x/vulndb: potential Go vuln in github.com/sigstore/rekor: GHSA-frqx-jfcm-6jjr

[GoVulnBot]

In GitHub Security Advisory GHSA-frqx-jfcm-6jjr, there is a vulnerability in the following Go packages or modules:

Unit	Fixed	Vulnerable Ranges
github.com/sigstore/rekor	1.2.0	< 1.2.0

Cross references:

• Module github.com/sigstore/rekor appears in issue x/vulndb: potential Go vuln in github.com/sigstore/rekor: GHSA-2h5h-59f5-c5x9 #1754 NOT_IMPORTABLE

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/sigstore/rekor
    versions:
      - fixed: 1.2.0
    packages:
      - package: github.com/sigstore/rekor
summary: malformed proposed intoto entries can cause a panic
description: |-
    ### Impact
    A malformed proposed entry of the `intoto/v0.0.2` type can cause a panic on a thread within the Rekor process. The thread is recovered so the client receives a 500 error message and service still continues, so the availability impact of this is minimal.

    ### Patches
    This is fixed in v1.2.0 of Rekor.

    ### Workarounds
    No

    ### References
    Discovered by OSS-Fuzz
cves:
  - CVE-2023-33199
ghsas:
  - GHSA-frqx-jfcm-6jjr
references:
  - advisory: https://github.com/sigstore/rekor/security/advisories/GHSA-frqx-jfcm-6jjr
  - fix: https://github.com/sigstore/rekor/commit/140c5add105179e5ffd9e3e114fd1b6b93aebbd4
  - advisory: https://github.com/advisories/GHSA-frqx-jfcm-6jjr

[RafalKorepta]

I think it should be closed as per #1762 (comment)

[gopherbot]

Change https://go.dev/cl/503837 mentions this issue: data/excluded: batch add 21 excluded reports

[gopherbot]

Change https://go.dev/cl/592761 mentions this issue: data/reports: unexclude 75 reports

[gopherbot]

Change https://go.dev/cl/606786 mentions this issue: data/reports: unexclude 20 reports (6)