SUSE-SU-2024:0430-1: moderate: Security update for cosign
SLE-UPDATES
null at suse.de
Thu Feb 8 16:30:22 UTC 2024
# Security update for cosign
Announcement ID: SUSE-SU-2024:0430-1
Rating: moderate
References:
* bsc#1218207
* jsc#SLE-23879
Cross-References:
* CVE-2023-48795
CVSS scores:
* CVE-2023-48795 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
* CVE-2023-48795 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Affected Products:
* Basesystem Module 15-SP5
* openSUSE Leap 15.4
* openSUSE Leap 15.5
* SUSE Linux Enterprise Desktop 15 SP5
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise Real Time 15 SP5
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server for SAP Applications 15 SP5
An update that solves one vulnerability and contains one feature can now be
installed.
## Description:
This update for cosign fixes the following issues:
Updated to 2.2.3 (jsc#SLE-23879):
Bug Fixes:
* Fix race condition on verification with multiple signatures attached to
image (#3486)
* fix(clean): Fix clean cmd for private registries (#3446)
* Fixed BYO PKI verification (#3427)
Features:
* Allow for option in cosign attest and attest-blob to upload attestation as
supported in Rekor (#3466)
* Add support for OpenVEX predicate type (#3405)
Documentation:
* Resolves #3088: `version` sub-command expected behaviour documentation and
testing (#3447)
* add examples for cosign attach signature cmd (#3468)
Misc:
* Remove CertSubject function (#3467)
* Use local rekor and fulcio instances in e2e tests (#3478)
* bumped embedded golang.org/x/crypto/ssh to fix the Terrapin attack
CVE-2023-48795 (bsc#1218207)
Updated to 2.2.2 (jsc#SLE-23879):
v2.2.2 adds a new container with a shell,
gcr.io/projectsigstore/cosign:vx.y.z-dev, in addition to the existing container
gcr.io/projectsigstore/cosign:vx.y.z without a shell.
For private deployments, we have also added an alias for \--insecure-skip-log,
--private-infrastructure.
Bug Fixes:
* chore(deps): bump github.com/sigstore/sigstore from 1.7.5 to 1.7.6 (#3411)
which fixes a bug with using Azure KMS
* Don't require CT log keys if using a key/sk (#3415)
* Fix copy without any flag set (#3409)
* Update cosign generate cmd to not include newline (#3393)
* Fix idempotency error with signing (#3371)
Features:
* Add --yes flag cosign import-key-pair to skip the overwrite confirmation.
(#3383)
* Use the timeout flag value in verify* commands. (#3391)
* add --private-infrastructure flag (#3369)
Container Updates:
* Bump builder image to use go1.21.4 and add new cosign image tags with shell
(#3373)
Documentation:
* Update SBOM_SPEC.md (#3358)
* CVE-2023-48795: Fixed the Terrapin attack in embedded
golang.org/x/crypto/ssh (bsc#1218207).
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* Basesystem Module 15-SP5
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP5-2024-430=1
* openSUSE Leap 15.4
zypper in -t patch SUSE-2024-430=1
* openSUSE Leap 15.5
zypper in -t patch openSUSE-SLE-15.5-2024-430=1
## Package List:
* Basesystem Module 15-SP5 (aarch64 ppc64le s390x x86_64)
* cosign-2.2.3-150400.3.17.1
* openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64 i586)
* cosign-debuginfo-2.2.3-150400.3.17.1
* cosign-2.2.3-150400.3.17.1
* openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
* cosign-2.2.3-150400.3.17.1
## References:
* https://www.suse.com/security/cve/CVE-2023-48795.html
* https://bugzilla.suse.com/show_bug.cgi?id=1218207
* https://jira.suse.com/browse/SLE-23879
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-updates/attachments/20240208/5199aa4c/attachment.htm>
More information about the sle-updates
mailing list