Bugzilla – Bug 1218207
VUL-0: CVE-2023-48795: cosign: golang.org/x/crypto/ssh: prefix truncation breaking ssh channel integrity
Last modified: 2024-02-13 16:30:08 UTC
SUSE:SLE-15-SP4:Update/cosign uses a a vulnerable version of crypto/ssh package
This is an autogenerated message for OBS integration: This bug (1218207) was mentioned in https://build.opensuse.org/request/show/1143630 Factory / cosign
This is an autogenerated message for OBS integration: This bug (1218207) was mentioned in https://build.opensuse.org/request/show/1144326 Factory / rekor
SUSE-SU-2024:0430-1: An update that solves one vulnerability and contains one feature can now be installed. Category: security (moderate) Bug References: 1218207 CVE References: CVE-2023-48795 Jira References: SLE-23879 Sources used: Basesystem Module 15-SP5 (src): cosign-2.2.3-150400.3.17.1 openSUSE Leap 15.4 (src): cosign-2.2.3-150400.3.17.1 openSUSE Leap 15.5 (src): cosign-2.2.3-150400.3.17.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
fixed
SUSE-SU-2024:0460-1: An update that solves one vulnerability and contains one feature can now be installed. Category: security (important) Bug References: 1218207 CVE References: CVE-2023-48795 Jira References: SLE-23476 Sources used: openSUSE Leap 15.4 (src): rekor-1.3.5-150400.4.19.1 openSUSE Leap 15.5 (src): rekor-1.3.5-150400.4.19.1 Basesystem Module 15-SP5 (src): rekor-1.3.5-150400.4.19.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.