-2026-39984 / GHSA-xm5m-wgh2-rrg3


References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

sigstore/timestamp-authority (github.com/sigstore/timestamp-authority/v2)

v2.0.6

Compare Source

What's Changed

Full Changelog: sigstore/timestamp-authority@v2.0.5...v2.0.6


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.
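The mismatch the advisory above describes (chain verified from the signing certificate, leaf constraints evaluated on the first non-CA certificate in the bag) reduces to a small verifier-side modelling exercise. The following is an added example, stand-alone Go using only the standard library; it is not code from timestamp-authority, sigstore-go or this PR. VerifyFlawed, VerifyFixed, the helper mkCert, the CommonName constraint and the certificate names "tsa-a", "tsa-b" and "example-root" are constructed for illustration, and signature verification is represented only by the choice of which certificate the chain is built from. The pinned-certificate branch of VerifyFixed plays the role the advisory assigns to the TSACertificate option.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

var serial int64 // distinct serial numbers for the constructed certificates

// mkCert issues a certificate with the given CN, signed by parent (self-signed when parent is nil).
// Helper for this constructed example, not part of the timestamp-authority API.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageTimeStamping},
	}
	if isCA {
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign, nil
	}
	issuer, issuerKey := tmpl, key
	if parent != nil {
		issuer, issuerKey = parent, parentKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey))
	return must(x509.ParseCertificate(der)), key
}

// chainFor verifies the chain from the certificate whose key produced the signature; the bag's
// CA certificates serve as intermediates. chain[0] is always that signing certificate.
func chainFor(signer *x509.Certificate, bag []*x509.Certificate, roots *x509.CertPool) ([]*x509.Certificate, error) {
	inter := x509.NewCertPool()
	for _, c := range bag {
		if c.IsCA {
			inter.AddCert(c)
		}
	}
	chains, err := signer.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageTimeStamping}})
	if err != nil {
		return nil, err
	}
	return chains[0], nil
}

// expectCN stands in for the TSA-specific leaf constraints (a CommonName check is enough here).
func expectCN(leaf *x509.Certificate, cn string) error {
	if leaf.Subject.CommonName != cn {
		return fmt.Errorf("leaf CN %q, expected %q", leaf.Subject.CommonName, cn)
	}
	return nil
}

// VerifyFlawed models the pre-2.0.6 pattern: chain verified from the signer, constraint applied
// to the first non-CA certificate in the bag, which need not be the signer at all.
func VerifyFlawed(signer *x509.Certificate, bag []*x509.Certificate, roots *x509.CertPool, cn string) error {
	if _, err := chainFor(signer, bag, roots); err != nil {
		return err
	}
	for _, c := range bag {
		if !c.IsCA {
			return expectCN(c, cn)
		}
	}
	return errors.New("no leaf certificate in bag")
}

// VerifyFixed applies the constraint to the verified chain's own leaf and, when pinned is set,
// additionally requires that leaf to be the expected TSA certificate.
func VerifyFixed(signer *x509.Certificate, bag []*x509.Certificate, roots *x509.CertPool, cn string, pinned *x509.Certificate) error {
	chain, err := chainFor(signer, bag, roots)
	if err != nil {
		return err
	}
	if pinned != nil && !chain[0].Equal(pinned) {
		return errors.New("signing certificate is not the pinned TSA certificate")
	}
	return expectCN(chain[0], cn)
}

// Scenario is the advisory's situation, constructed locally: the signing key's certificate chains
// to the trusted root but carries CN "tsa-b"; an unrelated self-signed certificate with the
// expected CN "tsa-a" sits first in the bag. HonestBag is the well-formed case for comparison.
type Scenario struct {
	Honest, Signer *x509.Certificate
	HonestBag, Bag []*x509.Certificate
	Roots          *x509.CertPool
}

func NewScenario() Scenario {
	root, rootKey := mkCert("example-root", true, nil, nil)
	honest, _ := mkCert("tsa-a", false, root, rootKey)
	signer, _ := mkCert("tsa-b", false, root, rootKey)
	stray, _ := mkCert("tsa-a", false, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	return Scenario{honest, signer, []*x509.Certificate{honest, root}, []*x509.Certificate{stray, signer, root}, roots}
}

func main() {
	s := NewScenario()
	fmt.Println("flawed:", VerifyFlawed(s.Signer, s.Bag, s.Roots, "tsa-a"))       // <nil>: mismatch unnoticed
	fmt.Println("fixed: ", VerifyFixed(s.Signer, s.Bag, s.Roots, "tsa-a", nil))   // error: leaf CN "tsa-b"
	fmt.Println("honest:", VerifyFixed(s.Honest, s.HonestBag, s.Roots, "tsa-a", s.Honest)) // <nil>
}
```

The design point is that any property checked on "the leaf" must be read from the same certificate object that the chain (and the signature) was verified against, never re-selected from the untrusted bag. Pinning an expected certificate, as the TSACertificate option does, closes the gap independently of how the leaf is located.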

@crossplane-renovate crossplane-renovate Bot requested a review from a team as a code owner April 15, 2026 09:16
@crossplane-renovate crossplane-renovate Bot requested a review from adamwg April 15, 2026 09:16

crossplane-renovate Bot commented Apr 15, 2026

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 22 additional dependencies were updated

Details:

Package Change
github.com/sigstore/sigstore v1.10.4 -> v1.10.5
golang.org/x/time v0.14.0 -> v0.15.0
github.com/aws/aws-sdk-go-v2 v1.41.2 -> v1.41.4
github.com/aws/aws-sdk-go-v2/config v1.32.10 -> v1.32.12
github.com/aws/aws-sdk-go-v2/credentials v1.19.10 -> v1.19.12
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.18 -> v1.18.20
github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.18 -> v1.4.20
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.18 -> v2.7.20
github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 -> v1.8.6
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.5 -> v1.13.7
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.18 -> v1.13.20
github.com/aws/aws-sdk-go-v2/service/signin v1.0.6 -> v1.0.8
github.com/aws/aws-sdk-go-v2/service/sso v1.30.11 -> v1.30.13
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.15 -> v1.35.17
github.com/aws/aws-sdk-go-v2/service/sts v1.41.7 -> v1.41.9
github.com/aws/smithy-go v1.24.1 -> v1.24.2
github.com/go-openapi/strfmt v0.26.0 -> v0.26.1
go.opentelemetry.io/otel v1.41.0 -> v1.42.0
go.opentelemetry.io/otel/metric v1.41.0 -> v1.42.0
go.opentelemetry.io/otel/trace v1.41.0 -> v1.42.0
google.golang.org/genproto/googleapis/api v0.0.0-20260203192932-546029d2fa20 -> v0.0.0-20260316180232-0b37fe3546d5
google.golang.org/genproto/googleapis/rpc v0.0.0-20260217215200-42d3e9bedb6d -> v0.0.0-20260316180232-0b37fe3546d5

@crossplane-renovate crossplane-renovate Bot force-pushed the renovate/main-go-github.com-sigstore-timestamp-authority-v2-vulnerability branch from 401c505 to 689df72 April 15, 2026 09:38
@phisco phisco merged commit a6564dd into main Apr 15, 2026
9 checks passed
@crossplane-renovate crossplane-renovate Bot deleted the renovate/main-go-github.com-sigstore-timestamp-authority-v2-vulnerability branch April 16, 2026 08:36