- Package:
- src:cosign
- Source:
- src:cosign
- Submitter:
- Salvatore Bonaccorso
- Date:
- 2026-06-02 20:37:03 UTC
- Severity:
- normal
- Tags:
Hi,

The following vulnerability was published for cosign.

CVE-2026-24122[0]:
| Cosign provides code signing and transparency for containers and
| binaries. In versions 3.0.4 and below, an issuing certificate with a
| validity that expires before the leaf certificate will be considered
| valid during verification even if the provided timestamp would mean
| the issuing certificate should be considered expired. When verifying
| artifact signatures using a certificate, Cosign first verifies the
| certificate chain using the leaf certificate's "not before"
| timestamp and later checks expiry of the leaf certificate using
| either a signed timestamp provided by the Rekor transparency log or
| from a timestamp authority, or using the current time. The root and
| all issuing certificates are assumed to be valid during the leaf
| certificate's validity. There is no impact to users of the public
| Sigstore infrastructure. This may affect private deployments with
| customized PKIs. This issue has been fixed in version 3.0.5.

I'm still filing the issue for tracking, but afaiu this is a small
issue in practice.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-24122
    https://www.cve.org/CVERecord?id=CVE-2026-24122
[1] https://github.com/sigstore/cosign/security/advisories/GHSA-wfqv-66vq-46rm
[2] https://github.com/sigstore/cosign/commit/3c9a7363f563db76d78e2de2cabd945450f3781e

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
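The check the advisory describes, evaluating the issuer's validity at the signing time instead of assuming it spans the leaf's, as an added Go example that is not cosign's own code: it builds a constructed chain whose root expires before its leaf and verifies the whole chain against a single reference time, the role the Rekor or TSA timestamp plays in cosign. The helper names (day, mustCert, buildChain, chainValidAt) and the "test-root"/"test-signer" certificates are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func day(m time.Month) time.Time { return time.Date(2026, m, 1, 0, 0, 0, 0, time.UTC) } // fixed, constructed test dates

func mustCert(tmpl, parent *x509.Certificate, pub, priv any) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil { panic(err) }
	c, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return c
}

// buildChain issues a constructed test PKI (not Sigstore material) with the
// shape in the advisory: the root (valid Jan-Mar) expires before the leaf (Feb-Jun).
func buildChain() (root, leaf *x509.Certificate) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test-root"},
		NotBefore: day(time.January), NotAfter: day(time.March),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	root = mustCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "test-signer"},
		NotBefore: day(time.February), NotAfter: day(time.June),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	leaf = mustCert(leafTmpl, root, &leafKey.PublicKey, caKey)
	return root, leaf
}

// chainValidAt checks every certificate in the chain against one reference time t
// (the signed timestamp): an issuer expired at t fails even if the leaf is still in date.
func chainValidAt(root, leaf *x509.Certificate, t time.Time) bool {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: t, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	return err == nil
}
```

Verifying only at the leaf's NotBefore (February) succeeds for this chain; verifying at a timestamp after the root's NotAfter (April) fails, which is the distinction the 3.0.5 fix restores.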
We believe that the bug you reported is fixed in the latest version of
cosign, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1128652@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon Josefsson <simon@josefsson.org> (supplier of updated cosign package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sun, 15 Mar 2026 13:00:18 +0100
Source: cosign
Architecture: source
Version: 3.0.5-1~exp0
Distribution: experimental
Urgency: medium
Maintainer: Debian Go Packaging Team <team+pkg-go@tracker.debian.org>
Changed-By: Simon Josefsson <simon@josefsson.org>
Closes: 1121251 1128652
Changes:
cosign (3.0.5-1~exp0) experimental; urgency=medium
.
* New upstream (Closes: #1121251)
- Fix CVE-2026-24122 (Closes: #1128652)
* Make d/watch look for non-v2
* Use gbp debian-branch debian/experimental
* Refresh patches
Git-Tag-Info: tag=24000c0867b1a68aae21d1a04d8517aaeba3efcc fp=a3cc9c870b9d310abad4cf2f51722b08fe4745a2
Git-Tag-Tagger: Simon Josefsson <simon@josefsson.org>
We believe that the bug you reported is fixed in the latest version of
cosign, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1128652@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon Josefsson <simon@josefsson.org> (supplier of updated cosign package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Tue, 02 Jun 2026 21:11:56 +0200
Source: cosign
Architecture: source
Version: 3.0.6-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <team+pkg-go@tracker.debian.org>
Changed-By: Simon Josefsson <simon@josefsson.org>
Closes: 1121251 1128652 1133005
Changes:
cosign (3.0.6-1) unstable; urgency=medium
.
* Upload to unstable
* Use gbp debian-branch debian/latest
* Breaks gittuf<=0.13.1
.
cosign (3.0.6-1~exp0) experimental; urgency=medium
.
* New upstream version
- Fixes CVE-2026-39395 (Closes: #1133005)
* Standards-Version: 4.7.4
* Bump Breaks for v3 transition
* Bump upstream copyright years
* Improve lrc.config
.
cosign (3.0.5-1~exp0) experimental; urgency=medium
.
* New upstream (Closes: #1121251)
- Fix CVE-2026-24122 (Closes: #1128652)
* Make d/watch look for non-v2
* Use gbp debian-branch debian/experimental
* Refresh patches
Git-Tag-Info: tag=3d31f47751c79e24ea76effe6dbe0c49261f32a4 fp=a3cc9c870b9d310abad4cf2f51722b08fe4745a2
Git-Tag-Tagger: Simon Josefsson <simon@josefsson.org>