microsoft · azurelinux-security · Feb 18, 2026 · Feb 19, 2026 · Feb 19, 2026
@@ -0,0 +1,108 @@
+From 60ef2bceba192c5bf9327d003bceea8bf1f8275f Mon Sep 17 00:00:00 2001
+From: Hayden <8418760+Hayden-IO@users.noreply.github.com>
+Date: Wed, 21 Jan 2026 16:52:44 -0800
+Subject: [PATCH] Drop support for fetching public keys by URL in the search
+ index (#2731)
+
+This mitigates blind SSRF. Note that this API was marked as experimental
+so while this is a breaking change to the API, we offered no guarantee
+of stability.
+
+Fixes GHSA-4c4x-jm2x-pf9j
+
+Signed-off-by: Hayden <8418760+Hayden-IO@users.noreply.github.com>
+
+Upstream Patch reference: https://github.com/sigstore/rekor/commit/60ef2bceba192c5bf9327d003bceea8bf1f8275f.patch
+---
+ .../client/entries/entries_client.go          |  2 +-
+ .../pkg/generated/models/search_index.go      | 20 -------------------
+ .../sigstore/rekor/pkg/util/fetch.go          | 10 +++++++---
+ 3 files changed, 8 insertions(+), 24 deletions(-)
+
+diff --git a/vendor/github.com/sigstore/rekor/pkg/generated/client/entries/entries_client.go b/vendor/github.com/sigstore/rekor/pkg/generated/client/entries/entries_client.go
+index fe2630e..668ec29 100644
+--- a/vendor/github.com/sigstore/rekor/pkg/generated/client/entries/entries_client.go
++++ b/vendor/github.com/sigstore/rekor/pkg/generated/client/entries/entries_client.go
+@@ -58,7 +58,7 @@ type ClientService interface {
+ /*
+ CreateLogEntry creates an entry in the transparency log
+
+-Creates an entry in the transparency log for a detached signature, public key, and content. Items can be included in the request or fetched by the server when URLs are specified.
++Creates an entry in the transparency log for a detached signature, public key, and content.
+ */
+ func (a *Client) CreateLogEntry(params *CreateLogEntryParams, opts ...ClientOption) (*CreateLogEntryCreated, error) {
+ 	// TODO: Validate the params before sending
+diff --git a/vendor/github.com/sigstore/rekor/pkg/generated/models/search_index.go b/vendor/github.com/sigstore/rekor/pkg/generated/models/search_index.go
+index bb1cccc..e731a3b 100644
+--- a/vendor/github.com/sigstore/rekor/pkg/generated/models/search_index.go
++++ b/vendor/github.com/sigstore/rekor/pkg/generated/models/search_index.go
+@@ -229,10 +229,6 @@ type SearchIndexPublicKey struct {
+ 	// Required: true
+ 	// Enum: [pgp x509 minisign ssh tuf]
+ 	Format *string `json:"format"`
+-
+-	// url
+-	// Format: uri
+-	URL strfmt.URI `json:"url,omitempty"`
+ }
+
+ // Validate validates this search index public key
+@@ -243,10 +239,6 @@ func (m *SearchIndexPublicKey) Validate(formats strfmt.Registry) error {
+ 		res = append(res, err)
+ 	}
+
+-	if err := m.validateURL(formats); err != nil {
+-		res = append(res, err)
+-	}
+-
+ 	if len(res) > 0 {
+ 		return errors.CompositeValidationError(res...)
+ 	}
+@@ -305,18 +297,6 @@ func (m *SearchIndexPublicKey) validateFormat(formats strfmt.Registry) error {
+ 	return nil
+ }
+
+-func (m *SearchIndexPublicKey) validateURL(formats strfmt.Registry) error {
+-	if swag.IsZero(m.URL) { // not required
+-		return nil
+-	}
+-
+-	if err := validate.FormatOf("publicKey"+"."+"url", "body", "uri", m.URL.String(), formats); err != nil {
+-		return err
+-	}
+-
+-	return nil
+-}
+-
+ // ContextValidate validates this search index public key based on context it is used
+ func (m *SearchIndexPublicKey) ContextValidate(ctx context.Context, formats strfmt.Registry) error {
+ 	return nil
+diff --git a/vendor/github.com/sigstore/rekor/pkg/util/fetch.go b/vendor/github.com/sigstore/rekor/pkg/util/fetch.go
+index 7f8e93f..5c5c464 100644
+--- a/vendor/github.com/sigstore/rekor/pkg/util/fetch.go
++++ b/vendor/github.com/sigstore/rekor/pkg/util/fetch.go
+@@ -21,14 +21,18 @@ import (
+ 	"fmt"
+ 	"io"
+ 	"net/http"
++	"time"
+ )
+
+-// FileOrURLReadCloser Note: caller is responsible for closing ReadCloser returned from method!
++// FileOrURLReadCloser reads content either from a URL or a byte slice
++// Note: Caller is responsible for closing the returned ReadCloser
++// Note: This must never be called from any server codepath to prevent SSRF
+ func FileOrURLReadCloser(ctx context.Context, url string, content []byte) (io.ReadCloser, error) {
+ 	var dataReader io.ReadCloser
+ 	if url != "" {
+-		//TODO: set timeout here, SSL settings?
+-		client := &http.Client{}
++		client := &http.Client{
++			Timeout: 30 * time.Second,
++		}
+ 		req, err := http.NewRequestWithContext(ctx, "GET", url, nil)
+ 		if err != nil {
+ 			return nil, err
+-- 
+2.43.0
+
@@ -1,7 +1,7 @@
 Summary:        Inspect container images and repositories on registries
 Name:           skopeo
 Version:        1.14.4
-Release:        8%{?dist}
+Release:        9%{?dist}
 License:        Apache-2.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -16,6 +16,7 @@ Patch4:         CVE-2025-27144.patch
 Patch5:         CVE-2025-58058.patch
 Patch6:         CVE-2025-58183.patch
 Patch7:         CVE-2025-11065.patch
+Patch8:         CVE-2026-24117.patch
 
 %global debug_package %{nil}
 %define our_gopath %{_topdir}/.gopath
@@ -54,6 +55,9 @@ make test-unit-local
 %{_mandir}/man1/%%{name}*
 
 %changelog
+* Wed Feb 18 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.14.4-9
+- Patch for CVE-2026-24117
+
 * Tue Feb 03 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.14.4-8
 - Patch for CVE-2025-11065