<div class="container">
<h1>Security update for cosign</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-SU-2026:0777-1</td>
</tr>
<tr>
<th>Release Date:</th>
<td>2026-03-03T13:22:36Z</td>
</tr>
<tr>
<th>Rating:</th>
<td>moderate</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1250620">bsc#1250620</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1253913">bsc#1253913</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1256496">bsc#1256496</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1256562">bsc#1256562</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1257080">bsc#1257080</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1257085">bsc#1257085</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1257139">bsc#1257139</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1258542">bsc#1258542</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1258612">bsc#1258612</a>
</li>
<li style="display: inline;">
<a href="https://jira.suse.com/browse/SLE-23879">jsc#SLE-23879</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>
Cross-References:
</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2025-11065.html">CVE-2025-11065</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2025-58181.html">CVE-2025-58181</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2026-22703.html">CVE-2026-22703</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2026-22772.html">CVE-2026-22772</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2026-23991.html">CVE-2026-23991</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2026-23992.html">CVE-2026-23992</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2026-24122.html">CVE-2026-24122</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2026-24137.html">CVE-2026-24137</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2026-26958.html">CVE-2026-26958</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>CVSS scores:</th>
<td>
<ul class="list-group">
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-11065</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">5.7</span>
<span class="cvss-vector">CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-11065</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">4.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-11065</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">5.3</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-58181</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">6.9</span>
<span class="cvss-vector">CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-58181</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">5.3</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-58181</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">5.3</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-22703</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">5.5</span>
<span class="cvss-vector">CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-22703</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">5.5</span>
<span class="cvss-vector">CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-22703</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">5.5</span>
<span class="cvss-vector">CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-22772</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">6.9</span>
<span class="cvss-vector">CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-22772</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">5.8</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-22772</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">5.8</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-23991</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">6.0</span>
<span class="cvss-vector">CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-23991</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">5.3</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-23991</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">5.9</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-23991</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-23992</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">6.0</span>
<span class="cvss-vector">CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-23992</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">5.3</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-23992</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">5.9</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-23992</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-24122</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">6.3</span>
<span class="cvss-vector">CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-24122</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">3.7</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-24122</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">3.7</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-24137</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">6.0</span>
<span class="cvss-vector">CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-24137</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">5.3</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-24137</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">5.8</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-26958</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">8.3</span>
<span class="cvss-vector">CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-26958</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">6.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-26958</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">1.7</span>
<span class="cvss-vector">CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X</span>
</li>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">Basesystem Module 15-SP7</li>
<li class="list-group-item">openSUSE Leap 15.4</li>
<li class="list-group-item">openSUSE Leap 15.6</li>
<li class="list-group-item">SUSE Linux Enterprise Desktop 15 SP7</li>
<li class="list-group-item">SUSE Linux Enterprise Real Time 15 SP7</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP7</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 15 SP7</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that solves nine vulnerabilities and contains one feature can now be installed.</p>
<h2>Description:</h2>
<p>This update for cosign fixes the following issues:</p>
<p>Update to version 3.0.5 (jsc#SLE-23879).</p>
<p>Security issues fixed: </p>
<ul>
<li>CVE-2025-11065: github.com/go-viper/mapstructure/v2: sensitive information leak in logs (bsc#1250620).</li>
<li>CVE-2025-58181: golang.org/x/crypto/ssh: unvalidated number of mechanisms can cause unbounded memory consumption
(bsc#1253913).</li>
<li>CVE-2026-22703: Verification accepts any valid Rekor entry under certain conditions (bsc#1256496).</li>
<li>CVE-2026-22772: github.com/sigstore/fulcio: MetaIssuer URL validation bypass can trigger SSRF to arbitrary
internal services (bsc#1256562).</li>
<li>CVE-2026-23991: github.com/theupdateframework/go-tuf/v2: denial of service due to invalid TUF metadata JSON returned
by TUF repository (bsc#1257080).</li>
<li>CVE-2026-23992: github.com/theupdateframework/go-tuf/v2: unauthorized modification to TUF metadata files due to a
compromised or misconfigured TUF repository (bsc#1257085).</li>
<li>CVE-2026-24122: improper validation of certificates that outlive expired CA certificates (bsc#1258542).</li>
<li>CVE-2026-24137: github.com/sigstore/sigstore/pkg/tuf: legacy TUF client allows for arbitrary file writes with target
cache path traversal (bsc#1257139).</li>
<li>CVE-2026-26958: filippo.io/edwards25519: failure to initialize receiver in MultiScalarMult can produce invalid results
and lead to undefined behavior (bsc#1258612).</li>
</ul>
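<p>Other updates and bugfixes (this list spans several upstream releases, 2.6.0 through 3.0.5, and includes behaviour changes such as the new protobuf bundle format becoming the default and the deprecation or removal of some flags and subcommands, so signing and verification scripts should be re-tested after updating):</p>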
<ul>
<li>chore(deps): bump google.golang.org/api from 0.260.0 to 0.264.0 (#4679)</li>
<li>chore(deps): bump github.com/sigstore/rekor-tiles/v2 from 2.0.1 to 2.1.0 (#4670)</li>
<li>chore(deps): bump filippo.io/edwards25519 from 1.1.0 to 1.1.1 (#4712)</li>
<li>chore(deps): bump gitlab.com/gitlab-org/api/client-go (#4680)</li>
<li>chore(deps): bump the gomod group across 1 directory with 4 updates (#4702)</li>
<li>chore(deps): bump the actions group with 3 updates (#4703)</li>
<li>update golang builder to use go1.25.7 (#4687)</li>
<li>update golangci-lint to v2.8.x (#4688)</li>
<li>Support DSSE signing conformance test (#4685)</li>
<li>chore(deps): bump the actions group across 1 directory with 8 updates (#4689)</li>
<li>Deprecate rekor-entry-type flag (#4691)</li>
<li>Deprecate cosign triangulate (#4676)</li>
<li>Deprecate cosign copy (#4681)</li>
<li>Enforce TSA requirement for Rekor v2, Fulcio signing (#4683)</li>
<li>chore(deps): bump github.com/theupdateframework/go-tuf/v2 (#4668)</li>
<li>chore(deps): bump golang from 1.25.5 to 1.25.6 in the all group (#4673)</li>
<li>Automatically require signed timestamp with Rekor v2 entries (#4666)</li>
<li>Fix syntax issue in conformance test, update nightly (#4664)</li>
<li>Add mTLS support for TSA client connections when signing with a signing config (#4620)</li>
<li>fix: avoid panic on malformed tlog entry body (#4652)</li>
<li>Verify validity of chain rather than just certificate (#4663)</li>
<li>Allow --local-image with --new-bundle-format for v2 and v3 signatures (#4626)</li>
<li>chore(deps): bump the gomod group across 1 directory with 3 updates (#4662)</li>
<li>Bump sigstore/sigstore to resolve GHSA (#4660)</li>
<li>Gracefully fail if bundle payload body is not a string (#4648)</li>
<li>fix: avoid panic on malformed replace payload (#4653)</li>
<li>chore(deps): bump github.com/sigstore/rekor from 1.4.3 to 1.5.0 (#4659)</li>
<li>fix: avoid panic on malformed attestation payload (#4651)</li>
<li>fix: avoid panic on malformed tlog entries (#4649)</li>
<li>Update conformance to latest</li>
<li>docs(cosign): clarify RFC3161 revocation semantics (#4642)</li>
<li>Add empty predicate to cosign sign when payload type is application/vnd.in-toto+json (#4635)</li>
<li>chore(deps): bump github.com/sigstore/fulcio from 1.8.4 to 1.8.5 (#4637)</li>
<li>Add origin key for ctfe trusted root</li>
<li>
<p>Add changelog updates for v3.0.4 and v2.6.2 (#4625)</p>
</li>
<li>
<p>Update to version 3.0.4:</p>
</li>
<li>
<p>Fix bundle verify path for old bundle/trusted root (#4623)</p>
</li>
<li>chore(deps): bump gitlab.com/gitlab-org/api/client-go (#4616)</li>
<li>chore(deps): bump cuelang.org/go in the gomod group (#4615)</li>
<li>Optimize cosign tree performance by caching digest resolution (#4612)</li>
<li>Don't require a trusted root to verify offline with a key (#4613)</li>
<li>Support default services for trusted-root and signing-config creation (#4592)</li>
<li>chore(deps): bump gitlab.com/gitlab-org/api/client-go (#4602)</li>
<li>chore(deps): bump github.com/sigstore/sigstore-go (#4578)</li>
<li>chore(deps): bump github.com/buildkite/agent/v3 from 3.114.1 to 3.115.2 (#4601)</li>
<li>chore(deps): bump google.golang.org/api from 0.257.0 to 0.258.0 (#4611)</li>
<li>chore(deps): bump k8s.io/client-go from 0.34.3 to 0.35.0 (#4604)</li>
<li>chore(deps): bump actions/upload-artifact from 5.0.0 to 6.0.0 (#4588)</li>
<li>chore(deps): bump golang.org/x/oauth2 from 0.33.0 to 0.34.0 (#4586)</li>
<li>chore(deps): bump the gomod group with 5 updates (#4599)</li>
<li>chore(deps): bump github.com/open-policy-agent/opa from 1.10.1 to 1.12.1 (#4600)</li>
<li>chore(deps): bump golang.org/x/term from 0.37.0 to 0.38.0 (#4584)</li>
<li>chore(deps): bump the actions group with 3 updates (#4587)</li>
<li>chore(deps): bump actions/cache from 4.3.0 to 5.0.1 (#4589)</li>
<li>
<p>chore(deps): bump the gomod group with 9 updates (#4577)</p>
</li>
<li>
<p>Update to version 3.0.3:</p>
</li>
<li>
<p>4554: Closes 4554 - Add warning when --output* is used (#4556)</p>
</li>
<li>chore(deps): bump golangci/golangci-lint-action from 8.0.0 to 9.1.0 (#4545)</li>
<li>chore(deps): bump github.com/buildkite/agent/v3 from 3.111.0 to 3.113.0 (#4542)</li>
<li>chore(deps): bump github.com/awslabs/amazon-ecr-credential-helper/ecr-login (#4543)</li>
<li>chore(deps): bump actions/checkout from 5.0.0 to 6.0.0 (#4546)</li>
<li>chore(deps): bump the actions group with 4 updates (#4544)</li>
<li>chore(deps): bump the gomod group across 1 directory with 5 updates (#4567)</li>
<li>chore(deps): bump golang from 1.25.4 to 1.25.5 in the all group (#4568)</li>
<li>update builder to use go1.25.5 (#4566)</li>
<li>Protobuf bundle support for subcommand <code>clean</code> (#4539)</li>
<li>Add staging flag to initialize with staging TUF metadata</li>
<li>update slack invite link (#4560)</li>
<li>Updating sign-blob to also support signing with a certificate (#4547)</li>
<li>Bump sigstore library dependencies (#4532)</li>
<li>Protobuf bundle support for subcommands <code>save</code> and <code>load</code> (#4538)</li>
<li>Fix cert attachment for new bundle with signing config</li>
<li>Fix OCI verification with local cert - old bundle</li>
<li>chore(deps): bump github.com/sigstore/fulcio from 1.7.1 to 1.8.1 (#4519)</li>
<li>chore(deps): bump golang.org/x/crypto in /test/fakeoidc (#4535)</li>
<li>chore(deps): bump golang.org/x/crypto from 0.43.0 to 0.45.0 (#4536)</li>
<li>update go builder and cosign (#4529)</li>
<li>chore(deps): bump the gomod group across 1 directory with 7 updates (#4528)</li>
<li>chore(deps): bump sigstore/cosign-installer from 3.10.0 to 4.0.0 (#4478)</li>
<li>chore(deps): bump gitlab.com/gitlab-org/api/client-go (#4520)</li>
<li>chore(deps): bump golang from 1.25.3 to 1.25.4 in the all group (#4515)</li>
<li>chore(deps): bump golang.org/x/oauth2 from 0.32.0 to 0.33.0 (#4518)</li>
<li>chore(deps): bump cuelang.org/go from 0.14.2 to 0.15.0 (#4524)</li>
<li>chore(deps): bump github.com/open-policy-agent/opa from 1.9.0 to 1.10.1 (#4521)</li>
<li>chore(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 (#4502)</li>
<li>chore(deps): bump the actions group across 1 directory with 2 updates (#4516)</li>
<li>chore(deps): bump github.com/buildkite/agent/v3 from 3.110.0 to 3.111.0 (#4523)</li>
<li>chore(deps): bump github.com/theupdateframework/go-tuf/v2 (#4522)</li>
<li>Deprecate tlog-upload flag (#4458)</li>
<li>fix: Use signal context for <code>sign</code> cli package.</li>
<li>update offline verification directions (#4526)</li>
<li>Fix signing/verifying annotations for new bundle</li>
<li>Add support to download and attach for protobuf bundles (#4477)</li>
<li>Add --signing-algorithm flag (#3497)</li>
<li>Refactor signcommon bundle helpers</li>
<li>Add --bundle and fix --upload for new bundle</li>
<li>Pass insecure registry flags through to referrers</li>
<li>chore(deps): bump github.com/buildkite/agent/v3 from 3.108.0 to 3.109.1 (#4483)</li>
<li>Add protobuf bundle support for tree subcommand (#4491)</li>
<li>Remove stale embed import (#4492)</li>
<li>Support multiple container identities</li>
<li>chore(deps): bump gitlab.com/gitlab-org/api/client-go (#4484)</li>
<li>chore(deps): bump chainguard-dev/actions in the actions group (#4480)</li>
<li>chore(deps): bump github.com/sigstore/rekor-tiles/v2 (#4485)</li>
<li>chore(deps): bump golang.org/x/crypto from 0.42.0 to 0.43.0 (#4486)</li>
<li>chore(deps): bump cuelang.org/go in the gomod group (#4479)</li>
<li>upgrade OSS-Fuzz build tooling (#4487)</li>
<li>Fix segfault when no attestations are found (#4472)</li>
<li>Use overridden repository for new bundle format (#4473)</li>
<li>update go to 1.25.3 (#4471)</li>
<li>Remove --out flag from <code>cosign initialize</code> (#4462)</li>
<li>chore(deps): bump the actions group with 2 updates (#4460)</li>
<li>Deprecate offline flag (#4457)</li>
<li>Deduplicate code in sign/attest* and verify* commands (#4449)</li>
<li>Cache signing config when calling initialize (#4456)</li>
<li>Update changelog for v3.0.2 (#4455)</li>
<li>chore(deps): bump google.golang.org/api from 0.250.0 to 0.251.0</li>
<li>chore(deps): bump gitlab.com/gitlab-org/api/client-go</li>
<li>chore(deps): bump the actions group with 3 updates</li>
<li>chore(deps): bump github.com/buildkite/agent/v3 from 3.107.2 to 3.108.0</li>
<li>choose different signature filename for KMS-signed release signatures (#4448)</li>
<li>chore(deps): bump github.com/go-jose/go-jose/v4 (#4451)</li>
<li>Update rekor-tiles version path</li>
<li>update CL for v3.0.1 release (#4447)</li>
<li>update goreleaser config for v3.0.0 release (#4446)</li>
<li>Create changelog for v3.0.0 (#4440)</li>
<li>Fetch service URLs from the TUF PGI signing config by default (#4428)</li>
<li>Create changelog for v2.6.1 (#4439)</li>
<li>chore(deps): bump google.golang.org/api from 0.249.0 to 0.250.0 (#4432)</li>
<li>chore(deps): bump the gomod group with 2 updates (#4429)</li>
<li>chore(deps): bump github.com/open-policy-agent/opa from 1.8.0 to 1.9.0 (#4433)</li>
<li>chore(deps): bump the actions group with 3 updates (#4434)</li>
<li>chore(deps): bump github.com/go-openapi/swag from 0.24.1 to 0.25.1 (#4435)</li>
<li>chore(deps): bump gitlab.com/gitlab-org/api/client-go (#4436)</li>
<li>chore(deps): bump github.com/go-openapi/runtime from 0.28.0 to 0.29.0 (#4437)</li>
<li>Bump module version to v3 for Cosign v3.0 (#4427)</li>
<li>Move sigstore-conformance back to tagged release (#4425)</li>
<li>Bump sigstore-go to v1.1.3 (#4423)</li>
<li>Partially populate the output of cosign verify when working with new bundles (#4416)</li>
<li>chore(deps): bump gitlab.com/gitlab-org/api/client-go (#4419)</li>
<li>chore(deps): bump github.com/theupdateframework/go-tuf/v2 (#4418)</li>
<li>chore(deps): bump github.com/buildkite/agent/v3 from 3.105.0 to 3.107.0 (#4420)</li>
<li>chore(deps): bump chainguard-dev/actions in the actions group (#4421)</li>
<li>bump go builder to use 1.25.1 and cosign (#4417)</li>
<li>Bump sigstore-go for more precise user agents (#4413)</li>
<li>chore(deps): bump github.com/spf13/viper from 1.20.1 to 1.21.0 (#4408)</li>
<li>chore(deps): bump the actions group with 2 updates (#4407)</li>
<li>chore(deps): bump gitlab.com/gitlab-org/api/client-go (#4410)</li>
<li>chore(deps): bump github.com/buildkite/agent/v3 from 3.104.0 to 3.105.0 (#4411)</li>
<li>
<p>Default to using the new protobuf format (#4318)</p>
</li>
<li>
<p>Update to version 2.6.0:</p>
</li>
<li>
<p>Require exclusively a SigningConfig or service URLs when signing (#4403)</p>
</li>
<li>Add a terminal spinner while signing with sigstore-go (#4402)</li>
<li>Bump sigstore-go, support alternative hash algorithms with keys (#4386)</li>
<li>Add support for SigningConfig in sign/attest (#4371)</li>
<li>Support self-managed keys when signing with sigstore-go (#4368)</li>
<li>Remove SHA256 assumption in sign-blob/verify-blob (#4050)</li>
<li>introduce dockerfile to pin the go version to decouple go version from go.mod (#4369)</li>
<li>refactor: extract function to write referrer attestations (#4357)</li>
<li>Break import cycle with e2e build tag (#4370)</li>
<li>Update conformance test binary for signing config (#4367)</li>
<li>update builder image to use go1.25 (#4366)</li>
<li>Don't load content from TUF if trusted root path is specified (#4347)</li>
<li>Don't require timestamps when verifying with a key (#4337)</li>
<li>Fixes to cosign sign / verify for the new bundle format (#4346)</li>
<li>update builder to use go1.24.6 (#4334)</li>
<li>bump golangci-lint to v2.3.x (#4333)</li>
<li>Have cosign sign support bundle format (#4316)</li>
<li>Add support for SigningConfig for sign-blob/attest-blob, support Rekor v2 (#4319)</li>
<li>Verify subject with bundle only when checking claims (#4320)</li>
<li>Add to <code>attest-blob</code> the ability to supply a complete in-toto statement, and add to <code>verify-blob-attestation</code> the
ability to verify with just a digest (#4306)</li>
</ul>
<h2>Patch Instructions:</h2>
<p>
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".<br/>
Alternatively you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
Basesystem Module 15-SP7
<br/>
<code>zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP7-2026-777=1</code>
</li>
<li class="list-group-item">
openSUSE Leap 15.4
<br/>
<code>zypper in -t patch SUSE-2026-777=1</code>
</li>
<li class="list-group-item">
openSUSE Leap 15.6
<br/>
<code>zypper in -t patch openSUSE-SLE-15.6-2026-777=1</code>
</li>
</ul>
<h2>Package List:</h2>
<ul>
<li>
Basesystem Module 15-SP7 (aarch64 ppc64le s390x x86_64)
<ul>
<li>cosign-3.0.5-150400.3.35.1</li>
<li>cosign-debuginfo-3.0.5-150400.3.35.1</li>
</ul>
</li>
<li>
Basesystem Module 15-SP7 (noarch)
<ul>
<li>cosign-zsh-completion-3.0.5-150400.3.35.1</li>
<li>cosign-bash-completion-3.0.5-150400.3.35.1</li>
</ul>
</li>
<li>
openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64 i586)
<ul>
<li>cosign-3.0.5-150400.3.35.1</li>
<li>cosign-debuginfo-3.0.5-150400.3.35.1</li>
</ul>
</li>
<li>
openSUSE Leap 15.4 (noarch)
<ul>
<li>cosign-zsh-completion-3.0.5-150400.3.35.1</li>
<li>cosign-bash-completion-3.0.5-150400.3.35.1</li>
<li>cosign-fish-completion-3.0.5-150400.3.35.1</li>
</ul>
</li>
<li>
openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64)
<ul>
<li>cosign-3.0.5-150400.3.35.1</li>
<li>cosign-debuginfo-3.0.5-150400.3.35.1</li>
</ul>
</li>
</ul>
<h2>References:</h2>
<ul>
<li>
<a href="https://www.suse.com/security/cve/CVE-2025-11065.html">https://www.suse.com/security/cve/CVE-2025-11065.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2025-58181.html">https://www.suse.com/security/cve/CVE-2025-58181.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2026-22703.html">https://www.suse.com/security/cve/CVE-2026-22703.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2026-22772.html">https://www.suse.com/security/cve/CVE-2026-22772.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2026-23991.html">https://www.suse.com/security/cve/CVE-2026-23991.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2026-23992.html">https://www.suse.com/security/cve/CVE-2026-23992.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2026-24122.html">https://www.suse.com/security/cve/CVE-2026-24122.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2026-24137.html">https://www.suse.com/security/cve/CVE-2026-24137.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2026-26958.html">https://www.suse.com/security/cve/CVE-2026-26958.html</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1250620">https://bugzilla.suse.com/show_bug.cgi?id=1250620</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1253913">https://bugzilla.suse.com/show_bug.cgi?id=1253913</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1256496">https://bugzilla.suse.com/show_bug.cgi?id=1256496</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1256562">https://bugzilla.suse.com/show_bug.cgi?id=1256562</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1257080">https://bugzilla.suse.com/show_bug.cgi?id=1257080</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1257085">https://bugzilla.suse.com/show_bug.cgi?id=1257085</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1257139">https://bugzilla.suse.com/show_bug.cgi?id=1257139</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1258542">https://bugzilla.suse.com/show_bug.cgi?id=1258542</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1258612">https://bugzilla.suse.com/show_bug.cgi?id=1258612</a>
</li>
<li>
<a href="https://jira.suse.com/browse/SLE-23879">https://jira.suse.com/browse/SLE-23879</a>
</li>
</ul>
</div>