Your message dated Wed, 18 Feb 2026 19:49:12 +0000
with message-id <[email protected]>
and subject line Bug#1126764: fixed in cosign 2.6.2-1~exp0
has caused the Debian Bug report #1126764,
regarding cosign: CVE-2026-22703
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1126764: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126764
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: cosign
Version: 2.5.0-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/sigstore/cosign/pull/4623
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for cosign.

CVE-2026-22703[0]:
| Cosign provides code signing and transparency for containers and
| binaries. Prior to versions 2.6.2 and 3.0.4, a Cosign bundle can be
| crafted to successfully verify an artifact even if the embedded
| Rekor entry does not reference the artifact's digest, signature or
| public key. When verifying a Rekor entry, Cosign verifies the Rekor
| entry signature, and also compares the artifact's digest, the user's
| public key from either a Fulcio certificate or provided by the user,
| and the artifact signature to the Rekor entry contents. Without
| these comparisons, Cosign would accept any response from Rekor as
| valid. A malicious actor that has compromised a user's identity or
| signing key could construct a valid Cosign bundle by including any
| arbitrary Rekor entry, thus preventing the user from being able to
| audit the signing event. This issue has been patched in versions
| 2.6.2 and 3.0.4.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-22703
    https://www.cve.org/CVERecord?id=CVE-2026-22703
[1] https://github.com/sigstore/cosign/pull/4623
[2] https://github.com/sigstore/cosign/security/advisories/GHSA-whqx-f9j3-ch6m
[3] https://github.com/sigstore/cosign/commit/3ade80c5f77cefc904f8c994e88618e5892e8f1c
    https://github.com/sigstore/cosign/commit/6832fba4928c1ad69400235bbc41212de5006176

Regards,
Salvatore

--- End Message ---
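The consistency check the CVE text above describes (comparing the artifact digest, the signature and the public key against the Rekor entry contents, rather than trusting the Rekor signature alone), as an added Go example that is not cosign's own code: the rekorEntry struct is a trimmed stand-in for the hashedrekord body, makeEntry only builds constructed test input, and the signature and key values are labelled placeholders.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// rekorEntry is a trimmed stand-in for the hashedrekord body (an assumption, not cosign's type); encoding/json matches names case-insensitively, so "publicKey" fills PublicKey.
type rekorEntry struct {
	Spec struct {
		Data      struct{ Hash struct{ Algorithm, Value string } }
		Signature struct {
			Content   string
			PublicKey struct{ Content string }
		}
	}
}

// checkEntryMatchesArtifact is the comparison the advisory says was missing: a valid
// Rekor signature is not enough, the entry must name this artifact's digest, signature and key.
func checkEntryMatchesArtifact(entryJSON, artifact, sig, pubKeyPEM []byte) error {
	var e rekorEntry
	if err := json.Unmarshal(entryJSON, &e); err != nil {
		return fmt.Errorf("malformed rekor entry: %w", err)
	}
	if d := sha256.Sum256(artifact); e.Spec.Data.Hash.Algorithm != "sha256" || e.Spec.Data.Hash.Value != fmt.Sprintf("%x", d[:]) {
		return fmt.Errorf("rekor entry digest does not match the artifact")
	}
	if s, err := base64.StdEncoding.DecodeString(e.Spec.Signature.Content); err != nil || string(s) != string(sig) {
		return fmt.Errorf("rekor entry signature does not match the bundle signature")
	}
	if k, err := base64.StdEncoding.DecodeString(e.Spec.Signature.PublicKey.Content); err != nil || string(k) != string(pubKeyPEM) {
		return fmt.Errorf("rekor entry public key does not match the verification key")
	}
	return nil
}

// makeEntry builds a constructed hashedrekord-style body for the given inputs (test data only).
func makeEntry(artifact, sig, pubKeyPEM []byte) []byte {
	d := sha256.Sum256(artifact)
	return []byte(fmt.Sprintf(`{"spec":{"data":{"hash":{"algorithm":"sha256","value":"%x"}},"signature":{"content":"%s","publicKey":{"content":"%s"}}}}`,
		d[:], base64.StdEncoding.EncodeToString(sig), base64.StdEncoding.EncodeToString(pubKeyPEM)))
}

func main() {
	artifact, sig, key := []byte("release.tar.gz"), []byte("placeholder-sig"), []byte("placeholder-key-pem")
	fmt.Println("matching entry:", checkEntryMatchesArtifact(makeEntry(artifact, sig, key), artifact, sig, key))
	fmt.Println("unrelated entry:", checkEntryMatchesArtifact(makeEntry([]byte("other"), sig, key), artifact, sig, key))
}
```

The second call models the advisory's scenario: an entry that carries a valid structure but references a different artifact is rejected instead of being accepted as proof of the signing event.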
--- Begin Message ---
Source: cosign
Source-Version: 2.6.2-1~exp0
Done: Simon Josefsson <[email protected]>

We believe that the bug you reported is fixed in the latest version of
cosign, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon Josefsson <[email protected]> (supplier of updated cosign package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 18 Feb 2026 11:21:05 +0100
Source: cosign
Architecture: source
Version: 2.6.2-1~exp0
Distribution: experimental
Urgency: medium
Maintainer: Debian Go Packaging Team <[email protected]>
Changed-By: Simon Josefsson <[email protected]>
Closes: 1126764
Changes:
 cosign (2.6.2-1~exp0) experimental; urgency=medium
 .
   * New upstream version
     - Fixes CVE-2026-22703 (Closes: #1126764)
   * Use watch v5 tracking git and pinning at v2
   * Use gbp upstream-vcs-tag
   * Refresh patches
   * Add new build deps
   * Bump sigstore-go to >=1.1.4
   * Drop Priority: optional
   * Drop Rules-Requires-Root: no
   * Standards-Version: 4.7.3
   * Modernize Salsa CI
   * Drop lintian field-too-long for Static-Built-Using
   * Bump copyright years
   * Breaks gitsign<=0.13.0-3
Git-Tag-Info: tag=e3826849be15088c93365b0035cd01387c3c357f fp=a3cc9c870b9d310abad4cf2f51722b08fe4745a2
Git-Tag-Tagger: Simon Josefsson <[email protected]>



--- End Message ---
