File _patchinfo of Package patchinfo.39820
<patchinfo incident="39820">
<issue tracker="jsc" id="SLE-23879"/>
<issue tracker="cve" id="2025-46569"/>
<issue tracker="bnc" id="1246725">VUL-0: CVE-2025-46569: cosign: github.com/open-policy-agent/opa: HTTP request path can be crafted to inject Rego code into a constructed query when a virtual document is requested through the Data API</issue>
<packager>msmeissn</packager>
<rating>important</rating>
<category>security</category>
<summary>Security update for cosign</summary>
<description>This update for cosign fixes the following issues:
Update to version 2.5.3 (jsc#SLE-23879):
- CVE-2025-46569: Fixed Rego code injection via a crafted HTTP request path in the OPA server Data API (bsc#1246725)
Changelog:
Update to 2.5.3:
- Add signing-config create command (#4280)
- Allow multiple services to be specified for trusted-root create (#4285)
- force when copying the latest image to overwrite (#4298)
- Fix cert verification logic for trusted-root/SCTs (#4294)
- Fix lint error for types package (#4295)
- feat: Add OCI 1.1+ experimental support to tree (#4205)
- Add validity period end for trusted-root create (#4271)
- avoid double-loading trustedroot from file (#4264)
Update to 2.5.2:
- Do not load trusted root when CT env key is set
- docs: improve doc for --no-upload option (#4206)
Update to 2.5.1:
- Add Rekor v2 support for trusted-root create (#4242)
- Add baseUrl and Uri to trusted-root create command
- Upgrade to TUF v2 client with trusted root
- Don't verify SCT for a private PKI cert (#4225)
- Bump TSA library to relax EKU chain validation rules (#4219)
- Bump sigstore-go to pick up log index=0 fix (#4162)
- remove unused recursive flag on attest command (#4187)
</description>
</patchinfo>