Описание
Security update for cosign
This update for cosign fixes the following issues:
Update to version 3.0.5:
- CVE-2026-24122: Fixed improper validation of certificates that outlive expired CA certificates (bsc#1258542)
- CVE-2026-26958: Fixed filippo.io/edwards25519: failure to initialize receiver in MultiScalarMult can produce invalid results and lead to undefined behavior (bsc#1258612)
- CVE-2026-24137: Fixed github.com/sigstore/sigstore/pkg/tuf: legacy TUF client allows for arbitrary file writes with target cache path traversal (bsc#1257139)
- CVE-2026-22772: Fixed github.com/sigstore/fulcio: bypass MetaIssuer URL validation bypass can trigger SSRF to arbitrary internal services (bsc#1256562)
- CVE-2026-23991: Fixed github.com/theupdateframework/go-tuf/v2: denial of service due to invalid TUF metadata JSON returned by TUF repository (bsc#1257080)
- CVE-2026-23992: Fixed github.com/theupdateframework/go-tuf/v2: unauthorized modification to TUF metadata files due to a compromised or misconfigured TUF repository (bsc#1257085)
- CVE-2025-11065: Fixed github.com/go-viper/mapstructure/v2: sensitive Information leak in logs (bsc#1250620)
- CVE-2026-22703: Fixed that cosign verification accepts any valid Rekor entry under certain conditions (bsc#1256496)
- CVE-2025-58181: Fixed golang.org/x/crypto/ssh: invalidated number of mechanisms can cause unbounded memory consumption (bsc#1253913)
Список пакетов
openSUSE Leap 16.0
Ссылки
- SUSE Security Ratings
- SUSE Bug 1250620
- SUSE Bug 1253913
- SUSE Bug 1256496
- SUSE Bug 1256562
- SUSE Bug 1257080
- SUSE Bug 1257085
- SUSE Bug 1257139
- SUSE Bug 1258542
- SUSE Bug 1258612
- SUSE CVE CVE-2025-11065 page
- SUSE CVE CVE-2025-58181 page
- SUSE CVE CVE-2026-22703 page
- SUSE CVE CVE-2026-22772 page
- SUSE CVE CVE-2026-23991 page
- SUSE CVE CVE-2026-23992 page
- SUSE CVE CVE-2026-24122 page
- SUSE CVE CVE-2026-24137 page
- SUSE CVE CVE-2026-26958 page
Описание
A flaw was found in github.com/go-viper/mapstructure/v2, in the field processing component using mapstructure.WeakDecode. This vulnerability allows information disclosure through detailed error messages that may leak sensitive input values via malformed user-supplied data processed in security-critical contexts.
Затронутые продукты
Ссылки
- CVE-2025-11065
- SUSE Bug 1250608
Описание
SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.
Затронутые продукты
Ссылки
- CVE-2025-58181
- SUSE Bug 1253784
Описание
Cosign provides code signing and transparency for containers and binaries. Prior to versions 2.6.2 and 3.0.4, Cosign bundle can be crafted to successfully verify an artifact even if the embedded Rekor entry does not reference the artifact's digest, signature or public key. When verifying a Rekor entry, Cosign verifies the Rekor entry signature, and also compares the artifact's digest, the user's public key from either a Fulcio certificate or provided by the user, and the artifact signature to the Rekor entry contents. Without these comparisons, Cosign would accept any response from Rekor as valid. A malicious actor that has compromised a user's identity or signing key could construct a valid Cosign bundle by including any arbitrary Rekor entry, thus preventing the user from being able to audit the signing event. This issue has been patched in versions 2.6.2 and 3.0.4.
Затронутые продукты
Ссылки
- CVE-2026-22703
- SUSE Bug 1256496
Описание
Fulcio is a certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity. Prior to 1.8.5, Fulcio's metaRegex() function uses unanchored regex, allowing attackers to bypass MetaIssuer URL validation and trigger SSRF to arbitrary internal services. Since the SSRF only can trigger GET requests, the request cannot mutate state. The response from the GET request is not returned to the caller so data exfiltration is not possible. A malicious actor could attempt to probe an internal network through Blind SSRF. This vulnerability is fixed in 1.8.5.
