SUSE-CU-2024:5870-1: Security update of suse/cosign

sle-container-updates at lists.suse.com
Thu Nov 28 08:14:46 UTC 2024


SUSE Container Update Advisory: suse/cosign
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:5870-1
Container Tags        : suse/cosign:2 , suse/cosign:2.4 , suse/cosign:2.4.0 , suse/cosign:2.4.0-6.1 , suse/cosign:latest
Container Release     : 6.1
Severity              : important
Type                  : security
References            : 1202157 1203430 1206346 1216933 1218207 1222835 1222837 CVE-2022-35929
                        CVE-2022-36056 CVE-2023-46737 CVE-2023-48795 CVE-2024-29902 CVE-2024-29903
-----------------------------------------------------------------

The container suse/cosign was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2877-1
Released:    Tue Aug 23 13:31:23 2022
Summary:     Security update for cosign
Type:        security
Severity:    important
References:  1202157,CVE-2022-35929
This update for cosign fixes the following issues:

- Updated to 1.10.1 (jsc#SLE-23879):
  - CVE-2022-35929: Fixed an issue where cosign verify-attestation --type
    could report false positives when there was at least one attestation
    with a valid signature and there were no attestations of the type
    being verified (bsc#1202157).
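The false positive CVE-2022-35929 describes, modelled in Go as an added example (this is not cosign's code; the Attestation type, verifyByTypeBuggy and verifyByTypeFixed are hypothetical, and signature verification is simulated by a flag): the buggy path decides success before applying the --type filter, so any valid attestation makes the check pass; the fixed path applies the filter first.

```go
package main

import (
	"errors"
	"fmt"
)

// Attestation is a constructed stand-in (not a cosign type) for one
// attestation attached to an image: its in-toto predicate type and the
// outcome of verifying its signature, which is simulated here.
type Attestation struct {
	PredicateType string
	SigValid      bool
}

var (
	ErrNoValidSignature = errors.New("no attestation with a valid signature")
	ErrNoMatchingType   = errors.New("no verified attestation of the requested type")
)

// verifyByTypeBuggy models the pre-1.10.1 behaviour the advisory describes:
// success is decided on "some attestation has a valid signature" and the
// --type filter is applied afterwards to the returned set, so an image with
// no attestation of the requested type still passes.
func verifyByTypeBuggy(atts []Attestation, wantType string) ([]Attestation, error) {
	var verified []Attestation
	for _, a := range atts {
		if a.SigValid {
			verified = append(verified, a)
		}
	}
	if len(verified) == 0 {
		return nil, ErrNoValidSignature
	}
	var matching []Attestation // filtered, but an empty result is not an error
	for _, a := range verified {
		if a.PredicateType == wantType {
			matching = append(matching, a)
		}
	}
	return matching, nil
}

// verifyByTypeFixed applies the type filter before the success decision:
// at least one attestation must both verify and carry the requested type.
func verifyByTypeFixed(atts []Attestation, wantType string) ([]Attestation, error) {
	var matching []Attestation
	for _, a := range atts {
		if a.SigValid && a.PredicateType == wantType {
			matching = append(matching, a)
		}
	}
	if len(matching) == 0 {
		return nil, fmt.Errorf("%w: %q", ErrNoMatchingType, wantType)
	}
	return matching, nil
}

func main() {
	// Constructed sample: a valid provenance attestation plus an SPDX one
	// whose signature fails. Asking for SPDX must fail; the buggy check passes.
	atts := []Attestation{
		{PredicateType: "https://slsa.dev/provenance/v0.2", SigValid: true},
		{PredicateType: "https://spdx.dev/Document", SigValid: false},
	}
	_, err := verifyByTypeBuggy(atts, "https://spdx.dev/Document")
	fmt.Println("buggy:", err) // prints "buggy: <nil>": the false positive
	_, err = verifyByTypeFixed(atts, "https://spdx.dev/Document")
	fmt.Println("fixed:", err) // prints the ErrNoMatchingType error
}
```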

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3486-1
Released:    Sat Oct  1 13:33:54 2022
Summary:     Security update for cosign
Type:        security
Severity:    important
References:  1203430,CVE-2022-36056
This update for cosign fixes the following issues:

Updated to version 1.12.0 (jsc#SLE-23879):
- CVE-2022-36056: Fixed an issue where verify-blob could successfully verify an artifact when verification should have failed (bsc#1203430).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2301-1
Released:    Thu May 25 13:34:56 2023
Summary:     Recommended update for cosign
Type:        recommended
Severity:    moderate
References:  
This update for cosign fixes the following issues:

cosign was updated to 2.0.1 (jsc#SLE-23879)

- Enhancements

  - Add environment variable token provider (#2864)
  - Remove cosign policy command (#2846)
  - Allow customising 'go' executable with GOEXE var (#2841)
  - Consistent tlog warnings during verification (#2840)
  - Add riscv64 arch (#2821)
  - Default generated PEM labels to SIGSTORE (#2735)
  - Update privacy statement and confirmation (#2797)
  - Add exit codes for verify errors (#2766)
  - Add Buildkite provider (#2779)
  - verify-blob-attestation: Loosen arg requirements if --check-claims=false (#2746)

- Bug Fixes

  - PKCS11 sessions are now opened read only (#2853)
  - Makefile: date format of log should not show signatures (#2835)
  - Add missing flags to cosign verify dockerfile/manifest (#2830)
  - Add a warning to remember how to configure a custom Gitlab host (#2816)
  - Remove tag warning message from save/copy commands (#2799)
  - Mark keyless pem files with b64 (#2671)

- build against a maintained golang version (upstream uses go1.20)

cosign was updated to 2.0.0 (jsc#SLE-23879)

- Breaking Changes:

  - insecure-skip-tlog-verify: rename and adapt the cert expiration check (#2620)
  - Deprecate --certificate-email flag. Make --certificate-identity and -… (#2411)

- Enhancements:

  - Change go module name to github.com/sigstore/cosign/v2 for Cosign 2.0 (#2544)
  - Allow users to pass in a path for the --identity-token flag (#2538)
  - Breaking change: Respect tlog-upload=false, default to true (#2505)
  - Support outputting a certificate without uploading to the tlog (#2506)
  - Attestation/Blob signing and verification using a RFC3161 time-stamping server (#2464)
  - respect tlog-upload flag with TSA (#2474)
  - Better feedback if specifying incompatible argument on cosign sign --attachment (#2449)
  - Support TSA and Rekor verifications (#2463)
  - add support for tsa signing and verification of images (#2460)
  - cosign policy sign: remove experimental flag and make keyless signing default (#2459)
  - Remove experimental mode from cosign attest and verify-attestation (#2458)
  - Remove experimental mode from sign-blob and verify-blob (#2457)
  - Add --offline flag to force offline verification (#2427)
  - Air gap support (#2299)
  - Breaking change: Change SCT verification behavior to default to enforcement (#2400)
  - Breaking change: remove --force flag from sign and attest and rely on --yes flag to skip confirmation (#2399)
  - Breaking change: replace --no-tlog-upload flag with --tlog-upload flag (#2397)
  - Remove experimental flag from cosign sign and cosign verify (#2387)
  - verify: remove SIGSTORE_TRUST_REKOR_API_PUBLIC_KEY test env var for using a key from rekor's API (#2362)
  - Add warning to use digest instead of tags to other cosign commands (#2650)
  - Fix up UI messages (#2629)
  - Remove hardcoded Fulcio from output (#2621)
  - Fix missing privacy statement, print in multiple locations (#2622)
  - feat: allows custom key names for import-key-pair (#2587)
  - feat: support keyless verification for verify-blob-attestation (#2525)
  - attest-blob: add functionality for keyless signing (#2515)
  - Rego: add support for custom error/warning messages when evaluating rego rules (#2577)
  - feat: add debug information to cert validation error (#2579)
  - Support non-Sigstore TSA requests (#2708)
  - Add COSIGN_OCI_EXPERIMENTAL, push .sig/.sbom using OCI 1.1+ digest tag (#2684)
  - Output certificate in bundle when entry is not uploaded to Rekor (#2715)
  - attach signature and attach sbom must use STDIN to upload raw string (#2637)
  - add generate-key-pair GitHub Enterprise server support (#2676)
  - add in format string for warning (#2699)
  - Support for fetching Fulcio certs with self-managed key (#2532)
  - 2476 predicate type download (#2484)

- Bug Fixes:

  - Fix the file existence check. (#2552)
  - Fix timestamp verification, add verify-blob tests (#2527)
  - Fix(verify): Consolidate certificate expiry logic (#2504)
  - Updates to Timestamp signing and verification (#2499)
  - Fix: removes attestation payload from attest-blob's output & no base64 encoding (#2498)
  - Fix path for e2e-tests badge (#2490)
  - Fix spdx json media type (#2479)
  - Fix sct verification (#2426)
  - Fix: panic with unsigned local image (#2656)
  - Make sure a cert passed in via --cert matches the bundle cert (#2652)
  - Fix: fix github oidc post submit test (#2594)
  - Fix: add enhanced error messages for failing verification with TUF targets (#2589)
  - Fix: Add missing schemes to cosign predicate types. (#2717)
  - Fix: Drop the CosignPredicate wrapper around SBOM attestations. (#2718)
  - Fix prompts with Windows line endings (#2674)

cosign was updated to 1.13.1:

  - verify-blob-attestation: allow multiple subjects in in_toto attestation (#2341)
  - Nits for #2337 (#2342)
  - Add verify-blob-attestation command and tests (#2337)
  - Update warning when users sign images by tag. (#2313)
  - Remove experimental flags from attest-blob and refactor (#2338)
  - Add --output-attestation flag to attest-blob and remove experimental signing (#2332)
  - Add attest-blob command (#2286)
  - Add '--cert-identity' flag to support subject alternate names for ver… (#2278)
  - Update Dockerfile section of README (#2323)
  - Fix option description: 'sign' --> 'verify' (#2306)

cosign was updated to 1.13.0:

  - feat: use stdin as an input for predicate by @developer-guy in https://github.com/sigstore/cosign/pull/2269
  - feat: improve the verification message by @developer-guy in https://github.com/sigstore/cosign/pull/2268
  - use scaffolding 0.4.8 for tests. by @vaikas in https://github.com/sigstore/cosign/pull/2280
  - fix pivtool generate key touch policy by @cpanato in https://github.com/sigstore/cosign/pull/2282
  - Check error on chain verification failure by @haydentherapper in https://github.com/sigstore/cosign/pull/2284
  - Fix: Remove an extra registry request from verification path. by @mattmoor in https://github.com/sigstore/cosign/pull/2285
  - Fix: Create a static copy of signatures as part of verification. by @mattmoor in https://github.com/sigstore/cosign/pull/2287
  - Data race in FetchSignaturesForReference by @RTann in https://github.com/sigstore/cosign/pull/2283
  - Add support for Fulcio username identity in SAN by @haydentherapper in https://github.com/sigstore/cosign/pull/2291
  - fix: make tlog entry lookups for online verification shard-aware by @asraa in https://github.com/sigstore/cosign/pull/2297
  - Better help text to sign and verify SBOM by @ChristianCiach in https://github.com/sigstore/cosign/pull/2308
  - Adding warning to pin to digest by @ChaosInTheCRD in https://github.com/sigstore/cosign/pull/2311
  - Add annotations for upload blob. by @cldmnky in https://github.com/sigstore/cosign/pull/2188
  - replace deprecate package by @cpanato in https://github.com/sigstore/cosign/pull/2314
  - update release images to use go1.19.2 and cosign v1.12.1 by @cpanato in https://github.com/sigstore/cosign/pull/2315

cosign was updated to 1.12.1:

  - fix: Pulls Fulcio root and intermediate when --certificate-chain is not
    passed into verify-blob command. The v1.12.0 release introduced a
    regression: when COSIGN_EXPERIMENTAL was not set, cosign verify-blob would
    check a --certificate (without a --certificate-chain provided) against the
    operating system root CA bundle. In this release, Cosign checks the
    certificate against Fulcio's CA root instead (restoring the earlier
    behavior).
  - fix: fix cert chain validation for verify-blob in non-experimental mode
  - fix: add COSIGN_EXPERIMENTAL=1 for verify-blob
  - Fix BYO-root with intermediate to fetch intermediates from annotation
  - fix: fixing breaking changes in rekor v1.12.0 upgrade

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2665-1
Released:    Tue Jun 27 21:26:14 2023
Summary:     Security update for cosign
Type:        security
Severity:    important
References:  1206346

This update of cosign fixes the following issues:

- rebuild the package with the go 1.20 security release (bsc#1206346).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4870-1
Released:    Thu Dec 14 16:28:28 2023
Summary:     Security update for cosign
Type:        security
Severity:    moderate
References:  1216933,CVE-2023-46737
This update for cosign fixes the following issues:

Updated to 2.2.1 (jsc#SLE-23879)

- Enhancements:
  * CVE-2023-46737: Possible endless data attack from attacker-controlled registry (bsc#1216933)
  * feat: Support basic auth and bearer auth login to registry (#3310)
  * add support for ignoring certificates with pkcs11 (#3334)
  * Support ReplaceOp in Signatures (#3315)
  * feat: added ability to get image digest back via triangulate (#3255)
  * feat: add `--only` flag in `cosign copy` to copy sign, att & sbom (#3247)
  * feat: add support attaching a Rekor bundle to a container (#3246)
  * feat: add support outputting rekor response on signing (#3248)
  * feat: improve dockerfile verify subcommand (#3264)
  * Add guard flag for experimental OCI 1.1 verify. (#3272)
  * Deprecate SBOM attachments (#3256)
  * feat: dedent line in cosign copy doc (#3244)
  * feat: add platform flag to cosign copy command (#3234)
  * Add SLSA 1.0 attestation support to cosign. Closes #2860 (#3219)
  * attest: pass OCI remote opts to att resolver. (#3225)
- Bug Fixes:
  * Merge pull request from GHSA-vfp6-jrw2-99g9
  * fix: allow cosign download sbom when image is absent (#3245)
  * ci: add a OCI registry test for referrers support (#3253)
  * Fix ReplaceSignatures (#3292)
  * Stop using deprecated in_toto.ProvenanceStatement (#3243)
  * Fixes #3236, disable SCT checking for a cosign verification when using .. (#3237)
  * fix: update error in `SignedEntity` to be more descriptive (#3233)
  * Fail timestamp verification if no root is provided (#3224)
- Documentation:
  * Add some docs about verifying in an air-gapped environment (#3321)
  * Update CONTRIBUTING.md (#3268)
  * docs: improves the Contribution guidelines (#3257)
  * Remove security policy (#3230)
- Others:
  * Set go to min 1.21 and update dependencies (#3327)
  * Update contact for code of conduct (#3266)
  * Update .ko.yaml (#3240)


Updated to 2.2.0 (jsc#SLE-23879)

- Enhancements
  * switch to uploading DSSE types to rekor instead of intoto (#3113)
  * add 'cosign sign' command-line parameters for mTLS (#3052)
  * improve error messages around bundle != payload hash (#3146)
  * make VerifyImageAttestation function public (#3156)
  * Switch to cryptoutils function for SANS (#3185)
  * Handle HTTP_1_1_REQUIRED errors in github provider (#3172)
- Bug Fixes
  * Fix nondeterministic timestamps (#3121)
- Documentation
  * doc: Add example of sign-blob with key in env var (#3152)
  * add deprecation notice for cosign-releases GCS bucket (#3148)
  * update doc links (#3186)


Updated to 2.1.1 (jsc#SLE-23879)

- Bug Fixes
  * wait for the workers to become available again to continue the execution (#3084)
  * fix help text when in a container (#3082)


Updated to 2.1.0 (jsc#SLE-23879)

- Breaking Change: The predicate is now a required flag in the attest commands, set via the --type flag.
- Enhancements
  * Verify sigs and attestations in parallel (#3066)
  * Deep inspect attestations when filtering download (#3031)
  * refactor bundle validation code, add support for DSSE rekor type (#3016)
  * Allow overriding remote options (#3049)
  * feat: adds no cert found on sig exit code (#3038)
  * Make predicate a required flag in attest commands (#3033)
  * Added support for attaching Time stamp authority Response in attach command (#3001)
  * Add sign --sign-container-identity CLI (#2984)
  * Feature: Allow cosign to sign digests before they are uploaded. (#2959)
  * accepts attachment-tag-prefix for cosign copy (#3014)
  * Feature: adds '--allow-insecure-registry' for cosign load (#3000)
  * download attestation: support --platform flag (#2980)
  * Cleanup: Add Digest to the SignedEntity interface. (#2960)
  * verify command: support keyless verification using only a provided certificate chain with non-fulcio roots (#2845)
  * verify: use workers to limit the parallelism when verifying images with --max-workers flag (#3069)
- Bug Fixes
  * Fix pkg/cosign/errors (#3050)
  * Fix: update doc to refer to github-actions oidc provider (#3040)
  * Fix: prefer GitHub OIDC provider if enabled (#3044)
  * Fix --sig-only in cosign copy (#3074)
- Documentation
  * Fix links to sigstore/docs in markdown files (#3064)


Update to 2.0.2 (jsc#SLE-23879)

  - Enhancements
    * Update sigstore/sigstore to v1.6.2 to pick up TUF CDN change (#2891)
    * feat: Make cosign copy faster (#2901)
    * remove sget (#2885)
    * Require a payload to be provided with a signature (#2785)
  - Bug Fixes
    * cmd: Change error message from KeyParseError to PubKeyParseError for verify-blob. (#2876)
    * Use SOURCE_DATE_EPOCH for OCI CreatedAt times (#2878)
  - Documentation
    * Remove experimental warning from Fulcio flags (#2923)
    * add missing oidc provider (#2922)
    * Add zot as a supported registry (#2920)
    * deprecates kms_support docs (#2900)
    * chore(docs) deprecate note for usage docs (#2906)
    * adds note of deprecation for examples.md docs (#2899)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:430-1
Released:    Thu Feb  8 15:03:27 2024
Summary:     Security update for cosign
Type:        security
Severity:    moderate
References:  1218207,CVE-2023-48795
This update for cosign fixes the following issues:

Updated to 2.2.3 (jsc#SLE-23879):

Bug Fixes:

* Fix race condition on verification with multiple signatures attached to image (#3486)
* fix(clean): Fix clean cmd for private registries (#3446)
* Fixed BYO PKI verification (#3427)

Features:

* Allow for option in cosign attest and attest-blob to upload attestation as supported in Rekor (#3466)
* Add support for OpenVEX predicate type (#3405)

Documentation:

* Resolves #3088: `version` sub-command expected behaviour documentation and testing (#3447)
* add examples for cosign attach signature cmd (#3468)

Misc:

* Remove CertSubject function (#3467)
* Use local rekor and fulcio instances in e2e tests (#3478)

- bumped embedded golang.org/x/crypto/ssh to fix the Terrapin attack CVE-2023-48795 (bsc#1218207)

Updated to 2.2.2 (jsc#SLE-23879):

v2.2.2 adds a new container with a shell,
gcr.io/projectsigstore/cosign:vx.y.z-dev, in addition to the existing
container gcr.io/projectsigstore/cosign:vx.y.z without a shell.

For private deployments, we have also added --private-infrastructure as an
alias for --insecure-skip-log.

Bug Fixes:

* chore(deps): bump github.com/sigstore/sigstore from 1.7.5 to 1.7.6 (#3411) which fixes a bug with using Azure KMS
* Don't require CT log keys if using a key/sk (#3415)
* Fix copy without any flag set (#3409)
* Update cosign generate cmd to not include newline (#3393)
* Fix idempotency error with signing (#3371)

Features:

* Add --yes flag cosign import-key-pair to skip the overwrite confirmation. (#3383)
* Use the timeout flag value in verify* commands. (#3391)
* add --private-infrastructure flag (#3369)

Container Updates:

* Bump builder image to use go1.21.4 and add new cosign image tags with shell (#3373)

Documentation:

* Update SBOM_SPEC.md (#3358)

- CVE-2023-48795: Fixed the Terrapin attack in embedded golang.org/x/crypto/ssh (bsc#1218207).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:1486-1
Released:    Thu May  2 07:33:10 2024
Summary:     Security update for cosign
Type:        security
Severity:    moderate
References:  1222835,1222837,CVE-2024-29902,CVE-2024-29903
This update for cosign fixes the following issues:

- CVE-2024-29902: Fixed denial of service on host machine via remote image with malicious attachments (bsc#1222835)
- CVE-2024-29903: Fixed denial of service on host machine via malicious software artifacts (bsc#1222837)

Other fixes:
- Updated to 2.2.4 (jsc#SLE-23879)
  * Fixes for GHSA-88jx-383q-w4qc and GHSA-95pr-fxf5-86gv (#3661)
  * ErrNoSignaturesFound should be used when there is no signature attached to an image. (#3526)
  * fix semgrep issues for dgryski.semgrep-go ruleset (#3541)
  * Honor creation timestamp for signatures again (#3549)
  * Features
    * Adds Support for Fulcio Client Credentials Flow, and Argument to Set Flow Explicitly (#3578)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:3974-1
Released:    Mon Nov 11 16:26:23 2024
Summary:     Recommended update for cosign
Type:        recommended
Severity:    moderate
References:  
This update for cosign fixes the following issues:

cosign was updated to 2.4.0 (jsc#SLE-23879)

  - Add new bundle support to verify-blob and verify-blob-attestation (#3796)
  - Adding protobuf bundle support to sign-blob and attest-blob (#3752)
  - Bump sigstore/sigstore to support email_verified as string or boolean (#3819)
  - Conformance testing for cosign (#3806)
  - move incremental builds per commit to GHCR instead of GCR (#3808)
  - Add support for recording creation timestamp for cosign attest (#3797)
  - Include SCT verification failure details in error message (#3799)

- Set CGO_ENABLED=1 to fix the failing s390x build

Update to 2.3.0 (jsc#SLE-23879):

  * Features

    - Add PayloadProvider interface to decouple AttestationToPayloadJSON from oci.Signature interface (#3693)
    - add registry options to cosign save (#3645)
    - Add debug providers command. (#3728)
    - Make config layers in ociremote mountable (#3741)
    - adds tsa cert chain check for env var or tuf targets. (#3600)
    - add --ca-roots and --ca-intermediates flags to 'cosign verify' (#3464)
    - add handling of keyless verification for all verify commands (#3761)

  * Bug Fixes

    - fix: close attestationFile (#3679)
    - Set bundleVerified to true after Rekor verification (Resolves #3740) (#3745)

  * Documentation

    - Document ImportKeyPair and LoadPrivateKey functions in pkg/cosign (#3776)

- add completion subpackages (bash, fish, zsh)


The following package changes have been done:

- cosign-2.4.0-150400.3.23.1 added
- patterns-base-fips-20200124-150600.30.1 removed

