SUSE-CU-2026:399-1: Security update of suse/cosign

[sle-container-updates at lists.suse.com]

SUSE Container Update Advisory: suse/cosign
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:399-1
Container Tags        : suse/cosign:2 , suse/cosign:2.5 , suse/cosign:2.5.3 , suse/cosign:2.5.3-19.6 , suse/cosign:latest
Container Release     : 19.6
Severity              : important
Type                  : security
References            : 1255715 1256243 1256244 1256246 1256390 CVE-2025-68973 
-----------------------------------------------------------------

The container suse/cosign was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:215-1
Released:    Thu Jan 22 13:10:16 2026
Summary:     Security update for gpg2
Type:        security
Severity:    important
References:  1255715,1256243,1256244,1256246,1256390,CVE-2025-68973
This update for gpg2 fixes the following issues:

- CVE-2025-68973: Fix possible memory corruption in the armor parser (gpg.fail/memcpy)(bsc#1255715).
- Avoid potential downgrade to SHA1 in 3rd party key signatures (gpg.fail/sha1) (bsc#1256246).
- Error out on unverified output for non-detached signatures (gpg.fail/detached) (bsc#1256244).
- Fix a memory leak in gpg2 agent (bsc#1256243).
- Fix Cleartext Signature Forgery in the NotDashEscaped header implementation in GnuPG (gpg.fail/notdash) (bsc#1256390).


The following package changes have been done:

- patterns-base-fips-20200124-150700.36.1 added
- gpg2-2.4.4-150600.3.12.1 updated
- container:suse-sle15-15.7-7970b1398395a13b38e858c60a7b75db5f5265dd7c0ecdabe8919a458b2f34e5-0 updated
- container:registry.suse.com-bci-bci-micro-15.7-55883c76f750bdb0fa8cf3fe2e43f19f9babc501efce9801e94a9c0c8d115a20-0 updated