<div class="container">
<h1>Security update for cosign</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-SU-2023:4870-1</td>
</tr>
<tr>
<th>Rating:</th>
<td>moderate</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1216933">bsc#1216933</a>
</li>
<li style="display: inline;">
<a href="https://jira.suse.com/browse/SLE-23879">jsc#SLE-23879</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>
Cross-References:
</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2023-46737.html">CVE-2023-46737</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>CVSS scores:</th>
<td>
<ul class="list-group">
<li class="list-group-item">
<span class="cvss-reference">CVE-2023-46737</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">3.1</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2023-46737</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">5.3</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L</span>
</li>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">Basesystem Module 15-SP4</li>
<li class="list-group-item">Basesystem Module 15-SP5</li>
<li class="list-group-item">openSUSE Leap 15.4</li>
<li class="list-group-item">openSUSE Leap 15.5</li>
<li class="list-group-item">SUSE Linux Enterprise Desktop 15 SP4</li>
<li class="list-group-item">SUSE Linux Enterprise Desktop 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing 15 SP4</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Real Time 15 SP4</li>
<li class="list-group-item">SUSE Linux Enterprise Real Time 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP4</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 15 SP4</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 15 SP5</li>
<li class="list-group-item">SUSE Manager Proxy 4.3</li>
<li class="list-group-item">SUSE Manager Retail Branch Server 4.3</li>
<li class="list-group-item">SUSE Manager Server 4.3</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that solves one vulnerability and contains one feature can now be installed.</p>
<h2>Description:</h2>
<p>This update for cosign fixes the following issues:</p>
<p>Updated to 2.2.1 (jsc#SLE-23879)</p>
<ul>
<li>Enhancements:</li>
<li>CVE-2023-46737: Possible endless data attack from attacker-controlled registry (bsc#1216933)</li>
<li>feat: Support basic auth and bearer auth login to registry (#3310)</li>
<li>add support for ignoring certificates with pkcs11 (#3334)</li>
<li>Support ReplaceOp in Signatures (#3315)</li>
<li>feat: added ability to get image digest back via triangulate (#3255)</li>
<li>feat: add <code>--only</code> flag in <code>cosign copy</code> to copy sign, att & sbom (#3247)</li>
<li>feat: add support attaching a Rekor bundle to a container (#3246)</li>
<li>feat: add support outputting rekor response on signing (#3248)</li>
<li>feat: improve dockerfile verify subcommand (#3264)</li>
<li>Add guard flag for experimental OCI 1.1 verify. (#3272)</li>
<li>Deprecate SBOM attachments (#3256)</li>
<li>feat: dedent line in cosign copy doc (#3244)</li>
<li>feat: add platform flag to cosign copy command (#3234)</li>
<li>Add SLSA 1.0 attestation support to cosign. Closes #2860 (#3219)</li>
<li>attest: pass OCI remote opts to att resolver. (#3225)</li>
<li>Bug Fixes:</li>
<li>Merge pull request from GHSA-vfp6-jrw2-99g9</li>
<li>fix: allow cosign download sbom when image is absent (#3245)</li>
<li>ci: add a OCI registry test for referrers support (#3253)</li>
<li>Fix ReplaceSignatures (#3292)</li>
<li>Stop using deprecated in_toto.ProvenanceStatement (#3243)</li>
<li>Fixes #3236, disable SCT checking for a cosign verification when using .. (#3237)</li>
<li>fix: update error in <code>SignedEntity</code> to be more descriptive (#3233)</li>
<li>Fail timestamp verification if no root is provided (#3224)</li>
<li>Documentation:</li>
<li>Add some docs about verifying in an air-gapped environment (#3321)</li>
<li>Update CONTRIBUTING.md (#3268)</li>
<li>docs: improves the Contribution guidelines (#3257)</li>
<li>Remove security policy (#3230)</li>
<li>Others:</li>
<li>Set go to min 1.21 and update dependencies (#3327)</li>
<li>Update contact for code of conduct (#3266)</li>
<li>Update .ko.yaml (#3240)</li>
</ul>
<p>Updated to 2.2.0 (jsc#SLE-23879)</p>
<ul>
<li>Enhancements</li>
<li>switch to uploading DSSE types to rekor instead of intoto (#3113)</li>
<li>add 'cosign sign' command-line parameters for mTLS (#3052)</li>
<li>improve error messages around bundle != payload hash (#3146)</li>
<li>make VerifyImageAttestation function public (#3156)</li>
<li>Switch to cryptoutils function for SANS (#3185)</li>
<li>Handle HTTP_1_1_REQUIRED errors in github provider (#3172)</li>
