19 matches found

OSV | added 2026/03/18 11:29 a.m. | 2 views

OPENSUSE-SU-2026:20386-1 Security update for cosign

This update for cosign fixes the following issues: Update to version 3.0.5: - CVE-2026-24122: Fixed improper validation of certificates that outlive expired CA certificates bsc1258542 - CVE-2026-26958: Fixed filippo.io/edwards25519: failure to initialize receiver in MultiScalarMult can produce...

CVSS 7.5 | AI score 6.8 | EPSS 0.00046 | Exploits 4 | References 18
OSV | added 2026/03/18 11:27 a.m. | 1 view

SUSE-SU-2026:20904-1 Security update for cosign

This update for cosign fixes the following issues: Update to version 3.0.5: - CVE-2026-24122: Fixed improper validation of certificates that outlive expired CA certificates bsc1258542 - CVE-2026-26958: Fixed filippo.io/edwards25519: failure to initialize receiver in MultiScalarMult can produce...

CVSS 7.5 | AI score 6.1 | EPSS 0.00046 | Exploits 4 | References 19
Tenable Nessus | added 2026/03/06 12:00 a.m. | 5 views

SUSE SLED15 / SLES15 / openSUSE 15 Security Update : cosign (SUSE-SU-2026:0777-1)

The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:0777-1 advisory. Update to version 3.0.5 jscSLE-23879. Security issues fixed: - CVE-2025-11065:...

CVSS 7.5 | AI score 6 | EPSS 0.00046 | Exploits 4 | References 28
OSV | added 2026/01/13 4:42 p.m. | 2 views

GO-2026-4309 Cosign verification accepts any valid Rekor entry under certain conditions in github.com/sigstore/cosign

Cosign verification accepts any valid Rekor entry under certain conditions in github.com/sigstore/cosign...

CVSS 5.5 | AI score 6.9 | EPSS 0.00007 | Exploits 1 | References 4
OSV | added 2026/01/13 2:58 p.m. | 2 views

GHSA-WHQX-F9J3-CH6M Cosign verification accepts any valid Rekor entry under certain conditions

Impact A Cosign bundle can be crafted to successfully verify an artifact even if the embedded Rekor entry does not reference the artifact's digest, signature or public key. When verifying a Rekor entry, Cosign verifies the Rekor entry signature, and also compares the artifact's digest, the user's...

CVSS 5.5 | AI score 6.9 | EPSS 0.00007 | Exploits 1 | References 5
EUVD | added 2026/01/13 2:58 p.m. | 2 views

EUVD-2026-1868

Cosign verification accepts any valid Rekor entry under certain conditions...

CVSS 5.5 | AI score 6.1 | EPSS 0.00007 | Exploits 1 | References 4
Github Security Blog | added 2026/01/13 2:58 p.m. | 10 views

Cosign verification accepts any valid Rekor entry under certain conditions

Impact A Cosign bundle can be crafted to successfully verify an artifact even if the embedded Rekor entry does not reference the artifact's digest, signature or public key. When verifying a Rekor entry, Cosign verifies the Rekor entry signature, and also compares the artifact's digest, the user's...

CVSS 5.5 | AI score 7 | EPSS 0.00007 | Exploits 1 | References 5 | Affected Software 2
OSV | added 2026/01/13 8:37 a.m. | 3 views

BIT-COSIGN-2026-22703 Cosign verification accepts any valid Rekor entry under certain conditions

Cosign provides code signing and transparency for containers and binaries. Prior to versions 2.6.2 and 3.0.4, a Cosign bundle can be crafted to successfully verify an artifact even if the embedded Rekor entry does not reference the artifact's digest, signature or public key. When verifying a Rekor...

CVSS 5.5 | AI score 7 | EPSS 0.00007 | Exploits 1 | References 4
SUSE CVE | added 2026/01/13 12:24 a.m. | 3 views

SUSE CVE-2026-22703

Cosign provides code signing and transparency for containers and binaries. Prior to versions 2.6.2 and 3.0.4, a Cosign bundle can be crafted to successfully verify an artifact even if the embedded Rekor entry does not reference the artifact's digest, signature or public key. When verifying a Rekor...

CVSS 5.5 | AI score 7.1 | EPSS 0.00007 | Exploits 1 | References 5
NVD | added 2026/01/10 7:16 a.m. | 4 views

CVE-2026-22703

Cosign provides code signing and transparency for containers and binaries. Prior to versions 2.6.2 and 3.0.4, a Cosign bundle can be crafted to successfully verify an artifact even if the embedded Rekor entry does not reference the artifact's digest, signature or public key. When verifying a Rekor...

