SUSE:SLE-15-SP4:Update
patchinfo.32493
_patchinfo
File _patchinfo of Package patchinfo.32493
<patchinfo incident="32493">
  <issue tracker="jsc" id="SLE-23879"/>
  <issue tracker="cve" id="2023-48795"/>
  <issue tracker="bnc" id="1218207">VUL-0: CVE-2023-48795: cosign: golang.org/x/crypto/ssh: prefix truncation breaking ssh channel integrity</issue>
  <packager>msmeissn</packager>
  <rating>moderate</rating>
  <category>security</category>
  <summary>Security update for cosign</summary>
  <description>This update for cosign fixes the following issues:

Updated to 2.2.3 (jsc#SLE-23879):

Bug Fixes:
* Fix race condition on verification with multiple signatures attached to image (#3486)
* fix(clean): Fix clean cmd for private registries (#3446)
* Fixed BYO PKI verification (#3427)

Features:
* Allow for option in cosign attest and attest-blob to upload attestation as supported in Rekor (#3466)
* Add support for OpenVEX predicate type (#3405)

Documentation:
* Resolves #3088: `version` sub-command expected behaviour documentation and testing (#3447)
* add examples for cosign attach signature cmd (#3468)

Misc:
* Remove CertSubject function (#3467)
* Use local rekor and fulcio instances in e2e tests (#3478)

- bumped embedded golang.org/x/crypto/ssh to fix the Terrapin attack CVE-2023-48795 (bsc#1218207)

Updated to 2.2.2 (jsc#SLE-23879):

v2.2.2 adds a new container with a shell, gcr.io/projectsigstore/cosign:vx.y.z-dev, in addition to the existing container gcr.io/projectsigstore/cosign:vx.y.z without a shell.
For private deployments, we have also added an alias for --insecure-skip-log, --private-infrastructure.

Bug Fixes:
* chore(deps): bump github.com/sigstore/sigstore from 1.7.5 to 1.7.6 (#3411) which fixes a bug with using Azure KMS
* Don't require CT log keys if using a key/sk (#3415)
* Fix copy without any flag set (#3409)
* Update cosign generate cmd to not include newline (#3393)
* Fix idempotency error with signing (#3371)

Features:
* Add --yes flag cosign import-key-pair to skip the overwrite confirmation. (#3383)
* Use the timeout flag value in verify* commands. (#3391)
* add --private-infrastructure flag (#3369)

Container Updates:
* Bump builder image to use go1.21.4 and add new cosign image tags with shell (#3373)

Documentation:
* Update SBOM_SPEC.md (#3358)

- CVE-2023-48795: Fixed the Terrapin attack in embedded golang.org/x/crypto/ssh (bsc#1218207).
  </description>
</patchinfo>