File _patchinfo of Package patchinfo.33590
<patchinfo incident="33590">
<issue tracker="jsc" id="SLE-23879"/>
<issue tracker="cve" id="2024-29903"/>
<issue tracker="cve" id="2024-29902"/>
<issue tracker="bnc" id="1222835">VUL-0: CVE-2024-29902: cosign: Malicious attachments can cause system-wide denial of service</issue>
<issue tracker="bnc" id="1222837">VUL-0: CVE-2024-29903: cosign: Malicious artifacts can cause machine-wide denial of service</issue>
<packager>msmeissn</packager>
<rating>moderate</rating>
<category>security</category>
<summary>Security update for cosign</summary>
<description>This update for cosign fixes the following issues:
- CVE-2024-29902: Fixed denial of service on host machine via remote image with malicious attachments (bsc#1222835)
- CVE-2024-29903: Fixed denial of service on host machine via malicious software artifacts (bsc#1222837)
Other fixes:
- Updated to 2.2.4 (jsc#SLE-23879)
  * Fixes for GHSA-88jx-383q-w4qc and GHSA-95pr-fxf5-86gv (#3661)
  * ErrNoSignaturesFound should be used when there is no signature attached to an image. (#3526)
  * fix semgrep issues for dgryski.semgrep-go ruleset (#3541)
  * Honor creation timestamp for signatures again (#3549)
  * Features
    * Adds Support for Fulcio Client Credentials Flow, and Argument to Set Flow Explicitly (#3578)
</description>
</patchinfo>