File _patchinfo of Package patchinfo.32492

<patchinfo incident="32492">
  <issue tracker="jsc" id="SLE-23476"/>
  <issue tracker="cve" id="2023-48795"/>
  <issue tracker="bnc" id="1218207">VUL-0: CVE-2023-48795: cosign: golang.org/x/crypto/ssh: prefix truncation breaking ssh channel integrity</issue>
  <packager>msmeissn</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for rekor</summary>
  <description>This update for rekor fixes the following issues:

Updated to rekor 1.3.5 (jsc#SLE-23476):

  - Additional unique index correction
  - Remove timestamp from checkpoint
  - Drop conditional when verifying entry checkpoint
  - Fix panic for DSSE canonicalization
  - Change Redis value for locking mechanism
  - give log timestamps nanosecond precision
  - output trace in slog and override correlation header name

- bumped embedded golang.org/x/crypto/ssh to fix the Terrapin attack CVE-2023-48795 (bsc#1218207)

Updated to rekor 1.3.4:

  - add mysql indexstorage backend
  - add s3 storage for attestations
  - fix: Do not check for pubsub.topics.get on initialization
  - fix optional field in cose schema
  - Update ranges.go
  - update indexstorage interface to reduce roundtrips
  - use a single validator library in rekor-cli
  - Remove go-playground/validator dependency from pkg/pki

Updated to rekor 1.3.3 (jsc#SLE-23476):

  - Update signer flag description
  - update trillian to 1.5.3
  - adds redis_auth
  - Add method to get artifact hash for an entry
  - make e2e tests more usable with docker-compose
  - install go at correct version for codeql

Updated to rekor 1.3.2 (jsc#SLE-23476):


Updated to rekor 1.3.1 (jsc#SLE-23476):

New Features:

  - enable GCP cloud profiling on rekor-server (#1746)
  - move index storage into interface (#1741)
  - add info to readme to denote additional documentation sources (#1722)
  - Add type of ed25519 key for TUF (#1677)
  - Allow parsing base64-encoded TUF metadata and root content (#1671)

Quality Enhancements:

  - disable quota in trillian in test harness (#1680)

Bug Fixes:

  - Update contact for code of conduct (#1720)
  - Fix panic when parsing SSH SK pubkeys (#1712)
  - Correct index creation (#1708)
  - docs: fixes a small typo on the readme (#1686)
  - chore: fix backfill-redis Makefile target (#1685)

Updated to rekor 1.3.0 (jsc#SLE-23476):

  - Update openapi.yaml (#1655)
  - pass transient errors through retrieveLogEntry (#1653)
  - return full entryID on HTTP 409 responses (#1650)
  - feat: Support publishing new log entries to Pub/Sub topics (#1580)
  - Change values of Identity.Raw, add fingerprints (#1628)
  - Extract all subjects from SANs for x509 verifier (#1632)
  - Fix type comment for Identity struct (#1619)
  - Refactor Identities API (#1611)
  - Refactor Verifiers to return multiple keys (#1601)
  - Update checkpoint link (#1597)
  - Use correct log index in inclusion proof (#1599)
  - remove instrumentation library (#1595)

Updated to rekor 1.2.2 (jsc#SLE-23476):

  - pass down error with message instead of nil
  - swap killswitch for 'docker-compose restart'

- CVE-2023-48795: Fixed Terrapin attack in embedded golang.org/x/crypto/ssh (bsc#1218207).
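The x/crypto bump is the security-relevant part of this update: CVE-2023-48795 (Terrapin) is fixed upstream in golang.org/x/crypto v0.17.0, and rekor statically links that module, so the only way to know whether an installed binary is patched is to look at the module list the Go linker embedded in it. The program below is an added example for verifying that and is not part of rekor or of this update. It reads the embedded build info (the same data that "go version -m" prints), honours go.mod replace directives, and treats a pseudo-version that predates the v0.17.0 tag as still vulnerable. The binary path in the usage text and the tool name terrapincheck are assumptions.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Module that contains the ssh package, and its first tagged release with the Terrapin fix.
const (
	xCryptoPath  = "golang.org/x/crypto"
	xCryptoFixed = "v0.17.0"
)

// dep is the part of a build-info record this check needs; Replace is the version a
// go.mod replace directive substituted, or "" when there is none.
type dep struct{ Path, Version, Replace string }

// versionKey maps a module version to an integer that sorts the way Go module versions
// do: by number, with a pre-release or pseudo-version (e.g. v0.17.0-0.20231205120000-0123456789ab)
// ranking below the tagged release with the same numbers. Components are assumed below 1000.
func versionKey(v string) (int64, error) {
	core, pre := strings.TrimPrefix(v, "v"), false
	if i := strings.IndexAny(core, "-+"); i >= 0 {
		pre = core[i] == '-' // "+" is build metadata, not a pre-release
		core = core[:i]
	}
	parts := strings.Split(core, ".")
	if len(parts) != 3 {
		return 0, fmt.Errorf("not a semantic version: %q", v)
	}
	var key int64
	for _, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return 0, fmt.Errorf("not a semantic version: %q", v)
		}
		key = key*1000 + int64(n)
	}
	key *= 2 // leave room for the pre-release bit
	if !pre {
		key++
	}
	return key, nil
}

// checkXCrypto returns the x/crypto version compiled in ("" if it is not linked at all)
// and whether that version predates the fix.
func checkXCrypto(deps []dep) (version string, vulnerable bool, err error) {
	fixed, _ := versionKey(xCryptoFixed) // constant, known to parse
	for _, d := range deps {
		if d.Path != xCryptoPath {
			continue
		}
		if version = d.Version; d.Replace != "" {
			version = d.Replace // a go.mod replace decides what was really built
		}
		k, err := versionKey(version)
		if err != nil {
			return version, false, err
		}
		return version, fixed > k, nil
	}
	return "", false, nil
}

// checkBinary reads the build info the Go linker embeds in module-built binaries.
func checkBinary(path string) (string, bool, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", false, err
	}
	var deps []dep
	for _, m := range bi.Deps {
		d := dep{Path: m.Path, Version: m.Version}
		if m.Replace != nil {
			d.Replace = m.Replace.Version
		}
		deps = append(deps, d)
	}
	return checkXCrypto(deps)
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: terrapincheck /usr/bin/rekor-server") // path is an assumption
		os.Exit(2)
	}
	ver, vuln, err := checkBinary(os.Args[1])
	switch {
	case err != nil:
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(2)
	case ver == "":
		fmt.Println("golang.org/x/crypto is not linked into this binary")
	case vuln:
		fmt.Printf("VULNERABLE: %s %s is older than %s (CVE-2023-48795)\n", xCryptoPath, ver, xCryptoFixed)
		os.Exit(1)
	default:
		fmt.Printf("ok: %s %s includes the Terrapin fix\n", xCryptoPath, ver)
	}
}
```

Run it against the packaged rekor-server and rekor-cli binaries after the update; the exit status (1 for vulnerable, 2 for unreadable) makes it usable from a fleet check. It only proves which x/crypto version was linked in, not whether the ssh code path is reachable in a given deployment, so treat "VULNERABLE" as a reason to update rather than as proof of exposure.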
</description>
</patchinfo>