File _patchinfo of Package patchinfo.28979

<patchinfo incident="28979">
  <issue tracker="jsc" id="SLE-23476"/>
  <issue tracker="cve" id="2023-30551"/>
  <issue tracker="bnc" id="1211210">VUL-0: CVE-2023-30551: rekor: out of memory crash caused by reading archive metadata files without checking sizes</issue>
  <packager>msmeissn</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for rekor</summary>
  <description>This update for rekor fixes the following issues:

Updated to version 1.1.1 (jsc#SLE-23476):

  Functional Enhancements
  - Refactor Trillian client with exported methods (#1454)
  - Switch to official redis-go client (#1459)
  - Remove replace in go.mod (#1444)
  - Add Rekor OID info. (#1390)
  Quality Enhancements
  - remove legacy encrypted cosign key (#1446)
  - swap cjson dependency (#1441)
  - Update release readme (#1456)
  Security fixes:
  - CVE-2023-30551: Fixed a potential denial of service when processing 
    JAR META-INF files or .SIGN/.PKINFO files in APK files (bsc#1211210).

- updated to rekor 1.1.0 (jsc#SLE-23476):
  Functional Enhancements
  - improve validation on intoto v0.0.2 type (#1351)
  - add feature to limit HTTP request body length to process (#1334)
  - add information about the file size limit (#1313)
  - Add script to backfill Redis from Rekor (#1163)
  - Feature: add search support for sha512 (#1142)
  Quality Enhancements
  - various fuzzing fixes
  Bug Fixes
  - remove goroutine usage from SearchLogQuery (#1407)
  - drop log messages regarding attestation storage to debug (#1408)
  - fix validation for proposed vs committed log entries for intoto v0.0.1 (#1309)
  - fix: fix regex for multi-digit counts (#1321)
  - return NotFound if treesize is 0 rather than calling trillian (#1311)
  - enumerate slice to get sugared logs (#1312)
  - put a reasonable size limit on ssh key reader (#1288)
  - CLIENT: Fix Custom Host and Path Issue (#1306)
  - do not persist local state if log is empty; fail consistency proofs from 0 size (#1290)
  - correctly handle invalid or missing pki format (#1281)
  - Add Verifier to get public key/cert and identities for entry type (#1210)
  - fix goroutine leak in client; add insecure TLS option (#1238)
  - Fix - Remove the force-recreate flag (#1179)
  - trim whitespace around public keys before parsing (#1175)
  - stop inserting envelope hash for intoto:0.0.2 types into index (#1171)
  - Revert "remove double encoding of payload and signature fields for intoto (#1150)" (#1158)
  - remove double encoding of payload and signature fields for intoto (#1150)
  - fix SearchLogQuery behavior to conform to openapi spec (#1145)
  - Remove pem-certificate-chain from client (#1138)
  - fix flag type for operator in search (#1136)
  - use sigstore/community dep review (#1132)
</description>
</patchinfo>