cosign-3.0.4-2.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2026:10232-1 Final 1 1 2026-02-20T00:00:00Z current 2026-02-20T00:00:00Z 2026-02-20T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z cosign-3.0.4-2.1 on GA media These are all security issues fixed in the cosign-3.0.4-2.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2026-10232 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2025-11065/ SUSE CVE CVE-2025-11065 page https://www.suse.com/security/cve/CVE-2025-58181/ SUSE CVE CVE-2025-58181 page https://www.suse.com/security/cve/CVE-2026-22703/ SUSE CVE CVE-2026-22703 page openSUSE Tumbleweed cosign-3.0.4-2.1 cosign-bash-completion-3.0.4-2.1 cosign-fish-completion-3.0.4-2.1 cosign-zsh-completion-3.0.4-2.1 cosign-3.0.4-2.1 as a component of openSUSE Tumbleweed cosign-bash-completion-3.0.4-2.1 as a component of openSUSE Tumbleweed cosign-fish-completion-3.0.4-2.1 as a component of openSUSE Tumbleweed cosign-zsh-completion-3.0.4-2.1 as a component of openSUSE Tumbleweed A flaw was found in github.com/go-viper/mapstructure/v2, in the field processing component using mapstructure.WeakDecode. This vulnerability allows information disclosure through detailed error messages that may leak sensitive input values via malformed user-supplied data processed in security-critical contexts. CVE-2025-11065 openSUSE Tumbleweed:cosign-3.0.4-2.1 openSUSE Tumbleweed:cosign-bash-completion-3.0.4-2.1 openSUSE Tumbleweed:cosign-fish-completion-3.0.4-2.1 openSUSE Tumbleweed:cosign-zsh-completion-3.0.4-2.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-11065.html CVE-2025-11065 https://bugzilla.suse.com/1250608 SUSE Bug 1250608 SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption. CVE-2025-58181 openSUSE Tumbleweed:cosign-3.0.4-2.1 openSUSE Tumbleweed:cosign-bash-completion-3.0.4-2.1 openSUSE Tumbleweed:cosign-fish-completion-3.0.4-2.1 openSUSE Tumbleweed:cosign-zsh-completion-3.0.4-2.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-58181.html CVE-2025-58181 https://bugzilla.suse.com/1253784 SUSE Bug 1253784 Cosign provides code signing and transparency for containers and binaries. Prior to versions 2.6.2 and 3.0.4, Cosign bundle can be crafted to successfully verify an artifact even if the embedded Rekor entry does not reference the artifact's digest, signature or public key. When verifying a Rekor entry, Cosign verifies the Rekor entry signature, and also compares the artifact's digest, the user's public key from either a Fulcio certificate or provided by the user, and the artifact signature to the Rekor entry contents. Without these comparisons, Cosign would accept any response from Rekor as valid. A malicious actor that has compromised a user's identity or signing key could construct a valid Cosign bundle by including any arbitrary Rekor entry, thus preventing the user from being able to audit the signing event. This issue has been patched in versions 2.6.2 and 3.0.4. CVE-2026-22703 openSUSE Tumbleweed:cosign-3.0.4-2.1 openSUSE Tumbleweed:cosign-bash-completion-3.0.4-2.1 openSUSE Tumbleweed:cosign-fish-completion-3.0.4-2.1 openSUSE Tumbleweed:cosign-zsh-completion-3.0.4-2.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2026-22703.html CVE-2026-22703 https://bugzilla.suse.com/1256496 SUSE Bug 1256496