Source: cosign
Version: 2.5.0-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/sigstore/cosign/pull/4623
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for cosign.

CVE-2026-22703[0]:
| Cosign provides code signing and transparency for containers and
| binaries. Prior to versions 2.6.2 and 3.0.4, a Cosign bundle can be
| crafted to successfully verify an artifact even if the embedded
| Rekor entry does not reference the artifact's digest, signature or
| public key. When verifying a Rekor entry, Cosign verifies the Rekor
| entry signature, and also compares the artifact's digest, the user's
| public key from either a Fulcio certificate or provided by the user,
| and the artifact signature to the Rekor entry contents. Without
| these comparisons, Cosign would accept any response from Rekor as
| valid. A malicious actor that has compromised a user's identity or
| signing key could construct a valid Cosign bundle by including any
| arbitrary Rekor entry, thus preventing the user from being able to
| audit the signing event. This issue has been patched in versions
| 2.6.2 and 3.0.4.

If you fix the vulnerability, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-22703
    https://www.cve.org/CVERecord?id=CVE-2026-22703
[1] https://github.com/sigstore/cosign/pull/4623
[2] https://github.com/sigstore/cosign/security/advisories/GHSA-whqx-f9j3-ch6m
[3] https://github.com/sigstore/cosign/commit/3ade80c5f77cefc904f8c994e88618e5892e8f1c
    https://github.com/sigstore/cosign/commit/6832fba4928c1ad69400235bbc41212de5006176

Regards,
Salvatore
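The check the advisory describes, as an added illustration that is not cosign's own code: after verifying Rekor's signature over the entry, the verifier must also compare the entry's contents to the artifact digest, signature and signer key it is verifying, otherwise any validly signed Rekor entry is accepted. The `entryBody` layout, the `signSET` stand-in for Rekor's signed entry timestamp and all inputs are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// entryBody is a constructed stand-in for a Rekor hashedrekord body: the
// artifact's sha256 digest, its signature and the signer's public key bytes.
type entryBody struct{ Digest, Signature, PublicKey []byte }

func canonical(b entryBody) []byte { j, _ := json.Marshal(b); return j }

// signSET stands in for Rekor signing the canonical body (the signed entry timestamp).
func signSET(rekor *ecdsa.PrivateKey, b entryBody) []byte {
	h := sha256.Sum256(canonical(b))
	s, _ := ecdsa.SignASN1(rand.Reader, rekor, h[:])
	return s
}

// verifyEntry checks Rekor's signature over the body and then, the step the advisory
// says was missing, that the entry references this artifact's digest, signature and key.
func verifyEntry(body entryBody, set []byte, rekorPub *ecdsa.PublicKey, digest, sig, pub []byte) error {
	h := sha256.Sum256(canonical(body))
	if !ecdsa.VerifyASN1(rekorPub, h[:], set) {
		return errors.New("rekor entry signature invalid")
	}
	for _, c := range []struct{ name string; got, want []byte }{
		{"artifact digest", body.Digest, digest},
		{"artifact signature", body.Signature, sig},
		{"signer public key", body.PublicKey, pub},
	} {
		if !bytes.Equal(c.got, c.want) { // without this, any Rekor-signed entry passes
			return errors.New("rekor entry does not reference " + c.name)
		}
	}
	return nil
}

// demo returns verifyEntry's result for the genuine entry and for an unrelated, validly Rekor-signed one.
func demo() (genuine, bogus error) {
	rekor, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	d := sha256.Sum256([]byte("artifact bytes (constructed)"))
	sig, pub := []byte("constructed artifact signature"), []byte("constructed signer key")
	good := entryBody{d[:], sig, pub}
	bad := entryBody{[]byte("digest of some other artifact"), sig, pub}
	genuine = verifyEntry(good, signSET(rekor, good), &rekor.PublicKey, d[:], sig, pub)
	bogus = verifyEntry(bad, signSET(rekor, bad), &rekor.PublicKey, d[:], sig, pub)
	return genuine, bogus
}
```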

