Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package cosign for openSUSE:Factory checked in at 2026-02-23 16:12:54

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/cosign (Old)
 and /work/SRC/openSUSE:Factory/.cosign.new.1977 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cosign" Mon Feb 23 16:12:54 2026 rev:33 rq:1334418 version:3.0.5 Changes: -------- --- /work/SRC/openSUSE:Factory/cosign/cosign.changes 2026-02-20 17:50:38.667564978 +0100 +++ /work/SRC/openSUSE:Factory/.cosign.new.1977/cosign.changes 2026-02-23 16:14:53.395123884 +0100 
@@ -1,0 +2,59 @@ +Sun Feb 22 12:25:59 UTC 2026 - [email protected] + +- Update to version 3.0.5: + * CVE-2026-24122: Fixed improper validation of certificates that + outlive expired CA certificates (bsc#1258542) + * CVE-2026-26958: Fixed filippo.io/edwards25519: failure to initialize + receiver in MultiScalarMult can produce invalid results and lead to + undefined behavior (bsc#1258612) + * CVE-2026-24137: Fixed github.com/sigstore/sigstore/pkg/tuf: legacy + TUF client allows for arbitrary file writes with target cache path + traversal (bsc#1257139) + * CVE-2026-22772: Fixed github.com/sigstore/fulcio: bypass MetaIssuer + URL validation bypass can trigger SSRF to arbitrary internal services + (bsc#1256562) + * CVE-2026-23991: Fixed github.com/theupdateframework/go-tuf/v2: denial + of service due to invalid TUF metadata JSON returned by TUF repository + (bsc#1257080) + * CVE-2026-23992: Fixed github.com/theupdateframework/go-tuf/v2: + unauthorized modification to TUF metadata files due to a compromised + or misconfigured TUF repository (bsc#1257085) + + * chore(deps): bump google.golang.org/api from 0.260.0 to 0.264.0 (#4679) + * chore(deps): bump github.com/sigstore/rekor-tiles/v2 from 2.0.1 to 2.1.0 (#4670) + * chore(deps): bump filippo.io/edwards25519 from 1.1.0 to 1.1.1 (#4712) + * chore(deps): bump gitlab.com/gitlab-org/api/client-go (#4680) + * chore(deps): bump the gomod group across 1 directory with 4 updates (#4702) + * chore(deps): bump the actions group with 3 updates (#4703) + * update golang builder to use go1.25.7 (#4687) + * update golangci-lint to v2.8.x (#4688) + * Fix typo in CLI help (#4701) + * Support DSSE signing conformance test (#4685) + * chore(deps): bump the actions group across 1 directory with 8 updates (#4689) + * Deprecate rekor-entry-type flag (#4691) + * Deprecate cosign triangulate (#4676) + * Deprecate cosign copy (#4681) + * Enforce TSA requirement for Rekor v2, Fuclio signing (#4683) + * chore(deps): bump 
github.com/theupdateframework/go-tuf/v2 (#4668) + * chore(deps): bump golang from 1.25.5 to 1.25.6 in the all group (#4673) + * Automatically require signed timestamp with Rekor v2 entries (#4666) + * Fix syntax issue in conformance test, update nightly (#4664) + * Add mTLS support for TSA client connections when signing with a signing config (#4620) + * fix: avoid panic on malformed tlog entry body (#4652) + * Verify validity of chain rather than just certificate (#4663) + * Allow --local-image with --new-bundle-format for v2 and v3 signatures (#4626) + * chore(deps): bump the gomod group across 1 directory with 3 updates (#4662) + * Bump sigstore/sigstore to resolve GHSA (#4660) + * Gracefully fail if bundle payload body is not a string (#4648) + * fix: avoid panic on malformed replace payload (#4653) + * chore(deps): bump github.com/sigstore/rekor from 1.4.3 to 1.5.0 (#4659) + * fix: avoid panic on malformed attestation payload (#4651) + * fix: avoid panic on malformed tlog entries (#4649) + * Update conformance to latest + * docs(cosign): clarify RFC3161 revocation semantics (#4642) + * Add empty predicate to cosign sign when payload type is application/vnd.in-toto+json (#4635) + * chore(deps): bump github.com/sigstore/fulcio from 1.8.4 to 1.8.5 (#4637) + * Add origin key for ctfe trusted root + * Add changelog updates for v3.0.4 and v2.6.2 (#4625) + +------------------------------------------------------------------- Old: ---- cosign-3.0.4.obscpio New: ---- cosign-3.0.5.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ cosign.spec ++++++ --- /var/tmp/diff_new_pack.MXG3Us/_old 2026-02-23 16:14:54.223158024 +0100 +++ /var/tmp/diff_new_pack.MXG3Us/_new 2026-02-23 16:14:54.227158189 +0100 
@@ -17,7 +17,7 @@ Name: cosign -Version: 3.0.4 +Version: 3.0.5 Release: 0 Summary: Container Signing, Verification and Storage in an OCI registry License: Apache-2.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.MXG3Us/_old 2026-02-23 16:14:54.271160004 +0100 +++ /var/tmp/diff_new_pack.MXG3Us/_new 2026-02-23 16:14:54.275160168 +0100 @@ -3,7 +3,7 @@ <param name="url">https://github.com/sigstore/cosign</param> <param name="scm">git</param> <param name="exclude">.git</param> - <param name="revision">v3.0.4</param> + <param name="revision">v3.0.5</param> <param name="versionformat">@PARENT_TAG@</param> <param name="changesgenerate">enable</param> <param name="versionrewrite-pattern">v(.*)</param> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.MXG3Us/_old 2026-02-23 16:14:54.299161158 +0100 +++ /var/tmp/diff_new_pack.MXG3Us/_new 2026-02-23 16:14:54.303161323 +0100 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/sigstore/cosign</param> - <param name="changesrevision">6832fba4928c1ad69400235bbc41212de5006176</param></service></servicedata> + <param name="changesrevision">479147a4df05f31be48aeb2b3a9d32dfc35ba877</param></service></servicedata> (No newline at EOF) ++++++ cosign-3.0.4.obscpio -> cosign-3.0.5.obscpio ++++++ ++++ 4788 lines of diff (skipped) ++++++ cosign.obsinfo ++++++ --- /var/tmp/diff_new_pack.MXG3Us/_old 2026-02-23 16:14:55.047192000 +0100 +++ /var/tmp/diff_new_pack.MXG3Us/_new 2026-02-23 16:14:55.051192165 +0100 @@ -1,5 +1,5 @@ name: cosign -version: 3.0.4 -mtime: 1767993436 -commit: 6832fba4928c1ad69400235bbc41212de5006176 +version: 3.0.5 +mtime: 1771526541 +commit: 479147a4df05f31be48aeb2b3a9d32dfc35ba877 ++++++ vendor.tar.zst ++++++ /work/SRC/openSUSE:Factory/cosign/vendor.tar.zst /work/SRC/openSUSE:Factory/.cosign.new.1977/vendor.tar.zst differ: char 7, line 1
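Review bot: in the cosign.changes hunk the CVE-2026-22772 entry reads "bypass MetaIssuer URL validation bypass can trigger SSRF", with "bypass" duplicated; "Fixed github.com/sigstore/fulcio: MetaIssuer URL validation bypass can trigger SSRF to arbitrary internal services (bsc#1256562)" says the same thing cleanly. The "Fuclio" in "Enforce TSA requirement for Rekor v2, Fuclio signing (#4683)" is the upstream PR title quoted as-is and can stay, but the six CVE bullets are the packager's own text and are what the bsc# trackers will be read against, so they are worth tidying before submission.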
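Review bot: the vendor.tar.zst change is shown only as "differ: char 7, line 1" and the 4788-line source diff is skipped, so the dependency updates the changelog relies on for five of the six CVE entries are not visible in this request: CVE-2026-26958 is fixed in filippo.io/edwards25519 (bumped 1.1.0 to 1.1.1, #4712), CVE-2026-23991 and CVE-2026-23992 in github.com/theupdateframework/go-tuf/v2 (#4668), CVE-2026-24137 in github.com/sigstore/sigstore/pkg/tuf (#4660), and CVE-2026-22772 in github.com/sigstore/fulcio (1.8.4 to 1.8.5, #4637). Before accepting, confirm that vendor/modules.txt inside the new vendor.tar.zst lists those module versions and matches go.mod in cosign-3.0.5.obscpio, since the bsc# references are closed by the vendored copies rather than by the cosign.spec version bump alone.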
