SUSE-SU-2024:0430-1: moderate: Security update for cosign

SLE-UPDATES null at suse.de
Thu Feb 8 16:30:22 UTC 2024



# Security update for cosign

Announcement ID: SUSE-SU-2024:0430-1  
Rating: moderate  
References:

  * bsc#1218207
  * jsc#SLE-23879

  
Cross-References:

  * CVE-2023-48795

  
CVSS scores:

  * CVE-2023-48795 ( SUSE ):  5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
  * CVE-2023-48795 ( NVD ):  5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

  
Affected Products:

  * Basesystem Module 15-SP5
  * openSUSE Leap 15.4
  * openSUSE Leap 15.5
  * SUSE Linux Enterprise Desktop 15 SP5
  * SUSE Linux Enterprise High Performance Computing 15 SP5
  * SUSE Linux Enterprise Real Time 15 SP5
  * SUSE Linux Enterprise Server 15 SP5
  * SUSE Linux Enterprise Server for SAP Applications 15 SP5

  
  
An update that solves one vulnerability and contains one feature can now be
installed.

## Description:

This update for cosign fixes the following issues:

Updated to 2.2.3 (jsc#SLE-23879):

Bug Fixes:

  * Fix race condition on verification with multiple signatures attached to
    image (#3486)
  * fix(clean): Fix clean cmd for private registries (#3446)
  * Fixed BYO PKI verification (#3427)

Features:

  * Allow for option in cosign attest and attest-blob to upload attestation as
    supported in Rekor (#3466)
  * Add support for OpenVEX predicate type (#3405)

Documentation:

  * Resolves #3088: `version` sub-command expected behaviour documentation and
    testing (#3447)
  * add examples for cosign attach signature cmd (#3468)

Misc:

  * Remove CertSubject function (#3467)
  * Use local rekor and fulcio instances in e2e tests (#3478)

  * bumped embedded golang.org/x/crypto/ssh to fix the Terrapin attack
    CVE-2023-48795 (bsc#1218207)

Updated to 2.2.2 (jsc#SLE-23879):

v2.2.2 adds a new container with a shell,
gcr.io/projectsigstore/cosign:vx.y.z-dev, in addition to the existing container
gcr.io/projectsigstore/cosign:vx.y.z without a shell.

For private deployments, we have also added an alias for \--insecure-skip-log,
--private-infrastructure.

Bug Fixes:

  * chore(deps): bump github.com/sigstore/sigstore from 1.7.5 to 1.7.6 (#3411)
    which fixes a bug with using Azure KMS
  * Don't require CT log keys if using a key/sk (#3415)
  * Fix copy without any flag set (#3409)
  * Update cosign generate cmd to not include newline (#3393)
  * Fix idempotency error with signing (#3371)

Features:

  * Add --yes flag cosign import-key-pair to skip the overwrite confirmation.
    (#3383)
  * Use the timeout flag value in verify* commands. (#3391)
  * add --private-infrastructure flag (#3369)

Container Updates:

  * Bump builder image to use go1.21.4 and add new cosign image tags with shell
    (#3373)

Documentation:

  * Update SBOM_SPEC.md (#3358)

  * CVE-2023-48795: Fixed the Terrapin attack in embedded
    golang.org/x/crypto/ssh (bsc#1218207).

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".  
Alternatively you can run the command listed for your product:

  * Basesystem Module 15-SP5  
    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP5-2024-430=1

  * openSUSE Leap 15.4  
    zypper in -t patch SUSE-2024-430=1

  * openSUSE Leap 15.5  
    zypper in -t patch openSUSE-SLE-15.5-2024-430=1

## Package List:

  * Basesystem Module 15-SP5 (aarch64 ppc64le s390x x86_64)
    * cosign-2.2.3-150400.3.17.1
  * openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64 i586)
    * cosign-debuginfo-2.2.3-150400.3.17.1
    * cosign-2.2.3-150400.3.17.1
  * openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
    * cosign-2.2.3-150400.3.17.1

## References:

  * https://www.suse.com/security/cve/CVE-2023-48795.html
  * https://bugzilla.suse.com/show_bug.cgi?id=1218207
  * https://jira.suse.com/browse/SLE-23879

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-updates/attachments/20240208/5199aa4c/attachment.htm>


More information about the sle-updates mailing list