CVSS 5.5 | EPSS 0.00007 | Exploits 1 | References 3
UbuntuCve | added 2026/01/10 7:16 a.m. | 3 views

CVE-2026-22703

Cosign provides code signing and transparency for containers and binaries. Prior to versions 2.6.2 and 3.0.4, a Cosign bundle can be crafted to successfully verify an artifact even if the embedded Rekor entry does not reference the artifact's digest, signature or public key. When verifying a Rekor...

CVSS 5.5 | AI score 5.9 | EPSS 0.00007 | Exploits 1 | References 4
OSV | added 2026/01/10 7:16 a.m. | 1 view

UBUNTU-CVE-2026-22703

Cosign provides code signing and transparency for containers and binaries. Prior to versions 2.6.2 and 3.0.4, a Cosign bundle can be crafted to successfully verify an artifact even if the embedded Rekor entry does not reference the artifact's digest, signature or public key. When verifying a Rekor...

CVSS 5.5 | AI score 5.9 | EPSS 0.00007 | Exploits 1 | References 5
Cvelist | added 2026/01/10 6:11 a.m. | 21 views

CVE-2026-22703 Cosign verification accepts any valid Rekor entry under certain conditions

Cosign provides code signing and transparency for containers and binaries. Prior to versions 2.6.2 and 3.0.4, a Cosign bundle can be crafted to successfully verify an artifact even if the embedded Rekor entry does not reference the artifact's digest, signature or public key. When verifying a Rekor...

CVSS 5.5 | EPSS 0.00007 | Exploits 1 | References 3
Vulnrichment | added 2026/01/10 6:11 a.m. | 2 views

CVE-2026-22703 Cosign verification accepts any valid Rekor entry under certain conditions

Cosign provides code signing and transparency for containers and binaries. Prior to versions 2.6.2 and 3.0.4, a Cosign bundle can be crafted to successfully verify an artifact even if the embedded Rekor entry does not reference the artifact's digest, signature or public key. When verifying a Rekor...

CVSS 5.5 | AI score 6.8 | EPSS 0.00007 | Exploits 1 | References 3
CVE | added 2026/01/10 6:11 a.m. | 17 views

CVE-2026-22703

Cosign prior to versions 2.6.2 and 3.0.4 could verify a Rekor entry without actually checking the artifact digest, signature, or public key, allowing a malicious actor to craft a valid bundle from any Rekor entry and evade audit. The issue affects Cosign's signing/verification workflow and could ...

CVSS 5.5 | AI score 6.8 | EPSS 0.00007 | Exploits 1 | References 3 | Affected Software 1
Positive Technologies | added 2026/01/01 12:00 a.m. | 3 views

PT-2026-2253

Name of the Vulnerable Software and Affected Versions: Cosign versions prior to 2.6.2 and 3.0.4. Description: Cosign is a tool providing code signing and transparency for containers and binaries. Prior to versions 2.6.2 and 3.0.4, a crafted Cosign bundle could successfully verify an artifact even if...

CVSS 7.5 | AI score 6.8 | EPSS 0.00046 | Exploits 4 | References 40
EUVD | added 2025/10/03 8:07 p.m. | 3 views

EUVD-2024-3224

Malicious code in bioql PyPI...

CVSS 1.8 | AI score 4.1 | EPSS 0.00058 | Exploits 0 | References 3
Veracode | added 2024/11/14 6:51 a.m. | 2 views

Incorrect Rekor Entry Selection

github.com/sigstore/gitsign is vulnerable to Incorrect Rekor entry selection. The vulnerability is due to gitsign not correctly handling situations where multiple Rekor entries are returned during online verification, leading it to potentially select the wrong one. It allows an attacker to...

AI score 7 | Exploits 0
Debian CVE | added 2024/11/05 6:54 p.m. | 7 views

CVE-2024-51746

Gitsign is a keyless Sigstore signing tool for Git commits using your GitHub / OIDC identity. gitsign may select the wrong Rekor entry to use during online verification when multiple entries are returned by the log. gitsign uses Rekor's search API to fetch entries that apply to a signature...

CVSS 1.8 | AI score 4.6 | EPSS 0.00058 | Exploits 0