
When will the next cosign version be released? Current version has open CVEs #35

Open
candrews opened this issue Oct 2, 2024 · 1 comment
Labels
question Further information is requested

Comments


candrews commented Oct 2, 2024

Question

When is the next release of cosign scheduled?

I ask as the current version, 2.4.0, has open CVEs:

$ docker run -it aquasec/trivy image gcr.io/projectsigstore/cosign:v2.4.0 --quiet

gcr.io/projectsigstore/cosign:v2.4.0 (debian 12.6)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


ko-app/cosign (gobinary)

Total: 7 (UNKNOWN: 0, LOW: 1, MEDIUM: 3, HIGH: 2, CRITICAL: 1)

┌─────────────────────────────────────────┬────────────────┬──────────┬────────┬──────────────────────┬─────────────────────────────────┬─────────────────────────────────────────────────────────────┐
│                 Library                 │ Vulnerability  │ Severity │ Status │  Installed Version   │          Fixed Version          │                            Title                            │
├─────────────────────────────────────────┼────────────────┼──────────┼────────┼──────────────────────┼─────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ github.com/docker/docker                │ CVE-2024-41110 │ CRITICAL │ fixed  │ v26.1.4+incompatible │ 23.0.15, 26.1.5, 27.1.1, 25.0.6 │ moby: Authz zero length regression                          │
│                                         │                │          │        │                      │                                 │ https://avd.aquasec.com/nvd/cve-2024-41110                  │
├─────────────────────────────────────────┼────────────────┼──────────┤        ├──────────────────────┼─────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ github.com/open-policy-agent/opa        │ CVE-2024-8260  │ MEDIUM   │        │ v0.67.0              │ 0.68.0                          │ opa: OPA SMB Force-Authentication                           │
│                                         │                │          │        │                      │                                 │ https://avd.aquasec.com/nvd/cve-2024-8260                   │
├─────────────────────────────────────────┼────────────────┼──────────┤        ├──────────────────────┼─────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ github.com/sigstore/sigstore-go         │ CVE-2024-45395 │ LOW      │        │ v0.5.1               │ 0.6.1                           │ sigstore-go has an unbounded loop over untrusted input can  │
│                                         │                │          │        │                      │                                 │ lead to endless...                                          │
│                                         │                │          │        │                      │                                 │ https://avd.aquasec.com/nvd/cve-2024-45395                  │
├─────────────────────────────────────────┼────────────────┼──────────┤        ├──────────────────────┼─────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ github.com/theupdateframework/go-tuf/v2 │ CVE-2024-47534 │ HIGH     │        │ v2.0.0               │ 2.0.1                           │ go-tuf: Incorrect delegation lookups can make go-tuf        │
│                                         │                │          │        │                      │                                 │ download the wrong artifact                                 │
│                                         │                │          │        │                      │                                 │ https://avd.aquasec.com/nvd/cve-2024-47534                  │
├─────────────────────────────────────────┼────────────────┤          │        ├──────────────────────┼─────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ stdlib                                  │ CVE-2024-34156 │          │        │ 1.22.5               │ 1.22.7, 1.23.1                  │ encoding/gob: golang: Calling Decoder.Decode on a message   │
│                                         │                │          │        │                      │                                 │ which contains deeply nested structures...                  │
│                                         │                │          │        │                      │                                 │ https://avd.aquasec.com/nvd/cve-2024-34156                  │
│                                         ├────────────────┼──────────┤        │                      │                                 ├─────────────────────────────────────────────────────────────┤
│                                         │ CVE-2024-34155 │ MEDIUM   │        │                      │                                 │ go/parser: golang: Calling any of the Parse functions       │
│                                         │                │          │        │                      │                                 │ containing deeply nested literals...                        │
│                                         │                │          │        │                      │                                 │ https://avd.aquasec.com/nvd/cve-2024-34155                  │
│                                         ├────────────────┤          │        │                      │                                 ├─────────────────────────────────────────────────────────────┤
│                                         │ CVE-2024-34158 │          │        │                      │                                 │ go/build/constraint: golang: Calling Parse on a "// +build" │
│                                         │                │          │        │                      │                                 │ build tag line with...                                      │
│                                         │                │          │        │                      │                                 │ https://avd.aquasec.com/nvd/cve-2024-34158                  │
└─────────────────────────────────────────┴────────────────┴──────────┴────────┴──────────────────────┴─────────────────────────────────┴─────────────────────────────────────────────────────────────┘
@candrews candrews added the question Further information is requested label Oct 2, 2024

candrews commented Oct 2, 2024

From Slack:
[image: Slack screenshot, not captured in this page]

🥳 thank you @bobcallaway
