SUSE-SU-2025:1333-1
- Source
- https://www.suse.com/support/update/announcement/2025/suse-su-20251333-1/
- Import Source
- https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2025:1333-1.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/SUSE-SU-2025:1333-1
- Related
- Published
- 2025-04-17T01:38:19Z
- Modified
- 2025-04-17T12:30:39.949091Z
- Upstream
- Summary
- Security update for cosign
- Details
-
This update for cosign fixes the following issues:
- CVE-2024-6104: cosign: hashicorp/go-retryablehttp: Fixed sensitive information disclosure to log file (bsc#1227031)
- CVE-2024-51744: cosign: github.com/golang-jwt/jwt/v4: Fixed bad documentation of error handling in ParseWithClaims leading to potentially dangerous situations (bsc#1232985)
- CVE-2025-27144: cosign: github.com/go-jose/go-jose/v4,github.com/go-jose/go-jose/v3: Fixed denial of service in Go JOSE's Parsing (bsc#1237682)
- CVE-2025-22870: cosign: golang.org/x/net/proxy: Fixed proxy bypass using IPv6 zone IDs (bsc#1238693)
- CVE-2025-22868: cosign: golang.org/x/oauth2/jws: Fixed unexpected memory consumption during token parsing (bsc#1239204)
- CVE-2025-22869: cosign: golang.org/x/crypto/ssh: Fixed denial of service in the Key Exchange (bsc#1239337)
Other fixes:
Update to version 2.5.0 (jsc#SLE-23476):
- Update sigstore-go to pick up bug fixes (#4150)
- Update golangci-lint to v2, update golangci-lint-action (#4143)
- Feat/non filename completions (#4115)
- update builder to use go1.24.1 (#4116)
- Add support for new bundle specification for attesting/verifying OCI image attestations (#3889)
- Remove cert log line (#4113)
- cmd/cosign/cli: fix typo in ignoreTLogMessage (#4111)
- bump to latest scaffolding release for testing (#4099)
- increase 2e2_test docker compose tiemout to 180s (#4091)
- Fix replace with compliant image mediatype (#4077)
- Add TSA certificate related flags and fields for cosign attest (#4079)
Update to version 2.4.3 (jsc#SLE-23476):
- Enable fetching signatures without remote get. (#4047)
- Bump sigstore/sigstore to support KMS plugins (#4073)
- sort properly Go imports (#4071)
- sync comment with parameter name in function signature (#4063)
- fix go imports order to be alphabetical (#4062)
- fix comment typo and imports order (#4061)
- Feat/file flag completion improvements (#4028)
- Udpate builder to use go1.23.6 (#4052)
- Refactor verifyNewBundle into library function (#4013)
- fix parsing error in --only for cosign copy (#4049)
- Fix codeowners syntax, add dep-maintainers (#4046)
Update to version 2.4.2 (jsc#SLE-23476):
- Updated open-policy-agent to 1.1.0 library (#4036)
- Note that only Rego v0 policies are supported at this time
- Add UseSignedTimestamps to CheckOpts, refactor TSA options (#4006)
- Add support for verifying root checksum in cosign initialize (#3953)
- Detect if user supplied a valid protobuf bundle (#3931)
- Add a log message if user doesn't provide --trusted-root (#3933)
- Support mTLS towards container registry (#3922)
- Add bundle create helper command (#3901)
- Add trusted-root create helper command (#3876) Bug Fixes:
- fix: set tls config while retaining other fields from default http transport (#4007)
- policy fuzzer: ignore known panics (#3993)
- Fix for multiple WithRemote options (#3982)
- Add nightly conformance test workflow (#3979)
- Fix copy --only for signatures + update/align docs (#3904)
- Updated open-policy-agent to 1.1.0 library (#4036)
- References
-
- https://www.suse.com/support/update/announcement/2025/suse-su-20251333-1/
- https://bugzilla.suse.com/1227031
- https://bugzilla.suse.com/1232985
- https://bugzilla.suse.com/1237682
- https://bugzilla.suse.com/1238693
- https://bugzilla.suse.com/1239204
- https://bugzilla.suse.com/1239337
- https://www.suse.com/security/cve/CVE-2024-51744
- https://www.suse.com/security/cve/CVE-2024-6104
- https://www.suse.com/security/cve/CVE-2025-22868
- https://www.suse.com/security/cve/CVE-2025-22869
- https://www.suse.com/security/cve/CVE-2025-22870
- https://www.suse.com/security/cve/CVE-2025-27144
Affected packages
SUSE:Linux Enterprise Module for Basesystem 15 SP6 / cosign
Package
- Name
- cosign
- Purl
- pkg:rpm/suse/cosign&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP6
SUSE:Linux Enterprise High Performance Computing 15 SP4-ESPOS / cosign
Package
- Name
- cosign
- Purl
- pkg:rpm/suse/cosign&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOS
SUSE:Linux Enterprise High Performance Computing 15 SP4-LTSS / cosign
Package
- Name
- cosign
- Purl
- pkg:rpm/suse/cosign&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSS
SUSE:Linux Enterprise High Performance Computing 15 SP5-ESPOS / cosign
Package
- Name
- cosign
- Purl
- pkg:rpm/suse/cosign&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-ESPOS
SUSE:Linux Enterprise High Performance Computing 15 SP5-LTSS / cosign
Package
- Name
- cosign
- Purl
- pkg:rpm/suse/cosign&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-LTSS
SUSE:Linux Enterprise Server 15 SP4-LTSS / cosign
Package
- Name
- cosign
- Purl
- pkg:rpm/suse/cosign&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSS
SUSE:Linux Enterprise Server 15 SP5-LTSS / cosign
Package
- Name
- cosign
- Purl
- pkg:rpm/suse/cosign&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP5-LTSS
SUSE:Linux Enterprise Server for SAP Applications 15 SP4 / cosign
Package
- Name
- cosign
- Purl
- pkg:rpm/suse/cosign&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4
SUSE:Linux Enterprise Server for SAP Applications 15 SP5 / cosign
Package
- Name
- cosign
- Purl
- pkg:rpm/suse/cosign&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP5
SUSE:Manager Proxy 4.3 / cosign
Package
- Name
- cosign
- Purl
- pkg:rpm/suse/cosign&distro=SUSE%20Manager%20Proxy%204.3
SUSE:Manager Server 4.3 / cosign
Package
- Name
- cosign
- Purl
- pkg:rpm/suse/cosign&distro=SUSE%20Manager%20Server%204.3