Security update for rekor
| Announcement ID: | SUSE-SU-2024:0460-1 |
|---|---|
| Rating: | important |
| References: | |
| Cross-References: | |
| CVSS scores: |
|
| Affected Products: |
|
An update that solves one vulnerability and contains one feature can now be installed.
Description:
This update for rekor fixes the following issues:
update to 1.3.5 (jsc#SLE-23476):
- Additional unique index correction
- Remove timestamp from checkpoint
- Drop conditional when verifying entry checkpoint
- Fix panic for DSSE canonicalization
- Change Redis value for locking mechanism
- give log timestamps nanosecond precision
-
output trace in slog and override correlation header name
-
bumped embedded golang.org/x/crypto/ssh to fix the Terrapin attack CVE-2023-48795 (bsc#1218207)
Updated to 1.3.4:
- add mysql indexstorage backend
- add s3 storage for attestations
- fix: Do not check for pubsub.topics.get on initialization
- fix optional field in cose schema
- Update ranges.go
- update indexstorage interface to reduce roundtrips
- use a single validator library in rekor-cli
- Remove go-playground/validator dependency from pkg/pki
Updated to rekor 1.3.3 (jsc#SLE-23476):
- Update signer flag description
- update trillian to 1.5.3
- adds redis_auth
- Add method to get artifact hash for an entry
- make e2e tests more usable with docker-compose
- install go at correct version for codeql
Updated to rekor 1.3.2 (jsc#SLE-23476):
Updated to rekor 1.3.1 (jsc#SLE-23476):
New Features:
- enable GCP cloud profiling on rekor-server (#1746)
- move index storage into interface (#1741)
- add info to readme to denote additional documentation sources (#1722)
- Add type of ed25519 key for TUF (#1677)
- Allow parsing base64-encoded TUF metadata and root content (#1671)
Quality Enhancements:
- disable quota in trillian in test harness (#1680)
Bug Fixes:
- Update contact for code of conduct (#1720)
- Fix panic when parsing SSH SK pubkeys (#1712)
- Correct index creation (#1708)
- docs: fixzes a small typo on the readme (#1686)
- chore: fix backfill-redis Makefile target (#1685)
Updated to rekor 1.3.0 (jsc#SLE-23476):
- Update openapi.yaml (#1655)
- pass transient errors through retrieveLogEntry (#1653)
- return full entryID on HTTP 409 responses (#1650)
- feat: Support publishing new log entries to Pub/Sub topics (#1580)
- Change values of Identity.Raw, add fingerprints (#1628)
- Extract all subjects from SANs for x509 verifier (#1632)
- Fix type comment for Identity struct (#1619)
- Refactor Identities API (#1611)
- Refactor Verifiers to return multiple keys (#1601)
- Update checkpoint link (#1597)
- Use correct log index in inclusion proof (#1599)
- remove instrumentation library (#1595)
Updated to rekor 1.2.2 (jsc#SLE-23476):
- pass down error with message instead of nil
-
swap killswitch for 'docker-compose restart'
-
CVE-2023-48795: Fixed Terrapin attack in embedded golang.org/x/crypto/ssh (bsc#1218207).
Patch Instructions:
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
-
openSUSE Leap 15.4
zypper in -t patch SUSE-2024-460=1 -
openSUSE Leap 15.5
zypper in -t patch openSUSE-SLE-15.5-2024-460=1 -
Basesystem Module 15-SP5
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP5-2024-460=1
Package List:
-
openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64 i586)
- rekor-1.3.5-150400.4.19.1
- rekor-debuginfo-1.3.5-150400.4.19.1
-
openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
- rekor-1.3.5-150400.4.19.1
-
Basesystem Module 15-SP5 (aarch64 ppc64le s390x x86_64)
- rekor-1.3.5-150400.4.19.1