Source: cosign
Version: 2.6.2-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,

The following vulnerability was published for cosign.

CVE-2026-39395[0]:
| Cosign provides code signing and transparency for containers and
| binaries. Prior to 3.0.6 and 2.6.3, cosign verify-blob-attestation
| may erroneously report a "Verified OK" result for attestations with
| malformed payloads or mismatched predicate types. For old-format
| bundles and detached signatures, this was due to a logic flaw in the
| error handling of the predicate type validation. For new-format
| bundles, the predicate type validation was bypassed completely. This
| vulnerability is fixed in 3.0.6 and 2.6.3.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-39395
    https://www.cve.org/CVERecord?id=CVE-2026-39395
[1] https://github.com/sigstore/cosign/security/advisories/GHSA-w6c6-c85g-mmv6

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
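The advisory quoted above boils down to one rule a verifier must enforce: a malformed attestation payload or a predicateType that differs from the one requested is a verification failure, never "Verified OK". The following is an added, self-contained example (not cosign's own code, and not the upstream fix) of such a fail-closed check over a DSSE envelope carrying an in-toto Statement; the struct names, ConstructedEnvelope and all sample values are assumptions constructed for this illustration, and signature verification is assumed to happen separately.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// dsseEnvelope holds the DSSE fields needed here (constructed subset; signatures are checked elsewhere).
type dsseEnvelope struct {
	PayloadType string `json:"payloadType"`
	Payload     string `json:"payload"`
}

// statement holds the in-toto Statement fields relevant to predicate-type checking.
type statement struct {
	PredicateType string          `json:"predicateType"`
	Predicate     json.RawMessage `json:"predicate"`
}

// CheckPredicateType decodes the payload and fails closed: a malformed envelope or
// statement, a missing or mismatched predicateType, or an absent predicate all return an error.
func CheckPredicateType(envelope []byte, want string) error {
	var env dsseEnvelope
	if err := json.Unmarshal(envelope, &env); err != nil {
		return fmt.Errorf("malformed envelope: %w", err)
	}
	if env.PayloadType != "application/vnd.in-toto+json" {
		return fmt.Errorf("unexpected payloadType %q", env.PayloadType)
	}
	raw, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return fmt.Errorf("payload is not valid base64: %w", err)
	}
	var st statement
	if err := json.Unmarshal(raw, &st); err != nil {
		return fmt.Errorf("payload is not a JSON statement: %w", err)
	}
	// Every error path above has already returned; only an exact match may pass.
	if st.PredicateType == "" || st.PredicateType != want {
		return fmt.Errorf("predicateType %q does not match expected %q", st.PredicateType, want)
	}
	if len(st.Predicate) == 0 || string(st.Predicate) == "null" {
		return fmt.Errorf("statement has no predicate")
	}
	return nil
}

// ConstructedEnvelope wraps a raw statement in an unsigned sample envelope (constructed test data).
func ConstructedEnvelope(payload string) []byte {
	b, _ := json.Marshal(dsseEnvelope{PayloadType: "application/vnd.in-toto+json",
		Payload: base64.StdEncoding.EncodeToString([]byte(payload))})
	return b
}
```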

