Skip to content

update(deps): update module github.com/sigstore/rekor to v1.5.0 [security] #161

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
CodesphereBot wants to merge 1 commit into
base: main
Choose a base branch
from
Open

update(deps): update module github.com/sigstore/rekor to v1.5.0 [security] #161

CodesphereBot wants to merge 1 commit into from

Conversation

@CodesphereBot
Copy link
Collaborator

@CodesphereBot CodesphereBot commented Jan 22, 2026

This PR contains the following updates:

Package Change Age Confidence
github.com/sigstore/rekor v1.4.3 -> v1.5.0 age confidence

GitHub Vulnerability Alerts

CVE-2026-23831

Summary

Rekor’s cose v0.0.1 entry implementation can panic on attacker-controlled input when canonicalizing a proposed entry with an empty spec.message. validate() returns nil (success) when message is empty, leaving sign1Msg uninitialized, and Canonicalize() later dereferences v.sign1Msg.Payload.

Impact

A malformed proposed entry of the cose/v0.0.1 type can cause a panic on a thread within the Rekor process. The thread is recovered so the client receives a 500 error message and service still continues, so the availability impact of this is minimal.

Patches

Upgrade to v1.5.0

Workarounds

None

CVE-2026-24117

Summary

/api/v1/index/retrieve supports retrieving a public key via a user-provided URL, allowing attackers to trigger SSRF to arbitrary internal services.

Since the SSRF only can trigger GET requests, the request cannot mutate state. The response from the GET request is not returned to the caller so data exfiltration is not possible. A malicious actor could attempt to probe an internal network through Blind SSRF.

Impact

  • SSRF to cloud metadata (169.254.169.254)
  • SSRF to internal Kubernetes APIs
  • SSRF to any service accessible from Fulcio's network

Patches

Upgrade to v1.5.0. Note that this is a breaking change to the search API and fully disables lookups by URL. If you require this feature, please reach out and we can discuss alternatives.

Workarounds

Disable the search endpoint with --enable_retrieve_api=false.

Release Notes

sigstore/rekor (github.com/sigstore/rekor)

v1.5.0

Compare Source

This release fixes GHSA-273p-m2cw-6833 and GHSA-4c4x-jm2x-pf9j. Note that this
drops support for fetching public keys via URL when querying the search API.

Vulnerability Fixes

  • Handle malformed COSE and DSSE entries (#​2729)
  • Drop support for fetching public keys by URL in the search index (#​2731)

Features

  • Add support for a custom TLS config for clients (#​2709)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@CodesphereBot