This repository was archived by the owner on Jan 7, 2026. It is now read-only.

gitsign: update advisories #27933

Merged
dnegreira merged 1 commit into wolfi-dev:main from dnegreira:gitsign-GHSA-4qg8-fj49-pxjh-GHSA-f83f-xpx7-ffpw on Dec 15, 2025

Conversation

@dnegreira (Member)

Update advisories for CVE-2025-66564 and CVE-2025-66506

github.com/sigstore/fulcio is a direct dependency of gitsign

github.com/sigstore/timestamp-authority is a transitive dependency
pulled in by github.com/sigstore/cosign.

Any attempts to bump github.com/sigstore/fulcio or
github.com/sigstore/timestamp-authority result in build failures.

gitsign currently has an open PR in order to bump fulcio to v1.8.3 [1]

The bump has already happened in the upstream sigstore v3.0.3 version. [2]

We need to wait for upstream to cut a new release with the new software
versions.

[1] sigstore/gitsign#730
[2] sigstore/cosign@5a60384

Signed-off-by: David Negreira <david.negreira@chainguard.dev>

@dnegreira dnegreira added this pull request to the merge queue Dec 15, 2025
Merged via the queue into wolfi-dev:main with commit f53b60e Dec 15, 2025
4 checks passed
@dnegreira dnegreira deleted the gitsign-GHSA-4qg8-fj49-pxjh-GHSA-f83f-xpx7-ffpw branch December 15, 2025 16:04
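To make the direct-versus-transitive distinction in the PR description above concrete, here is an added example in Go (not code from the PR, from gitsign, or from wolfi's advisory tooling). It parses a go.mod require block, flags modules whose version is below an assumed first-fixed version, and reports whether each is a direct requirement or a `// indirect` one. The sample go.mod text and its version numbers are constructed for illustration; the fulcio threshold v1.8.3 is taken from the bump PR the description cites, and the timestamp-authority threshold is a placeholder because the description states no fixed version for it.

```go
package main

import (
	"fmt"
	"strings"
)

// SampleGoMod is a constructed go.mod fragment for illustration only; it is
// not gitsign's real go.mod and the version numbers are made up.
const SampleGoMod = `module example.com/signer-like

go 1.22

require (
	github.com/sigstore/cosign/v2 v2.4.1
	github.com/sigstore/fulcio v1.8.2
	github.com/sigstore/timestamp-authority v1.2.2 // indirect
)
`

// FixedVersions maps a module path to the first version assumed to carry the
// fix. fulcio v1.8.3 is the version the PR description's cited bump targets;
// the timestamp-authority entry is a placeholder, since the PR states no
// fixed version for it.
var FixedVersions = map[string]string{
	"github.com/sigstore/fulcio":              "v1.8.3",
	"github.com/sigstore/timestamp-authority": "v1.999.0", // placeholder
}

// Requirement is one entry from a go.mod require directive.
type Requirement struct {
	Path     string
	Version  string
	Indirect bool // true when go.mod marks the line "// indirect"
}

// ParseRequires extracts requirements from go.mod text, handling both a
// single-line "require path version" and a multi-line "require ( ... )" block.
func ParseRequires(gomod string) []Requirement {
	var reqs []Requirement
	inBlock := false
	for _, raw := range strings.Split(gomod, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case line == "require (":
			inBlock = true
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		case strings.HasPrefix(line, "require "):
			line = strings.TrimPrefix(line, "require ")
		case !inBlock:
			continue
		}
		if line == "" || strings.HasPrefix(line, "//") {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) < 2 {
			continue
		}
		reqs = append(reqs, Requirement{
			Path:     fields[0],
			Version:  fields[1],
			Indirect: strings.Contains(line, "// indirect"),
		})
	}
	return reqs
}

// semverCore splits "vX.Y.Z[-pre][+build]" into its numeric parts and reports
// whether a pre-release suffix (including Go pseudo-versions) is present.
func semverCore(v string) (parts [3]int, pre bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexByte(v, '+'); i >= 0 {
		v = v[:i]
	}
	if i := strings.IndexByte(v, '-'); i >= 0 {
		pre = true
		v = v[:i]
	}
	for i, p := range strings.SplitN(v, ".", 3) {
		n := 0
		for _, c := range p {
			if c < '0' || c > '9' {
				break
			}
			n = n*10 + int(c-'0')
		}
		parts[i] = n
	}
	return parts, pre
}

// VersionAtLeast reports whether have >= want; a pre-release of the wanted
// version (e.g. v1.8.3-rc1 against v1.8.3) does not count as fixed.
func VersionAtLeast(have, want string) bool {
	h, hpre := semverCore(have)
	w, _ := semverCore(want)
	for i := 0; i < 3; i++ {
		if h[i] != w[i] {
			return h[i] > w[i]
		}
	}
	return !hpre
}

// Finding is one requirement still below its fixed version.
type Finding struct {
	Path, Have, Fixed string
	Direct            bool
}

// Triage returns, in go.mod order, every requirement listed in fixed whose
// version is below the fixed version.
func Triage(gomod string, fixed map[string]string) []Finding {
	var out []Finding
	for _, r := range ParseRequires(gomod) {
		want, ok := fixed[r.Path]
		if !ok || VersionAtLeast(r.Version, want) {
			continue
		}
		out = append(out, Finding{Path: r.Path, Have: r.Version, Fixed: want, Direct: !r.Indirect})
	}
	return out
}

func main() {
	for _, f := range Triage(SampleGoMod, FixedVersions) {
		kind := "transitive (// indirect)"
		if f.Direct {
			kind = "direct"
		}
		fmt.Printf("%s %s < %s (%s)\n", f.Path, f.Have, f.Fixed, kind)
	}
}
```

A direct finding can in principle be fixed by bumping the requirement in the project's own go.mod (subject to the build failures the PR description reports); an indirect finding has to be fixed by the intermediate module, here cosign, which is why the advisory waits for an upstream release. In a real checkout, `go mod why -m github.com/sigstore/timestamp-authority` prints the import chain that pulls the module in.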