Overview

File _patchinfo of Package patchinfo.38332

<patchinfo incident="38332">
  <issue tracker="cve" id="2024-51744"/>
  <issue tracker="cve" id="2025-22869"/>
  <issue tracker="cve" id="2025-22870"/>
  <issue tracker="cve" id="2025-27144"/>
  <issue tracker="cve" id="2024-6104"/>
  <issue tracker="cve" id="2025-22868"/>
  <issue tracker="bnc" id="1227031">VUL-0: CVE-2024-6104: cosign: hashicorp/go-retryablehttp: url might write sensitive information to log file</issue>
  <issue tracker="bnc" id="1237682">VUL-0: CVE-2025-27144: cosign: github.com/go-jose/go-jose/v4,github.com/go-jose/go-jose/v3: Go JOSE's Parsing Vulnerable to Denial of Service</issue>
  <issue tracker="bnc" id="1232985">VUL-0: CVE-2024-51744: cosign: github.com/golang-jwt/jwt/v4: Bad documentation of error handling in ParseWithClaims can lead to potentially dangerous situations in golang-jwt</issue>
  <issue tracker="bnc" id="1238693">VUL-0: CVE-2025-22870: cosign: golang.org/x/net/proxy: proxy bypass using IPv6 zone IDs</issue>
  <issue tracker="bnc" id="1239204">VUL-0: CVE-2025-22868: cosign: golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2</issue>
  <issue tracker="bnc" id="1239337">VUL-0: CVE-2025-22869: cosign: golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh</issue>
  <issue tracker="jsc" id="SLE-23476"/>
  <packager>msmeissn</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for cosign</summary>
  <description>This update for cosign fixes the following issues:

- CVE-2024-6104: cosign: hashicorp/go-retryablehttp: Fixed sensitive information disclosure to log file (bsc#1227031)
- CVE-2024-51744: cosign: github.com/golang-jwt/jwt/v4: Fixed bad documentation of error handling in ParseWithClaims leading to potentially dangerous situations (bsc#1232985)
- CVE-2025-27144: cosign: github.com/go-jose/go-jose/v4,github.com/go-jose/go-jose/v3: Fixed denial of service in Go JOSE's Parsing (bsc#1237682)
- CVE-2025-22870: cosign: golang.org/x/net/proxy: Fixed proxy bypass using IPv6 zone IDs (bsc#1238693)
- CVE-2025-22868: cosign: golang.org/x/oauth2/jws: Fixed unexpected memory consumption during token parsing (bsc#1239204)
- CVE-2025-22869: cosign: golang.org/x/crypto/ssh: Fixed denial of service in the Key Exchange (bsc#1239337)

Other fixes:

- Update to version 2.5.0 (jsc#SLE-23476):
  * Update sigstore-go to pick up bug fixes (#4150)
  * Update golangci-lint to v2, update golangci-lint-action (#4143)
  * Feat/non filename completions (#4115)
  * update builder to use go1.24.1 (#4116)
  * Add support for new bundle specification for attesting/verifying OCI image attestations (#3889)
  * Remove cert log line (#4113)
  * cmd/cosign/cli: fix typo in ignoreTLogMessage (#4111)
  * bump to latest scaffolding release for testing (#4099)
  * increase 2e2_test docker compose tiemout to 180s (#4091)
  * Fix replace with compliant image mediatype (#4077)
  * Add TSA certificate related flags and fields for cosign attest (#4079)

- Update to version 2.4.3 (jsc#SLE-23476):
  * Enable fetching signatures without remote get. (#4047)
  * Bump sigstore/sigstore to support KMS plugins (#4073)
  * sort properly Go imports (#4071)
  * sync comment with parameter name in function signature (#4063)
  * fix go imports order to be alphabetical (#4062)
  * fix comment typo and imports order (#4061)
  * Feat/file flag completion improvements (#4028)
  * Udpate builder to use go1.23.6 (#4052)
  * Refactor verifyNewBundle into library function (#4013)
  * fix parsing error in --only for cosign copy (#4049)
  * Fix codeowners syntax, add dep-maintainers (#4046)

- Update to version 2.4.2 (jsc#SLE-23476):
  - Updated open-policy-agent to 1.1.0 library (#4036)
     -  Note that only Rego v0 policies are supported at this time
  - Add UseSignedTimestamps to CheckOpts, refactor TSA options (#4006)
  - Add support for verifying root checksum in cosign initialize (#3953)
  - Detect if user supplied a valid protobuf bundle (#3931)
  - Add a log message if user doesn't provide --trusted-root (#3933)
  - Support mTLS towards container registry (#3922)
  - Add bundle create helper command (#3901)
  - Add trusted-root create helper command (#3876)
  Bug Fixes:
  - fix: set tls config while retaining other fields from default http transport (#4007)
  - policy fuzzer: ignore known panics (#3993)
  - Fix for multiple WithRemote options (#3982)
  - Add nightly conformance test workflow (#3979)
  - Fix copy --only for signatures + update/align docs (#3904)
</description>
</patchinfo>
openSUSE Build Service is sponsored by
Places