
   linux.debian.bugs.dist      Ohh some weird Debian bug report thing      28,835 messages   


   Message 28,507 of 28,835   
   Salvatore Bonaccorso to All   
   Bug#1128652: cosign: CVE-2026-24122   
   22 Feb 26 11:30:01   
   
   From: carnil@debian.org   
      
   Source: cosign   
   Version: 2.6.2-1   
   Severity: important   
   Tags: security upstream   
   X-Debbugs-Cc: carnil@debian.org, Debian Security Team    
      
   Hi,   
      
   The following vulnerability was published for cosign.   
      
   CVE-2026-24122[0]:   
   | Cosign provides code signing and transparency for containers and   
   | binaries. In versions 3.0.4 and below, an issuing certificate with a   
   | validity that expires before the leaf certificate will be considered   
   | valid during verification even if the provided timestamp would mean   
   | the issuing certificate should be considered expired. When verifying   
   | artifact signatures using a certificate, Cosign first verifies the   
   | certificate chain using the leaf certificate's "not before"   
   | timestamp and later checks expiry of the leaf certificate using   
   | either a signed timestamp provided by the Rekor transparency log or   
   | from a timestamp authority, or using the current time. The root and   
   | all issuing certificates are assumed to be valid during the leaf   
   | certificate's validity. There is no impact to users of the public   
   | Sigstore infrastructure. This may affect private deployments with   
   | customized PKIs. This issue has been fixed in version 3.0.5.   
      
   I'm still filing the issue for tracking, but afaiu this is a small   
   issue in practice.   
      
   If you fix the vulnerability please also make sure to include the   
   CVE (Common Vulnerabilities & Exposures) id in your changelog entry.   
      
   For further information see:   
      
   [0] https://security-tracker.debian.org/tracker/CVE-2026-24122   
       https://www.cve.org/CVERecord?id=CVE-2026-24122   
   [1] https://github.com/sigstore/cosign/security/advisories/GHSA-wfqv-66vq-46rm   
   [2] https://github.com/sigstore/cosign/commit/3c9a7363f563db76d7e2de2cabd945450f3781e   
      
   Please adjust the affected versions in the BTS as needed.   
      
   Regards,   
   Salvatore   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
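The CVE text above describes an ordering problem in chain validation: the chain is checked at the leaf's "not before" time, and only the leaf's own validity is later checked against the signing timestamp, so an issuing certificate that expires before the leaf is never compared against that timestamp. The following Go program is an added illustration of that failure mode and of the corrected check; it is not cosign's code and does not reproduce the upstream fix in [2]. It builds a throwaway root -> intermediate -> leaf chain in memory (constructed test material, not Sigstore certificates) whose intermediate expires a year before the leaf, then runs both orders of checks against a signing time that falls in the gap. The function names, the 1-year/2-year lifetimes and the 18-month signing time are assumptions chosen for the demonstration; the verification itself uses only the standard library's crypto/x509, which applies VerifyOptions.CurrentTime to every certificate in the chain it builds.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain is an in-memory root -> intermediate -> leaf PKI built for this
// example (constructed test material, not real Sigstore certificates).
type Chain struct{ Root, Intermediate, Leaf *x509.Certificate }

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func mustCert(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// NewTestChain builds the shape the advisory describes: the issuing
// (intermediate) certificate expires one year after t0, while the leaf it
// issued is valid for two years, leaving a window where the leaf is still
// within its own validity but its issuer has already expired.
func NewTestChain(t0 time.Time) Chain {
	rootKey, intKey, leafKey := mustKey(), mustKey(), mustKey()
	ca := func(serial int64, cn string, notAfter time.Time) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: t0, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true,
			KeyUsage: x509.KeyUsageCertSign,
		}
	}
	rootTmpl := ca(1, "example root", t0.AddDate(10, 0, 0))
	root := mustCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	inter := mustCert(ca(2, "example intermediate", t0.AddDate(1, 0, 0)), root, &intKey.PublicKey, rootKey)
	leaf := mustCert(&x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "example signer"},
		NotBefore: t0, NotAfter: t0.AddDate(2, 0, 0),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}, inter, &leafKey.PublicKey, intKey)
	return Chain{Root: root, Intermediate: inter, Leaf: leaf}
}

// opts returns VerifyOptions that evaluate the whole chain at time `at`.
func (c Chain) opts(at time.Time) x509.VerifyOptions {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(c.Root)
	inters.AddCert(c.Intermediate)
	return x509.VerifyOptions{
		Roots: roots, Intermediates: inters, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	}
}

// VerifyChainAtLeafNotBefore models the order of checks the advisory
// describes as flawed: the chain is validated at the leaf's NotBefore, and
// only the leaf's own window is then compared with the signing time ts.
// An issuer that expired before ts is never noticed.
func VerifyChainAtLeafNotBefore(c Chain, ts time.Time) error {
	if _, err := c.Leaf.Verify(c.opts(c.Leaf.NotBefore)); err != nil {
		return err
	}
	if ts.Before(c.Leaf.NotBefore) || ts.After(c.Leaf.NotAfter) {
		return fmt.Errorf("leaf certificate not valid at %s", ts.UTC())
	}
	return nil
}

// VerifyChainAtTimestamp is the corrected check: every certificate in the
// chain, issuers included, must cover the trusted signing time ts.
func VerifyChainAtTimestamp(c Chain, ts time.Time) error {
	_, err := c.Leaf.Verify(c.opts(ts))
	return err
}

func main() {
	t0 := time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)
	ch := NewTestChain(t0)
	ts := t0.AddDate(0, 18, 0) // leaf still valid, intermediate expired six months earlier
	fmt.Println("chain checked at leaf NotBefore:", VerifyChainAtLeafNotBefore(ch, ts))
	fmt.Println("chain checked at signing time:  ", VerifyChainAtTimestamp(ch, ts))
}
```

With the 18-month signing time the first check returns nil (the signature would be accepted), while the second fails; Go reports the expired intermediate as an x509.UnknownAuthorityError whose message names the expiry reason, because no valid chain to a root could be built at that time. The practical check for a private Sigstore deployment is the second one: the trusted time (Rekor integrated time, RFC 3161 timestamp, or current time, in that order of preference) has to be the time at which the entire chain is evaluated, not only the leaf.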


