You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Description:
notation-go is a collection of libraries for supporting Notation sign, verify, push, pull of oci artifacts. Prior to version 1.0.0-rc.3, notation-go users will find their application using excessive memory when verifying signatures and the application will be finally killed, and thus availability is impacted. The problem has been patched in the release v1.0.0-rc.3. Some workarounds are available. Users can review their own trust policy file and check if the identity string contains =#. Meanwhile, users should only put trusted certificates in their trust stores referenced by their own trust policy files, and make sure the authenticity validation is set to enforce.
Cross references:
No existing reports found with this module or alias.
See doc/triage.md for instructions on how to triage this report.
modules:
- module: github.com/notaryproject/notation-go
packages:
- package: notation-go
description: |
notation-go is a collection of libraries for supporting Notation sign, verify, push, pull of oci artifacts. Prior to version 1.0.0-rc.3, notation-go users will find their application using excessive memory when verifying signatures and the application will be finally killed, and thus availability is impacted. The problem has been patched in the release v1.0.0-rc.3. Some workarounds are available. Users can review their own trust policy file and check if the identity string contains `=#`. Meanwhile, users should only put trusted certificates in their trust stores referenced by their own trust policy files, and make sure the `authenticity` validation is set to `enforce`.
cves:
- CVE-2023-25656
references:
- advisory: https://github.com/notaryproject/notation-go/security/advisories/GHSA-87x9-7grx-m28v
- web: https://github.com/notaryproject/notation-go/releases/tag/v1.0.0-rc.3
The text was updated successfully, but these errors were encountered:
CVE-2023-25656 references github.com/notaryproject/notation-go, which may be a Go module.
Description:
notation-go is a collection of libraries for supporting Notation sign, verify, push, pull of oci artifacts. Prior to version 1.0.0-rc.3, notation-go users will find their application using excessive memory when verifying signatures and the application will be finally killed, and thus availability is impacted. The problem has been patched in the release v1.0.0-rc.3. Some workarounds are available. Users can review their own trust policy file and check if the identity string contains
=#
. Meanwhile, users should only put trusted certificates in their trust stores referenced by their own trust policy files, and make sure theauthenticity
validation is set toenforce
.References:
Cross references:
No existing reports found with this module or alias.
See doc/triage.md for instructions on how to triage this report.
The text was updated successfully, but these errors were encountered: