Your message dated Sun, 15 Mar 2026 12:49:30 +0000
with message-id <[email protected]>
and subject line Bug#1128652: fixed in cosign 3.0.5-1~exp0
has caused the Debian Bug report #1128652,
regarding cosign: CVE-2026-24122
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1128652: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128652
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: cosign
Version: 2.6.2-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for cosign.
CVE-2026-24122[0]:
| Cosign provides code signing and transparency for containers and
| binaries. In versions 3.0.4 and below, an issuing certificate with a
| validity that expires before the leaf certificate will be considered
| valid during verification even if the provided timestamp would mean
| the issuing certificate should be considered expired. When verifying
| artifact signatures using a certificate, Cosign first verifies the
| certificate chain using the leaf certificate's "not before"
| timestamp and later checks expiry of the leaf certificate using
| either a signed timestamp provided by the Rekor transparency log or
| from a timestamp authority, or using the current time. The root and
| all issuing certificates are assumed to be valid during the leaf
| certificate's validity. There is no impact to users of the public
| Sigstore infrastructure. This may affect private deployments with
| customized PKIs. This issue has been fixed in version 3.0.5.
I'm still filing the issue for tracking, but afaiu this is a small
issue in practice.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-24122
https://www.cve.org/CVERecord?id=CVE-2026-24122
[1] https://github.com/sigstore/cosign/security/advisories/GHSA-wfqv-66vq-46rm
[2] https://github.com/sigstore/cosign/commit/3c9a7363f563db76d78e2de2cabd945450f3781e
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
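The chain-validation ordering described in the advisory quoted above, as an added Go example (editor's illustration; this is neither cosign's code nor the fix in the linked commit). It builds a constructed three-certificate chain in which the intermediate is valid for one day while the leaf is valid for thirty, then contrasts two checks: VerifyWeak validates the chain at the leaf's NotBefore and compares only the leaf's own window against the signed timestamp, which is the behaviour the advisory describes, while VerifyFixed validates every certificate in the chain at the signed timestamp. The type and function names, the subject names and the issuance date are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain is a constructed three-tier PKI for this demonstration (not cosign's data model).
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs tmpl with signer under parent and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// BuildChain issues root -> intermediate -> leaf at `now`. The intermediate lives
// one day and the leaf thirty days, so the leaf outlives its issuer: the PKI shape
// the advisory warns private deployments about.
func BuildChain(now time.Time) Chain {
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	intKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root"},
		NotBefore: now, NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	intTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Example Intermediate"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), // expires after one day
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	inter := issue(intTmpl, root, &intKey.PublicKey, rootKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "example-signer"},
		NotBefore: now, NotAfter: now.Add(30 * 24 * time.Hour), // outlives the intermediate
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	leaf := issue(leafTmpl, inter, &leafKey.PublicKey, intKey)
	return Chain{Root: root, Intermediate: inter, Leaf: leaf}
}

// verifyChainAt validates the whole chain as of `at`. Go's x509 checks every
// certificate's validity window against CurrentTime, not only the leaf's.
func verifyChainAt(c Chain, at time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(c.Root)
	inters.AddCert(c.Intermediate)
	_, err := c.Leaf.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err
}

// VerifyWeak mirrors the ordering the advisory describes: the chain is checked
// at the leaf's NotBefore, then only the leaf's own window is compared with the
// signed timestamp, so the intermediate's expiry is never tested against signedAt.
func VerifyWeak(c Chain, signedAt time.Time) error {
	if err := verifyChainAt(c, c.Leaf.NotBefore); err != nil {
		return err
	}
	if signedAt.Before(c.Leaf.NotBefore) || signedAt.After(c.Leaf.NotAfter) {
		return fmt.Errorf("leaf certificate not valid at %s", signedAt.UTC())
	}
	return nil
}

// VerifyFixed is the hardened form used in this example: every certificate in
// the chain must be valid at the signed timestamp.
func VerifyFixed(c Chain, signedAt time.Time) error {
	return verifyChainAt(c, signedAt)
}

func main() {
	now := time.Date(2026, 3, 1, 0, 0, 0, 0, time.UTC) // constructed issuance time
	c := BuildChain(now)
	signedAt := now.Add(48 * time.Hour) // intermediate has expired, leaf has not
	fmt.Println("weak check: ", VerifyWeak(c, signedAt))
	fmt.Println("fixed check:", VerifyFixed(c, signedAt))
}
```

Running it prints `<nil>` for the weak check and an expired-certificate error for the fixed one: a signed timestamp two days after issuance is inside the leaf's window but past the intermediate's, and only the check that evaluates the whole chain at the timestamp notices. For a deployment that cannot upgrade immediately, the mitigation on the PKI side is the one the advisory implies: keep issuing-certificate validity at least as long as any leaf it signs.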
--- Begin Message ---
Source: cosign
Source-Version: 3.0.5-1~exp0
Done: Simon Josefsson <[email protected]>
We believe that the bug you reported is fixed in the latest version of
cosign, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon Josefsson <[email protected]> (supplier of updated cosign package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 15 Mar 2026 13:00:18 +0100
Source: cosign
Architecture: source
Version: 3.0.5-1~exp0
Distribution: experimental
Urgency: medium
Maintainer: Debian Go Packaging Team <[email protected]>
Changed-By: Simon Josefsson <[email protected]>
Closes: 1121251 1128652
Changes:
cosign (3.0.5-1~exp0) experimental; urgency=medium
.
* New upstream (Closes: #1121251)
- Fix CVE-2026-24122 (Closes: #1128652)
* Make d/watch look for non-v2
* Use gbp debian-branch debian/experimental
* Refresh patches
Checksums-Sha1:
bd3a046de9551897feb82759e9dabd4b98233ba7 4142 cosign_3.0.5-1~exp0.dsc
11cfb24bf0b44b40f97b71caa23fd2092a64dd81 694064 cosign_3.0.5.orig.tar.xz
2d3b799198455f260b7f7004c04d108eab786b93 5108 cosign_3.0.5-1~exp0.debian.tar.xz
219472bf7ca08125bfb3f6405eb93d761f58e648 2006316 cosign_3.0.5-1~exp0.git.tar.xz
71da4cffa94542e16907d577e2f96ac9c2424b0b 17312 cosign_3.0.5-1~exp0_source.buildinfo
Checksums-Sha256:
9fa7646a7c195ea71d27034f52af37b680364a6fb7cf97738ecfd9c03c581194 4142 cosign_3.0.5-1~exp0.dsc
e2cda7437080084b445545e655efb75d4bcb1d9e6480e9ae4ae7d020565838e7 694064 cosign_3.0.5.orig.tar.xz
006e21ec34ff7c43319c80f6aeefee0e2c18a44c4a089d59a3b9ad3b1f22e6a2 5108 cosign_3.0.5-1~exp0.debian.tar.xz
00127da0542f80d82c7cc5be5d0d6967b34ee58e99e2cc2f8cdf1072ab6210d2 2006316 cosign_3.0.5-1~exp0.git.tar.xz
4ab13320373424fbfe8b14f67f3f86f1705da7f2b7f151f65e66e855acf036e7 17312 cosign_3.0.5-1~exp0_source.buildinfo
Files:
44cd08ae4e4e75a3adc8486eb926c02b 4142 golang optional cosign_3.0.5-1~exp0.dsc
2617db0493a5e6c60b15410975080206 694064 golang optional cosign_3.0.5.orig.tar.xz
e0bae25ecec572bc698d8a68ed709665 5108 golang optional cosign_3.0.5-1~exp0.debian.tar.xz
fdd504b522d243784623d825fc049051 2006316 golang None cosign_3.0.5-1~exp0.git.tar.xz
5bbd9e363bf44d1c676168c1f7bb1ee6 17312 golang optional cosign_3.0.5-1~exp0_source.buildinfo
Git-Tag-Info: tag=24000c0867b1a68aae21d1a04d8517aaeba3efcc
fp=a3cc9c870b9d310abad4cf2f51722b08fe4745a2
Git-Tag-Tagger: Simon Josefsson <[email protected]>
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEN02M5NuW6cvUwJcqYG0ITkaDwHkFAmm2pzAACgkQYG0ITkaD
wHk8FxAAhVjl3uSND7hocGcUNxPMEKw/ThTv0CwFvgzIbjgUgm5tLnH7nKy69RLx
Fv4l+ypWy0OuGsidhCwo9fM2T2Jytj87BOPbVYgU+h2MZgCGH9zuLcYAaOJtJWSm
su5NsiamRFEcu5uAxxfDiGYryat3JgDiPZg0fgC+egcgs+ZKCeLVwwZmDPnjq4xR
OM8B8thtQQYNyJefxUXsMtSQrYYS9IGwxwZCb/chzBA2nvDJRh1ffMkcmDOYYa2R
VyHJYyrWrilvAtJtXRrYVSz9PmMkmU+HKytxD3vI6z2oAKgE/6gbddc4t37vFhZF
T7zjWNdjOdKJ8lh62GCZxGA+FGXVxLb0uvX9aPZt/1/UcK0iUYBnYVVsf2O2UsGd
jU+aXjgHghi3aoXzCs2sSVDl3hHLtxXAwZFXT2BwwMi9sqfyvWM4PP54IpMI2EVf
bcJ4TgS+lC6ZX641qNDNH6O433/973wIX6XdN6u6IQviaL2N16r6qGwFQbw5r36v
n+fwGhtfT8WK/FXH3JDZWlWDTONDqc2ieYSLqZ1nwezp2iim7grEwiz2uz6Y08Ni
vqA1K9+mc0MOsGOlAc1hNr8zyqeNp5QcQipsRqG0TrvvkdcuqA6fBTyFrHUuN/qt
nf5+uwciLygx6VdjeufRYw64+X//KlyXkrFwT2FhtRZ07igICL0=
=oyCB
-----END PGP SIGNATURE-----
--- End Message ---