[SUSE-SU-2024:0430-1] Security update for cosign

Severity Moderate

Affected Packages 4

CVEs 1

Security update for cosign

This update for cosign fixes the following issues:

Updated to 2.2.3 (jsc#SLE-23879):

Bug Fixes:

Fix race condition on verification with multiple signatures attached to image (#3486)
fix(clean): Fix clean cmd for private registries (#3446)
Fixed BYO PKI verification (#3427)

Features:

Allow for option in cosign attest and attest-blob to upload attestation as supported in Rekor (#3466)
Add support for OpenVEX predicate type (#3405)

Documentation:

Resolves #3088: version sub-command expected behaviour documentation and testing (#3447)
add examples for cosign attach signature cmd (#3468)

Misc:

Remove CertSubject function (#3467)
Use local rekor and fulcio instances in e2e tests (#3478)
bumped embedded golang.org/x/crypto/ssh to fix the Terrapin attack CVE-2023-48795 (bsc#1218207)

Updated to 2.2.2 (jsc#SLE-23879):

v2.2.2 adds a new container with a shell,
gcr.io/projectsigstore/cosign:vx.y.z-dev, in addition to the existing
container gcr.io/projectsigstore/cosign:vx.y.z without a shell.

For private deployments, we have also added an alias for
--insecure-skip-log, --private-infrastructure.

Bug Fixes:

chore(deps): bump github.com/sigstore/sigstore from 1.7.5 to 1.7.6 (#3411) which fixes a bug with using Azure KMS
Don't require CT log keys if using a key/sk (#3415)
Fix copy without any flag set (#3409)
Update cosign generate cmd to not include newline (#3393)
Fix idempotency error with signing (#3371)

Features:

Add --yes flag cosign import-key-pair to skip the overwrite confirmation. (#3383)
Use the timeout flag value in verify* commands. (#3391)
add --private-infrastructure flag (#3369)

Container Updates:

Bump builder image to use go1.21.4 and add new cosign image tags with shell (#3373)

Documentation:

Update SBOM_SPEC.md (#3358)
CVE-2023-48795: Fixed the Terrapin attack in embedded golang.org/x/crypto/ssh (bsc#1218207).

Package	Affected Version
pkg:rpm/suse/cosign?arch=x86_64&distro=opensuse-leap-15.5	< 2.2.3-150400.3.17.1
pkg:rpm/suse/cosign?arch=s390x&distro=opensuse-leap-15.5	< 2.2.3-150400.3.17.1
pkg:rpm/suse/cosign?arch=ppc64le&distro=opensuse-leap-15.5	< 2.2.3-150400.3.17.1
pkg:rpm/suse/cosign?arch=aarch64&distro=opensuse-leap-15.5	< 2.2.3-150400.3.17.1

ID

SUSE-SU-2024:0430-1

Severity

moderate

URL

https://www.suse.com/support/update/announcement/2024/suse-su-20240430-1/

Published

2024-02-08T14:03:31
(7 months ago)

Modified

2024-02-08T14:03:31
(7 months ago)

Rights

Other Advisories

Source	Name	URL
Suse	SUSE ratings	https://www.suse.com/support/security/rating/
Suse	URL of this CSAF notice	https://ftp.suse.com/pub/projects/security/csaf/suse-su-2024_0430-1.json
Suse	URL for SUSE-SU-2024:0430-1	https://www.suse.com/support/update/announcement/2024/suse-su-20240430-1/
Suse	E-Mail link for SUSE-SU-2024:0430-1	https://lists.suse.com/pipermail/sle-security-updates/2024-February/017891.html
Bugzilla	SUSE Bug 1218207	https://bugzilla.suse.com/1218207
CVE	SUSE CVE CVE-2023-48795 page	https://www.suse.com/security/cve/CVE-2023-48795/

Type	Package URL	Namespace	Name / Product	Version	Distribution / Platform	Arch
Affected	pkg:rpm/suse/cosign?arch=x86_64&distro=opensuse-leap-15.5	suse	cosign	< 2.2.3-150400.3.17.1	opensuse-leap-15.5	x86_64
Affected	pkg:rpm/suse/cosign?arch=s390x&distro=opensuse-leap-15.5	suse	cosign	< 2.2.3-150400.3.17.1	opensuse-leap-15.5	s390x
Affected	pkg:rpm/suse/cosign?arch=ppc64le&distro=opensuse-leap-15.5	suse	cosign	< 2.2.3-150400.3.17.1	opensuse-leap-15.5	ppc64le
Affected	pkg:rpm/suse/cosign?arch=aarch64&distro=opensuse-leap-15.5	suse	cosign	< 2.2.3-150400.3.17.1	opensuse-leap-15.5	aarch64

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date