File _patchinfo of Package patchinfo.32493

<patchinfo incident="32493">
  <issue tracker="jsc" id="SLE-23879"/>
  <issue tracker="cve" id="2023-48795"/>
  <issue tracker="bnc" id="1218207">VUL-0: CVE-2023-48795: cosign: golang.org/x/crypto/ssh: prefix truncation breaking ssh channel integrity</issue>
  <packager>msmeissn</packager>
  <rating>moderate</rating>
  <category>security</category>
  <summary>Security update for cosign</summary>
  <description>This update for cosign fixes the following issues:

Updated to 2.2.3 (jsc#SLE-23879):

Bug Fixes:

* Fix race condition on verification with multiple signatures attached to image (#3486)
* fix(clean): Fix clean cmd for private registries (#3446)
* Fixed BYO PKI verification (#3427)

Features:

* Allow for option in cosign attest and attest-blob to upload attestation as supported in Rekor (#3466)
* Add support for OpenVEX predicate type (#3405)

Documentation:

* Resolves #3088: `version` sub-command expected behaviour documentation and testing (#3447)
* add examples for cosign attach signature cmd (#3468)

Misc:

* Remove CertSubject function (#3467)
* Use local rekor and fulcio instances in e2e tests (#3478)

- bumped embedded golang.org/x/crypto/ssh to fix the Terrapin attack CVE-2023-48795 (bsc#1218207)

Updated to 2.2.2 (jsc#SLE-23879):

v2.2.2 adds a new container with a shell,
gcr.io/projectsigstore/cosign:vx.y.z-dev, in addition to the existing
container gcr.io/projectsigstore/cosign:vx.y.z without a shell.

For private deployments, we have also added --private-infrastructure as an
alias for --insecure-skip-log.

Bug Fixes:

* chore(deps): bump github.com/sigstore/sigstore from 1.7.5 to 1.7.6 (#3411) which fixes a bug with using Azure KMS
* Don't require CT log keys if using a key/sk (#3415)
* Fix copy without any flag set (#3409)
* Update cosign generate cmd to not include newline (#3393)
* Fix idempotency error with signing (#3371)

Features:

* Add --yes flag to cosign import-key-pair to skip the overwrite confirmation. (#3383)
* Use the timeout flag value in verify* commands. (#3391)
* add --private-infrastructure flag (#3369)

Container Updates:

* Bump builder image to use go1.21.4 and add new cosign image tags with shell (#3373)

Documentation:

* Update SBOM_SPEC.md (#3358)

- CVE-2023-48795: Fixed the Terrapin attack in embedded golang.org/x/crypto/ssh (bsc#1218207).
</description>
</patchinfo>