<li>Bug Fixes</li>
<li>Fix nondeterminsitic timestamps (#3121)</li>
<li>Documentation</li>
<li>doc: Add example of sign-blob with key in env var (#3152)</li>
<li>add deprecation notice for cosign-releases GCS bucket (#3148)</li>
<li>update doc links (#3186)</li>
</ul>
<p>Updated to 2.1.1 (jsc#SLE-23879)</p>
<ul>
<li>Bug Fixes</li>
<li>wait for the workers become available again to continue the execution (#3084)</li>
<li>fix help text when in a container (#3082)</li>
</ul>
<p>Updated to 2.1.0 (jsc#SLE-23879)</p>
<ul>
<li>Breaking Change: The predicate is now a required flag in the attest commands, set via the --type flag.</li>
<li>Enhancements</li>
<li>Verify sigs and attestations in parallel (#3066)</li>
<li>Deep inspect attestations when filtering download (#3031)</li>
<li>refactor bundle validation code, add support for DSSE rekor type (#3016)</li>
<li>Allow overriding remote options (#3049)</li>
<li>feat: adds no cert found on sig exit code (#3038)</li>
<li>Make predicate a required flag in attest commands (#3033)</li>
<li>Added support for attaching Time stamp authority Response in attach command (#3001)</li>
<li>Add sign --sign-container-identity CLI (#2984)</li>
<li>Feature: Allow cosign to sign digests before they are uploaded. (#2959)</li>
<li>accepts attachment-tag-prefix for cosign copy (#3014)</li>
<li>Feature: adds '--allow-insecure-registry' for cosign load (#3000)</li>
<li>download attestation: support --platform flag (#2980)</li>
<li>Cleanup: Add Digest to the SignedEntity interface. (#2960)</li>
<li>verify command: support keyless verification using only a provided certificate chain with non-fulcio roots (#2845)</li>
<li>verify: use workers to limit the paralellism when verifying images with --max-workers flag (#3069)</li>
<li>Bug Fixes</li>
<li>Fix pkg/cosign/errors (#3050)</li>
<li>Fix: update doc to refer to github-actions oidc provider (#3040)</li>
<li>Fix: prefer GitHub OIDC provider if enabled (#3044)</li>
<li>Fix --sig-only in cosign copy (#3074)</li>
<li>Documentation</li>
<li>Fix links to sigstore/docs in markdown files (#3064)</li>
</ul>
<p>Update to 2.0.2 (jsc#SLE-23879)</p>
<ul>
<li>Enhancements<ul>
<li>Update sigstore/sigstore to v1.6.2 to pick up TUF CDN change (#2891)</li>
<li>feat: Make cosign copy faster (#2901)</li>
<li>remove sget (#2885)</li>
<li>Require a payload to be provided with a signature (#2785)</li>
</ul>
</li>
<li>Bug Fixes<ul>
<li>cmd: Change error message from KeyParseError to PubKeyParseError for verify-blob. (#2876)</li>
<li>Use SOURCE_DATE_EPOCH for OCI CreatedAt times (#2878)</li>
</ul>
</li>
<li>Documentation<ul>
<li>Remove experimental warning from Fulcio flags (#2923)</li>
<li>add missing oidc provider (#2922)</li>
<li>Add zot as a supported registry (#2920)</li>
<li>deprecates kms_support docs (#2900)</li>
<li>chore(docs) deprecate note for usage docs (#2906)</li>
<li>adds note of deprecation for examples.md docs (#2899)</li>
</ul>
</li>
</ul>
<h2>Patch Instructions:</h2>
<p>
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".<br/>
Alternatively you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
openSUSE Leap 15.4
<br/>
<code>zypper in -t patch SUSE-2023-4870=1 openSUSE-SLE-15.4-2023-4870=1</code>
</li>
<li class="list-group-item">
openSUSE Leap 15.5
<br/>
<code>zypper in -t patch openSUSE-SLE-15.5-2023-4870=1</code>
</li>
<li class="list-group-item">
Basesystem Module 15-SP4
<br/>
<code>zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP4-2023-4870=1</code>
</li>
<li class="list-group-item">
Basesystem Module 15-SP5
<br/>
<code>zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP5-2023-4870=1</code>
</li>
</ul>
<h2>Package List:</h2>
<ul>
<li>
openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64 i586)
<ul>
<li>cosign-2.2.1-150400.3.14.1</li>
<li>cosign-debuginfo-2.2.1-150400.3.14.1</li>
</ul>
</li>
<li>
openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
<ul>
<li>cosign-2.2.1-150400.3.14.1</li>
</ul>
</li>
<li>
Basesystem Module 15-SP4 (aarch64 ppc64le s390x x86_64)
<ul>
<li>cosign-2.2.1-150400.3.14.1</li>
</ul>
</li>
<li>
Basesystem Module 15-SP5 (aarch64 ppc64le s390x x86_64)
<ul>
<li>cosign-2.2.1-150400.3.14.1</li>
</ul>
</li>
</ul>
<h2>References:</h2>
<ul>
<li>
<a href="https://www.suse.com/security/cve/CVE-2023-46737.html">https://www.suse.com/security/cve/CVE-2023-46737.html</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1216933">https://bugzilla.suse.com/show_bug.cgi?id=1216933</a>
</li>
<li>
<a href="https://jira.suse.com/browse/SLE-23879">https://jira.suse.com/browse/SLE-23879</a>
</li>
</ul>
</div>