SUSE-SU-2024:0430-1

Source
https://www.suse.com/support/update/announcement/2024/suse-su-20240430-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2024:0430-1.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-SU-2024:0430-1
Related
Published
2024-02-08T14:03:31Z
Modified
2024-02-08T14:03:31Z
Summary
Security update for cosign
Details

This update for cosign fixes the following issues:

Updated to 2.2.3 (jsc#SLE-23879):

Bug Fixes:

  • Fix race condition on verification with multiple signatures attached to image (#3486)
  • fix(clean): Fix clean cmd for private registries (#3446)
  • Fixed BYO PKI verification (#3427)

Features:

  • Allow for option in cosign attest and attest-blob to upload attestation as supported in Rekor (#3466)
  • Add support for OpenVEX predicate type (#3405)

Documentation:

  • Resolves #3088: version sub-command expected behaviour documentation and testing (#3447)
  • add examples for cosign attach signature cmd (#3468)

Misc:

  • Remove CertSubject function (#3467)
  • Use local rekor and fulcio instances in e2e tests (#3478)

  • bumped embedded golang.org/x/crypto/ssh to fix the Terrapin attack CVE-2023-48795 (bsc#1218207)

Updated to 2.2.2 (jsc#SLE-23879):

v2.2.2 adds a new container with a shell, gcr.io/projectsigstore/cosign:vx.y.z-dev, in addition to the existing container gcr.io/projectsigstore/cosign:vx.y.z without a shell.

For private deployments, we have also added an alias for --insecure-skip-log, --private-infrastructure.

Bug Fixes:

  • chore(deps): bump github.com/sigstore/sigstore from 1.7.5 to 1.7.6 (#3411) which fixes a bug with using Azure KMS
  • Don't require CT log keys if using a key/sk (#3415)
  • Fix copy without any flag set (#3409)
  • Update cosign generate cmd to not include newline (#3393)
  • Fix idempotency error with signing (#3371)

Features:

  • Add --yes flag cosign import-key-pair to skip the overwrite confirmation. (#3383)
  • Use the timeout flag value in verify* commands. (#3391)
  • add --private-infrastructure flag (#3369)

Container Updates:

  • Bump builder image to use go1.21.4 and add new cosign image tags with shell (#3373)

Documentation:

  • Update SBOM_SPEC.md (#3358)

  • CVE-2023-48795: Fixed the Terrapin attack in embedded golang.org/x/crypto/ssh (bsc#1218207).

References

Affected packages

SUSE:Linux Enterprise Module for Basesystem 15 SP5 / cosign

Package

Name
cosign
Purl
purl:rpm/suse/cosign&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.2.3-150400.3.17.1

Ecosystem specific

{
    "binaries": [
        {
            "cosign": "2.2.3-150400.3.17.1"
        }
    ]
}

openSUSE:Leap 15.5 / cosign

Package

Name
cosign
Purl
purl:rpm/suse/cosign&distro=openSUSE%20Leap%2015.5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.2.3-150400.3.17.1

Ecosystem specific

{
    "binaries": [
        {
            "cosign": "2.2.3-150400.3.17.1"
        }
    ]
}