SUSE SLED15 / SLES15 Security Update : cosign (SUSE-SU-2026:2365-1)

The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2026:2365-1 advisory. This update for cosign fixes the following issue - CVE-2026-39395: Incorrect attestation verification due to malformed...

Security update for cosign

This update for cosign fixes the following issue CVE-2026-39395: Incorrect attestation verification due to malformed payloads or mismatched predicate types bsc1261859. Changes for cosign: update to 3.0.6: Fix DSSE predicate check GHSA-w6c6-c85g-mmv6 4801 Handle whitespace-only certificate...

SUSE-SU-2026:2365-1 Security update for cosign

This update for cosign fixes the following issue - CVE-2026-39395: Incorrect attestation verification due to malformed payloads or mismatched predicate types bsc1261859. Changes for cosign: - update to 3.0.6: Fix DSSE predicate check GHSA-w6c6-c85g-mmv6 4801 Handle whitespace-only certificate...

Moderate: Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update

An update for Red Hat Hardened Images RPMs is now available. This update includes the following RPMs: cosign: cosign-3.1.1-0.1.hum1 aarch64, x8664 cosign-3.1.1-0.1.hum1.src src...

OPENSUSE-SU-2026:10753-1 cosign-3.0.6-1.1 on GA media

These are all security issues fixed in the cosign-3.0.6-1.1 package on the GA media of openSUSE Tumbleweed...

OPENSUSE-SU-2026:20662-1 Security update for hauler

This update for hauler fixes the following issues: Changes in hauler: - update to 1.4.2 bsc1258614, CVE-2026-24122: Bump github.com/theupdateframework/go-tuf/v2 from 2.3.0 to 2.3.1 in the gomodules group across 1 directory fix for new helm chart features Bump github.com/sigstore/rekor from 1.4.3 ...

SUSE SLED15 / SLES15 Security Update : cosign (SUSE-SU-2026:1486-1)

The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2026:1486-1 advisory. This update for cosign rebuilds it against the current go 1.25 security release. Tenable has extracted the preceding...

Security update for cosign

This update for cosign rebuilds it against the current go 1.25 security release. Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST onlineupdate or "zypper patch". Alternatively you can run the command listed for your product: SUSE Linux...

SUSE-SU-2026:1486-1 Security update for cosign

This update for cosign rebuilds it against the current go 1.25 security release...

CVE-2026-39984 vulnerabilities

Vulnerabilities for packages: aactl, spire-server, docker-cli-buildx, goreleaser, buildkitd, cosign, crossplane, policy-controller, kyverno-notation-aws, trivy, vexctl, zot, trivy-operator, zarf, falcoctl, skaffold, tekton-chains, gitsign, flux-source-controller, docker, witness,...

GHSA-XM5M-WGH2-RRG3 vulnerabilities

Vulnerabilities for packages: aactl, spire-server, docker-cli-buildx, goreleaser, buildkitd, cosign, crossplane, policy-controller, kyverno-notation-aws, trivy, vexctl, zot, trivy-operator, zarf, falcoctl, skaffold, tekton-chains, gitsign, flux-source-controller, docker, witness,...

CVE-2026-32281 vulnerabilities

Vulnerabilities for packages: dbmate, temporal-ui-server, cert-manager, nri-nginx, thanos-operator, infinispan-operator, aws-eks-pod-identity-agent, rancher-fleet, incert, vendir, redka, vault-k8s, timoni, amazon-k8s-cni, mc, timescaledb-parallel-copy, falcoctl, hcloud, sftpgo-plugin-eventsearch,...

SUSE CVE-2026-39395

Cosign provides code signing and transparency for containers and binaries. Prior to 3.0.6 and 2.6.3, cosign verify-blob-attestation may erroneously report a "Verified OK" result for attestations with malformed payloads or mismatched predicate types. For old-format bundles and detached signatures,...

BIT-COSIGN-2026-39395 Cosign's verify-blob-attestation reports false positive when payload parsing fails

Cosign provides code signing and transparency for containers and binaries. Prior to 3.0.6 and 2.6.3, cosign verify-blob-attestation may erroneously report a "Verified OK" result for attestations with malformed payloads or mismatched predicate types. For old-format bundles and detached signatures,...

CVE-2026-39395

A flaw was found in Cosign, a tool for code signing and transparency for containers and binaries. A remote attacker could exploit this vulnerability by providing malformed payloads or attestations with mismatched predicate types. This could lead to Cosign erroneously reporting a "Verified OK"...

Cosign's verify-blob-attestation reports false positive when payload parsing fails

Description cosign verify-blob-attestation may erroneously report a "Verified OK" result for attestations with malformed payloads or mismatched predicate types. For old-format bundles and detached signatures, this was due to a logic flaw in the error handling of the predicate type validation. For...

Linux Distros Unpatched Vulnerability : CVE-2026-39395

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Cosign provides code signing and transparency for containers and binaries. Prior to 3.0.6 and 2.6.3, cosign verify-blob-attestation may erroneously report a...

Missing Report of Error Condition

Overview Affected versions of this package are vulnerable to Missing Report of Error Condition in the verify-blob-attestation module when used without --check-claims flag. An attacker can cause the system to incorrectly report successful verification of attestations with malformed payloads or...

Missing Report of Error Condition

Overview github.com/sigstore/cosign/cmd/cosign/cli/verify is a package that aims to make signatures invisible infrastructure. Affected versions of this package are vulnerable to Missing Report of Error Condition in the verify-blob-attestation module when used without --check-claims flag. An...

Missing Report of Error Condition

Overview Affected versions of this package are vulnerable to Missing Report of Error Condition in the verify-blob-attestation module when used without --check-claims flag. An attacker can cause the system to incorrectly report successful verification of attestations with malformed payloads or...