Bug 1218207

Summary: VUL-0: CVE-2023-48795: cosign: golang.org/x/crypto/ssh: prefix truncation breaking ssh channel integrity
Product: [Novell Products] SUSE Security Incidents Reporter: Thomas Leroy <thomas.leroy>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Critical    
Priority: P3 - Medium    
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/387549/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on:    
Bug Blocks: 1218150    

Comment 1 Thomas Leroy 2023-12-19 13:21:45 UTC 
SUSE:SLE-15-SP4:Update/cosign uses a a vulnerable version of crypto/ssh package
Comment 2 OBSbugzilla Bot 2024-02-02 13:35:02 UTC 
This is an autogenerated message for OBS integration:
This bug (1218207) was mentioned in
https://build.opensuse.org/request/show/1143630 Factory / cosign
Comment 3 OBSbugzilla Bot 2024-02-05 15:35:03 UTC 
This is an autogenerated message for OBS integration:
This bug (1218207) was mentioned in
https://build.opensuse.org/request/show/1144326 Factory / rekor
Comment 5 Maintenance Automation 2024-02-08 16:30:22 UTC 
SUSE-SU-2024:0430-1: An update that solves one vulnerability and contains one feature can now be installed.

Category: security (moderate)
Bug References: 1218207
CVE References: CVE-2023-48795
Jira References: SLE-23879
Sources used:
Basesystem Module 15-SP5 (src): cosign-2.2.3-150400.3.17.1
openSUSE Leap 15.4 (src): cosign-2.2.3-150400.3.17.1
openSUSE Leap 15.5 (src): cosign-2.2.3-150400.3.17.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Marcus Meissner 2024-02-08 16:38:58 UTC 
fixed
Comment 7 Maintenance Automation 2024-02-13 16:30:08 UTC 
SUSE-SU-2024:0460-1: An update that solves one vulnerability and contains one feature can now be installed.

Category: security (important)
Bug References: 1218207
CVE References: CVE-2023-48795
Jira References: SLE-23476
Sources used:
openSUSE Leap 15.4 (src): rekor-1.3.5-150400.4.19.1
openSUSE Leap 15.5 (src): rekor-1.3.5-150400.4.19.1
Basesystem Module 15-SP5 (src): rekor-1.3.5-150400.4.19.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.