Your message dated Thu, 11 Dec 2025 08:49:53 +0000
with message-id <[email protected]>
and subject line Bug#1122060: fixed in
golang-github-sigstore-timestamp-authority 2.0.3-1
has caused the Debian Bug report #1122060,
regarding golang-github-sigstore-timestamp-authority: CVE-2025-66564
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1122060: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1122060
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: golang-github-sigstore-timestamp-authority
Version: 1.2.9-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for
golang-github-sigstore-timestamp-authority.
CVE-2025-66564[0]:
| Sigstore Timestamp Authority is a service for issuing RFC 3161
| timestamps. Prior to 2.0.3, Function api.ParseJSONRequest currently
| splits (via a call to strings.Split) an optionally-provided OID
| (which is untrusted data) on periods. Similarly, function
| api.getContentType splits the Content-Type header (which is also
| untrusted data) on an application string. As a result, in the face
| of a malicious request with either an excessively long OID in the
| payload containing many period characters or a malformed
| Content-Type header, a call to api.ParseJSONRequest or api.getContentType
| incurs allocations of O(n) bytes (where n stands for the length of
| the function's argument). This vulnerability is fixed in 2.0.3.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-66564
    https://www.cve.org/CVERecord?id=CVE-2025-66564
[1] https://github.com/sigstore/timestamp-authority/security/advisories/GHSA-4qg8-fj49-pxjh
[2] https://github.com/sigstore/timestamp-authority/commit/0cae34e197d685a14904e0bad135b89d13b69421
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
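The allocation pattern the bug report above quotes (strings.Split over an untrusted OID, and the same unbounded split of the Content-Type header) placed beside a bounded parser, as an added example in Go. This is not the timestamp-authority project's code and not its 2.0.3 fix; the limits (128-byte OID, 32 arcs, 256-byte header), the function names and the sample inputs are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"mime"
	"strconv"
	"strings"
)

// Bounds chosen for this example (assumptions, not upstream constants): RFC 3161
// policy OIDs are a few short arcs, so tight limits reject nothing legitimate.
const (
	maxOIDLen         = 128       // raw OID bytes accepted before any parsing
	maxOIDArcs        = 32        // dot-separated arcs accepted
	maxArc            = 1<<31 - 1 // per-arc value cap, keeps the arithmetic overflow-free
	maxContentTypeLen = 256       // Content-Type header bytes examined
)

// parseOIDUnbounded has the vulnerable shape the CVE text describes: strings.Split
// runs before any validation and allocates one string header per period, so a
// payload of n periods costs O(n) bytes before the first arc is even looked at.
func parseOIDUnbounded(s string) ([]int, error) {
	parts := strings.Split(s, ".")
	oid := make([]int, 0, len(parts))
	for _, p := range parts {
		v, err := strconv.Atoi(p)
		if err != nil {
			return nil, fmt.Errorf("invalid arc %q: %w", p, err)
		}
		oid = append(oid, v)
	}
	return oid, nil
}

// parseOIDBounded rejects oversized input before allocating, then scans the bytes
// once into a fixed-capacity slice, so memory is bounded by maxOIDArcs however many
// periods the attacker sends. Empty arcs, leading zeros, non-digit bytes and
// oversized arc values are rejected during the same pass.
func parseOIDBounded(s string) ([]int, error) {
	if len(s) > maxOIDLen {
		return nil, fmt.Errorf("OID too long: %d bytes > %d", len(s), maxOIDLen)
	}
	oid := make([]int, 0, maxOIDArcs)
	arc, digits := 0, 0
	for i := 0; i <= len(s); i++ {
		c := byte('.') // end of input closes the final arc exactly like a period
		if i < len(s) {
			c = s[i]
		}
		switch {
		case c >= '0' && c <= '9':
			if digits == 0 && c == '0' && i+1 < len(s) && s[i+1] != '.' {
				return nil, fmt.Errorf("leading zero at offset %d", i)
			}
			d := int(c - '0')
			if arc > (maxArc-d)/10 {
				return nil, fmt.Errorf("arc value exceeds %d", maxArc)
			}
			arc = arc*10 + d
			digits++
		case c == '.':
			if digits == 0 {
				return nil, fmt.Errorf("empty arc at offset %d", i)
			}
			if len(oid) == maxOIDArcs {
				return nil, fmt.Errorf("more than %d arcs", maxOIDArcs)
			}
			oid = append(oid, arc)
			arc, digits = 0, 0
		default:
			return nil, fmt.Errorf("invalid byte %q at offset %d", c, i)
		}
	}
	if len(oid) < 2 {
		return nil, fmt.Errorf("OID needs at least two arcs")
	}
	return oid, nil
}

// isJSONContentType applies the same rule to the header: bound the input first, then
// let the standard MIME parser decide instead of splitting the raw header string.
func isJSONContentType(h string) bool {
	if len(h) > maxContentTypeLen {
		return false
	}
	mt, _, err := mime.ParseMediaType(h)
	return err == nil && mt == "application/json"
}

func main() {
	// Constructed inputs: one well-formed OID and two attacker-shaped strings.
	for _, in := range []string{"1.2.840.113549.1.1.11", strings.Repeat(".", 10000), strings.Repeat("1.", 60) + "1"} {
		_, uerr := parseOIDUnbounded(in)
		oid, berr := parseOIDBounded(in)
		fmt.Printf("len=%5d split-headers=%5d unbounded-ok=%v bounded=%v err=%v\n",
			len(in), strings.Count(in, ".")+1, uerr == nil, oid, berr)
	}
	fmt.Println(isJSONContentType("application/json; charset=utf-8"),
		isJSONContentType(strings.Repeat("application/", 100)))
}
```

The point of the ordering in parseOIDBounded is that the length check runs before any allocation: strings.Split on a string of n periods returns n+1 string headers (16 bytes each on 64-bit Go) regardless of whether a single arc is valid, whereas the single-pass scanner never holds more than maxOIDArcs integers. The third sample input is the case a length cap alone misses: it fits in 128 bytes but carries 61 arcs, so the arc bound, not the byte bound, is what rejects it.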
--- Begin Message ---
Source: golang-github-sigstore-timestamp-authority
Source-Version: 2.0.3-1
Done: Simon Josefsson <[email protected]>
We believe that the bug you reported is fixed in the latest version of
golang-github-sigstore-timestamp-authority, which is due to be installed in the
Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon Josefsson <[email protected]> (supplier of updated
golang-github-sigstore-timestamp-authority package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 11 Dec 2025 09:17:35 +0100
Source: golang-github-sigstore-timestamp-authority
Architecture: source
Version: 2.0.3-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <[email protected]>
Changed-By: Simon Josefsson <[email protected]>
Closes: 1122060
Changes:
golang-github-sigstore-timestamp-authority (2.0.3-1) unstable; urgency=medium
.
* Drop d/.gitignore
* New upstream version 2.0.3
- Fix JSON OID parsing CVE-2025-66564 (Closes: #1122060)
* Work around goodkey issue
Checksums-Sha1:
da84aff5a8b1c602b1a2cdc1106444fdfb3b91ee 3616
golang-github-sigstore-timestamp-authority_2.0.3-1.dsc
cfd80c52b1eebef4c025c01803c3b2e42d028eec 108252
golang-github-sigstore-timestamp-authority_2.0.3.orig.tar.xz
d3c2c4613ad4bac59595210d8d341a247cc899c7 3708
golang-github-sigstore-timestamp-authority_2.0.3-1.debian.tar.xz
fbdf07af5c98ce80d3d3a721a6f68f5fae5f310a 360132
golang-github-sigstore-timestamp-authority_2.0.3-1.git.tar.xz
b319dfa9fd829734a4d039c7dbb6a0b82a7b1d1c 18366
golang-github-sigstore-timestamp-authority_2.0.3-1_source.buildinfo
Checksums-Sha256:
a7db247b931cb0c2ecccf4f6a78294cdf08fd5caf96066c8dda3fe43522e4f7f 3616
golang-github-sigstore-timestamp-authority_2.0.3-1.dsc
819b60743b076276884969b9fd2d80c6e63b537b51fa0959e384c23a986ee9f1 108252
golang-github-sigstore-timestamp-authority_2.0.3.orig.tar.xz
60ccaffe45384d65059c2a1f598f2eae9361e79d3dd6f7c9c57be784b365b401 3708
golang-github-sigstore-timestamp-authority_2.0.3-1.debian.tar.xz
2900d1e5150105df76458d67b2f2353b665dce0598dda57533ac6c558087b44b 360132
golang-github-sigstore-timestamp-authority_2.0.3-1.git.tar.xz
e89a73e2ee879bdcd7595b775364d5e81f9d4d0da83681fa81a27c5e5d1204be 18366
golang-github-sigstore-timestamp-authority_2.0.3-1_source.buildinfo
Files:
5b8590057f967b83ab655210495541ac 3616 golang optional
golang-github-sigstore-timestamp-authority_2.0.3-1.dsc
49604e3ee9d680fd1b15bf1987641c65 108252 golang optional
golang-github-sigstore-timestamp-authority_2.0.3.orig.tar.xz
41989c32b1e1d72ad365784645c1883f 3708 golang optional
golang-github-sigstore-timestamp-authority_2.0.3-1.debian.tar.xz
034f2e2a0930e9128bf747980a8682e9 360132 golang optional
golang-github-sigstore-timestamp-authority_2.0.3-1.git.tar.xz
1f1adab73fa0b227c7b32e284b7e3b8e 18366 golang optional
golang-github-sigstore-timestamp-authority_2.0.3-1_source.buildinfo
Git-Tag-Info: tag=f4f1afd4b645387ad99fc7d2bfb547f9234ae0d1
fp=a3cc9c870b9d310abad4cf2f51722b08fe4745a2
Git-Tag-Tagger: Simon Josefsson <[email protected]>
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
pgpntSMVwhGqU.pgp
Description: PGP signature
--- End Message ---