File _patchinfo of Package patchinfo.33590

<patchinfo incident="33590">
  <issue tracker="jsc" id="SLE-23879"/>
  <issue tracker="cve" id="2024-29903"/>
  <issue tracker="cve" id="2024-29902"/>
  <issue tracker="bnc" id="1222835">VUL-0: CVE-2024-29902: cosign: Malicious attachments can cause system-wide denial of service</issue>
  <issue tracker="bnc" id="1222837">VUL-0: CVE-2024-29903: cosign: Malicious artifacts can cause machine-wide denial of service</issue>
  <packager>msmeissn</packager>
  <rating>moderate</rating>
  <category>security</category>
  <summary>Security update for cosign</summary>
  <description>This update for cosign fixes the following issues:

- CVE-2024-29902: Fixed denial of service on host machine via a remote image with malicious attachments (bsc#1222835)
- CVE-2024-29903: Fixed denial of service on host machine via malicious software artifacts (bsc#1222837)

Other fixes:
- Updated to 2.2.4 (jsc#SLE-23879)
    * Fixes for GHSA-88jx-383q-w4qc and GHSA-95pr-fxf5-86gv (#3661)
    * ErrNoSignaturesFound should be used when there is no signature attached to an image. (#3526)
    * fix semgrep issues for dgryski.semgrep-go ruleset (#3541)
    * Honor creation timestamp for signatures again (#3549)
  * Features
    * Adds Support for Fulcio Client Credentials Flow, and Argument to Set Flow Explicitly (#3578)
</description>
</patchinfo>