SUSE-CU-2025:2929-1: Security update of suse/cosign

sle-container-updates at lists.suse.com sle-container-updates at lists.suse.com
Tue Apr 29 07:09:56 UTC 2025 

SUSE Container Update Advisory: suse/cosign
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:2929-1
Container Tags        : suse/cosign:2 , suse/cosign:2.5 , suse/cosign:2.5.0 , suse/cosign:2.5.0-2.2 , suse/cosign:latest
Container Release     : 2.2
Severity              : important
Type                  : security
References            : 1227031 1232985 1237682 1238693 1239204 1239337 CVE-2024-51744
                        CVE-2024-6104 CVE-2025-22868 CVE-2025-22869 CVE-2025-22870 CVE-2025-27144
-----------------------------------------------------------------

The container suse/cosign was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1333-1
Released:    Thu Apr 17 03:38:16 2025
Summary:     Security update for cosign
Type:        security
Severity:    important
References:  1227031,1232985,1237682,1238693,1239204,1239337,CVE-2024-51744,CVE-2024-6104,CVE-2025-22868,CVE-2025-22869,CVE-2025-22870,CVE-2025-27144
This update for cosign fixes the following issues:

- CVE-2024-6104: cosign: hashicorp/go-retryablehttp: Fixed sensitive information disclosure to log file (bsc#1227031)
- CVE-2024-51744: cosign: github.com/golang-jwt/jwt/v4: Fixed bad documentation of error handling in ParseWithClaims leading to potentially dangerous situations (bsc#1232985)
- CVE-2025-27144: cosign: github.com/go-jose/go-jose/v4,github.com/go-jose/go-jose/v3: Fixed denial of service in Go JOSE's Parsing (bsc#1237682)
- CVE-2025-22870: cosign: golang.org/x/net/proxy: Fixed proxy bypass using IPv6 zone IDs (bsc#1238693)
- CVE-2025-22868: cosign: golang.org/x/oauth2/jws: Fixed unexpected memory consumption during token parsing (bsc#1239204)
- CVE-2025-22869: cosign: golang.org/x/crypto/ssh: Fixed denial of service in the Key Exchange (bsc#1239337)

Other fixes:

- Update to version 2.5.0 (jsc#SLE-23476):
  * Update sigstore-go to pick up bug fixes (#4150)
  * Update golangci-lint to v2, update golangci-lint-action (#4143)
  * Feat/non filename completions (#4115)
  * update builder to use go1.24.1 (#4116)
  * Add support for new bundle specification for attesting/verifying OCI image attestations (#3889)
  * Remove cert log line (#4113)
  * cmd/cosign/cli: fix typo in ignoreTLogMessage (#4111)
  * bump to latest scaffolding release for testing (#4099)
  * increase 2e2_test docker compose tiemout to 180s (#4091)
  * Fix replace with compliant image mediatype (#4077)
  * Add TSA certificate related flags and fields for cosign attest (#4079)

- Update to version 2.4.3 (jsc#SLE-23476):
  * Enable fetching signatures without remote get. (#4047)
  * Bump sigstore/sigstore to support KMS plugins (#4073)
  * sort properly Go imports (#4071)
  * sync comment with parameter name in function signature (#4063)
  * fix go imports order to be alphabetical (#4062)
  * fix comment typo and imports order (#4061)
  * Feat/file flag completion improvements (#4028)
  * Udpate builder to use go1.23.6 (#4052)
  * Refactor verifyNewBundle into library function (#4013)
  * fix parsing error in --only for cosign copy (#4049)
  * Fix codeowners syntax, add dep-maintainers (#4046)

- Update to version 2.4.2 (jsc#SLE-23476):
  - Updated open-policy-agent to 1.1.0 library (#4036)
     -  Note that only Rego v0 policies are supported at this time
  - Add UseSignedTimestamps to CheckOpts, refactor TSA options (#4006)
  - Add support for verifying root checksum in cosign initialize (#3953)
  - Detect if user supplied a valid protobuf bundle (#3931)
  - Add a log message if user doesn't provide --trusted-root (#3933)
  - Support mTLS towards container registry (#3922)
  - Add bundle create helper command (#3901)
  - Add trusted-root create helper command (#3876)
  Bug Fixes:
  - fix: set tls config while retaining other fields from default http transport (#4007)
  - policy fuzzer: ignore known panics (#3993)
  - Fix for multiple WithRemote options (#3982)
  - Add nightly conformance test workflow (#3979)
  - Fix copy --only for signatures + update/align docs (#3904)


The following package changes have been done:

- cosign-2.5.0-150400.3.27.1 updated
- libgcrypt20-1.10.3-150600.3.6.1 updated

More information about the sle-container-updates mailing list