Your message dated Wed, 18 Feb 2026 21:18:48 +0000
with message-id <[email protected]>
and subject line Bug#1126764: fixed in cosign 2.6.2-1
has caused the Debian Bug report #1126764,
regarding cosign: CVE-2026-22703
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1126764: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126764
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: cosign
Version: 2.5.0-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/sigstore/cosign/pull/4623
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for cosign.
CVE-2026-22703[0]:
| Cosign provides code signing and transparency for containers and
| binaries. Prior to versions 2.6.2 and 3.0.4, Cosign bundle can be
| crafted to successfully verify an artifact even if the embedded
| Rekor entry does not reference the artifact's digest, signature or
| public key. When verifying a Rekor entry, Cosign verifies the Rekor
| entry signature, and also compares the artifact's digest, the user's
| public key from either a Fulcio certificate or provided by the user,
| and the artifact signature to the Rekor entry contents. Without
| these comparisons, Cosign would accept any response from Rekor as
| valid. A malicious actor that has compromised a user's identity or
| signing key could construct a valid Cosign bundle by including any
| arbitrary Rekor entry, thus preventing the user from being able to
| audit the signing event. This issue has been patched in versions
| 2.6.2 and 3.0.4.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-22703
https://www.cve.org/CVERecord?id=CVE-2026-22703
[1] https://github.com/sigstore/cosign/pull/4623
[2] https://github.com/sigstore/cosign/security/advisories/GHSA-whqx-f9j3-ch6m
[3] https://github.com/sigstore/cosign/commit/3ade80c5f77cefc904f8c994e88618e5892e8f1c
https://github.com/sigstore/cosign/commit/6832fba4928c1ad69400235bbc41212de5006176
Regards,
Salvatore
--- End Message ---
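The comparison step the CVE text describes, written out as an added example in Go (cosign's own language); this is illustration code, not cosign's implementation or the patch referenced above. It assumes the Rekor entry body has the layout of a `hashedrekord` v0.0.1 entry (digest under `spec.data.hash`, base64 signature and base64 PEM public key under `spec.signature`), and that the entry's signed entry timestamp and inclusion proof are verified elsewhere: those prove the entry is in the log, not that it is about the artifact being verified, which is exactly the gap the advisory describes. The artifact bytes, key and second "other" artifact are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
)

// hashedRekord: the fields of a Rekor hashedrekord v0.0.1 entry body that the
// comparison needs. The Go type is part of this added example, not cosign's code.
type hashedRekord struct {
	Kind string `json:"kind"`
	Spec struct {
		Data struct {
			Hash struct {
				Algorithm string `json:"algorithm"`
				Value     string `json:"value"`
			} `json:"hash"`
		} `json:"data"`
		Signature struct {
			Content   string `json:"content"`
			PublicKey struct {
				Content string `json:"content"`
			} `json:"publicKey"`
		} `json:"signature"`
	} `json:"spec"`
}

// checkRekorEntry rejects an entry body unless it references exactly the
// artifact digest, signature and public key the verifier already checked.
// SET / inclusion-proof verification is assumed to happen elsewhere.
func checkRekorEntry(body, artifactDigest, sig []byte, pub *ecdsa.PublicKey) error {
	var e hashedRekord
	if err := json.Unmarshal(body, &e); err != nil {
		return fmt.Errorf("decode entry body: %w", err)
	}
	if e.Kind != "hashedrekord" || e.Spec.Data.Hash.Algorithm != "sha256" {
		return fmt.Errorf("unexpected entry kind/algorithm %q/%q", e.Kind, e.Spec.Data.Hash.Algorithm)
	}
	entryDigest, err := hex.DecodeString(e.Spec.Data.Hash.Value)
	if err != nil || !bytes.Equal(entryDigest, artifactDigest) {
		return errors.New("rekor entry digest does not match the artifact")
	}
	entrySig, err := base64.StdEncoding.DecodeString(e.Spec.Signature.Content)
	if err != nil || !bytes.Equal(entrySig, sig) {
		return errors.New("rekor entry signature does not match the bundle signature")
	}
	keyPEM, err := base64.StdEncoding.DecodeString(e.Spec.Signature.PublicKey.Content)
	block, _ := pem.Decode(keyPEM)
	if err != nil || block == nil {
		return errors.New("rekor entry public key is not base64 PEM")
	}
	parsed, err := x509.ParsePKIXPublicKey(block.Bytes)
	// Compare parsed keys, not PEM bytes, so harmless encoding differences pass.
	if k, ok := parsed.(*ecdsa.PublicKey); err != nil || !ok || !k.Equal(pub) {
		return errors.New("rekor entry public key does not match the verification key")
	}
	return nil
}

// newEntryBody builds a hashedrekord body as a signer would. Inputs are valid
// by construction here, so marshalling errors are ignored in this demo.
func newEntryBody(digest, sig []byte, pub *ecdsa.PublicKey) []byte {
	der, _ := x509.MarshalPKIXPublicKey(pub)
	var e hashedRekord
	e.Kind, e.Spec.Data.Hash.Algorithm = "hashedrekord", "sha256"
	e.Spec.Data.Hash.Value = hex.EncodeToString(digest)
	e.Spec.Signature.Content = base64.StdEncoding.EncodeToString(sig)
	e.Spec.Signature.PublicKey.Content = base64.StdEncoding.EncodeToString(
		pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}))
	body, _ := json.Marshal(e)
	return body
}

// demo signs a constructed artifact, then checks an honest entry and one that
// carries the same key and signature but the digest of a different artifact.
func demo() (honest, mismatched error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	artifact := sha256.Sum256([]byte("constructed artifact bytes"))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, artifact[:])
	if err != nil {
		panic(err)
	}
	other := sha256.Sum256([]byte("some other artifact"))
	honest = checkRekorEntry(newEntryBody(artifact[:], sig, &priv.PublicKey), artifact[:], sig, &priv.PublicKey)
	mismatched = checkRekorEntry(newEntryBody(other[:], sig, &priv.PublicKey), artifact[:], sig, &priv.PublicKey)
	return honest, mismatched
}

func main() { fmt.Println(demo()) }
```

Running it prints `<nil>` for the honest entry and the digest-mismatch error for the second one. The point of the comparison is not cryptographic strength: the forged entry in the demo is a perfectly valid log record, just for the wrong artifact, so only the field-by-field comparison ties the transparency log record to what was actually verified.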
--- Begin Message ---
Source: cosign
Source-Version: 2.6.2-1
Done: Simon Josefsson <[email protected]>
We believe that the bug you reported is fixed in the latest version of
cosign, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon Josefsson <[email protected]> (supplier of updated cosign package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 18 Feb 2026 22:07:39 +0100
Source: cosign
Architecture: source
Version: 2.6.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <[email protected]>
Changed-By: Simon Josefsson <[email protected]>
Closes: 1126764
Changes:
cosign (2.6.2-1) unstable; urgency=medium
.
* Run wrap-and-sort -satbk
* Add lrc.config
.
cosign (2.6.2-1~exp0) experimental; urgency=medium
.
* New upstream version
- Fixes CVE-2026-22703 (Closes: #1126764)
* Use watch v5 tracking git and pinning at v2
* Use gbp upstream-vcs-tag
* Refresh patches
* Add new build deps
* Bump sigstore-go to >=1.1.4
* Drop Priority: optional
* Drop Rules-Requires-Root: no
* Standards-Version: 4.7.3
* Modernize Salsa CI
* Drop lintian field-too-long for Static-Built-Using
* Bump copyright years
* Breaks gitsign<=0.13.0-3
Checksums-Sha1:
c63e9ea3d1b3e2e9bad11141885d7840bd89de17 4076 cosign_2.6.2-1.dsc
ffda79d1fb176858b8b89bd947595ef3e4f92bc1 5960 cosign_2.6.2-1.debian.tar.xz
17d08c75197b30e534bc4a499c30a47201de0c7f 1772076 cosign_2.6.2-1.git.tar.xz
0449d882d50947435c1fa3b0df487ffb4281c1cc 17290 cosign_2.6.2-1_source.buildinfo
Checksums-Sha256:
6164ff55f73d0c0ed761504c452abe020b1c61eacf655464fe47afd429782769 4076 cosign_2.6.2-1.dsc
f5514e2c17c63e6504408c5bbbd0414a24e60655a531863c5fb45d857798cadd 5960 cosign_2.6.2-1.debian.tar.xz
09d96a6e32735f942e03c12fd7c354ecbc12ac719525cd2be87d3594761af460 1772076 cosign_2.6.2-1.git.tar.xz
30f7db5e1c6a5ed1598e055331ebf0bc076b34948082f4b4d0cb12e3fe84c337 17290 cosign_2.6.2-1_source.buildinfo
Files:
f01bba957e5cec626094b7e8e0535ea1 4076 golang optional cosign_2.6.2-1.dsc
f057a6ddb55dc47d412bd4523ad08983 5960 golang optional cosign_2.6.2-1.debian.tar.xz
755c62d8b6e7fa71ff70207609224a5a 1772076 golang None cosign_2.6.2-1.git.tar.xz
907c7525d72ef88f46abd3f92c2d4e98 17290 golang optional cosign_2.6.2-1_source.buildinfo
Git-Tag-Info: tag=44066f537fcb01533c2e5b464767e2d9afa5b33f fp=a3cc9c870b9d310abad4cf2f51722b08fe4745a2
Git-Tag-Tagger: Simon Josefsson <[email protected]>
-----BEGIN PGP SIGNATURE-----
=SxpN
-----END PGP SIGNATURE-----
pgpioNv7pqWvS.pgp
Description: PGP signature
--- End Message ---