Затронутые продукты
Ссылки
- CVE-2026-22772
- SUSE Bug 1256532
Описание
go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, if the TUF repository (or any of its mirrors) returns invalid TUF metadata JSON (valid JSON but not well formed TUF metadata), the client will panic during parsing, causing a denial of service. The panic happens before any signature is validated. This means that a compromised repository/mirror/cache can DoS clients without having access to any signing key. Version 2.3.1 fixes the issue. No known workarounds are available.
Затронутые продукты
Ссылки
- CVE-2026-23991
- SUSE Bug 1257079
Описание
go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, a compromised or misconfigured TUF repository can have the configured value of signature thresholds set to 0, which effectively disables signature verification. This can lead to unauthorized modification to TUF metadata files is possible at rest, or during transit as no integrity checks are made. Version 2.3.1 fixes the issue. As a workaround, always make sure that the TUF metadata roles are configured with a threshold of at least 1.
Затронутые продукты
Ссылки
- CVE-2026-23992
- SUSE Bug 1257084
Описание
Cosign provides code signing and transparency for containers and binaries. In versions 3.0.4 and below, an issuing certificate with a validity that expires before the leaf certificate will be considered valid during verification even if the provided timestamp would mean the issuing certificate should be considered expired. When verifying artifact signatures using a certificate, Cosign first verifies the certificate chain using the leaf certificate's "not before" timestamp and later checks expiry of the leaf certificate using either a signed timestamp provided by the Rekor transparency log or from a timestamp authority, or using the current time. The root and all issuing certificates are assumed to be valid during the leaf certificate's validity. There is no impact to users of the public Sigstore infrastructure. This may affect private deployments with customized PKIs. This issue has been fixed in version 3.0.5.
Затронутые продукты
Ссылки
- CVE-2026-24122
- SUSE Bug 1258540
Описание
sigstore framework is a common go library shared across sigstore services and clients. In versions 1.10.3 and below, the legacy TUF client (pkg/tuf/client.go) supports caching target files to disk. It constructs a filesystem path by joining a cache base directory with a target name sourced from signed target metadata; however, it does not validate that the resulting path stays within the cache base directory. A malicious TUF repository can trigger arbitrary file overwriting, limited to the permissions that the calling process has. Note that this should only affect clients that are directly using the TUF client in sigstore/sigstore or are using an older version of Cosign. Public Sigstore deployment users are unaffected, as TUF metadata is validated by a quorum of trusted collaborators. This issue has been fixed in version 1.10.4. As a workaround, users can disable disk caching for the legacy client by setting SIGSTORE_NO_CACHE=true in the environment, migrate to https://github.com/sigstore/sigstore-go/tree/main/pkg/tuf, or upgrade to the latest sigstore/sigstore release.
Затронутые продукты
Ссылки
- CVE-2026-24137
- SUSE Bug 1257137
Описание
filippo.io/edwards25519 is a Go library implementing the edwards25519 elliptic curve with APIs for building cryptographic primitives. In versions 1.1.0 and earlier, MultiScalarMult produces invalid results or undefined behavior if the receiver is not the identity point. If (*Point).MultiScalarMult is called on an initialized point that is not the identity point, it returns an incorrect result. If the method is called on an uninitialized point, the behavior is undefined. In particular, if the receiver is the zero value, MultiScalarMult returns an invalid point that compares Equal to every other point. Note that MultiScalarMult is a rarely used, advanced API. For example, users who depend on filippo.io/edwards25519 only through github.com/go-sql-driver/mysql are not affected. This issue has been fixed in version 1.1.1.
Затронутые продукты
Ссылки
- CVE-2026-26958
- SUSE Bug 1258570