File _patchinfo of Package patchinfo.38331

<patchinfo incident="38331">
  <issue tracker="bnc" id="1227053">VUL-0: CVE-2024-6104: rekor: hashicorp/go-retryablehttp: url might write sensitive information to log file</issue>
  <issue tracker="bnc" id="1236519">VUL-0: CVE-2023-45288: rekor: golang.org/x/net/http2: close connections when receiving too many headers</issue>
  <issue tracker="bnc" id="1237638">VUL-0: CVE-2025-27144: rekor: gopkg.in/go-jose/go-jose.v2,github.com/go-jose/go-jose/v4,github.com/go-jose/go-jose/v3: Go JOSE's Parsing Vulnerable to Denial of Service</issue>
  <issue tracker="bnc" id="1239191">VUL-0: CVE-2025-22868: rekor: golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2</issue>
  <issue tracker="bnc" id="1239327">VUL-0: CVE-2025-22869: rekor: golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh</issue>
  <issue tracker="bnc" id="1240468">VUL-0: CVE-2025-30204: rekor: github.com/golang-jwt/jwt/v5: jwt-go allows excessive memory allocation during header parsing</issue>
  <issue tracker="cve" id="2023-45288"/>
  <issue tracker="cve" id="2024-6104"/>
  <issue tracker="cve" id="2025-22868"/>
  <issue tracker="cve" id="2025-22869"/>
  <issue tracker="cve" id="2025-27144"/>
  <issue tracker="cve" id="2025-30204"/>
  <issue tracker="jsc" id="SLE-23476"/>
  <packager>msmeissn</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for rekor</summary>
  <description>This update for rekor fixes the following issues:

- CVE-2023-45288: rekor: golang.org/x/net/http2: Fixed connection handling so that connections are closed when receiving too many headers (bsc#1236519)
- CVE-2024-6104: rekor: hashicorp/go-retryablehttp: Fixed sensitive information disclosure inside log file (bsc#1227053)
- CVE-2025-22868: rekor: golang.org/x/oauth2/jws: Fixed unexpected memory consumption during token parsing (bsc#1239191)
- CVE-2025-22869: rekor: golang.org/x/crypto/ssh: Fixed denial of service in the Key Exchange (bsc#1239327)
- CVE-2025-27144: rekor: gopkg.in/go-jose/go-jose.v2,github.com/go-jose/go-jose/v4,github.com/go-jose/go-jose/v3: Fixed denial of service in Go JOSE's parsing (bsc#1237638)
- CVE-2025-30204: rekor: github.com/golang-jwt/jwt/v5: Fixed jwt-go allowing excessive memory allocation during header parsing (bsc#1240468)

Other fixes:

- Update to version 1.3.10:
  * Features
    - Added --client-signing-algorithms flag (#1974)
  * Fixes / Misc
    - emit unpopulated values when marshalling (#2438)
    - pkg/api: better logs when algorithm registry rejects a key (#2429)
    - chore: improve mysql readiness checks (#2397)

- Update to version 1.3.9 (jsc#SLE-23476):
  * Cache checkpoint for inactive shards (#2332)
  * Support per-shard signing keys (#2330)

- Update to version 1.3.8:
  * Bug Fixes
    - fix zizmor issues (#2298)
    - remove unneeded value in log message (#2282)
  * Quality Enhancements
    - chore: relax go directive to permit 1.22.x
    - fetch minisign from homebrew instead of custom ppa (#2329)
    - fix(ci): simplify GOVERSION extraction
    - chore(deps): bump actions pins to latest
    - Updates go and golangci-lint (#2302)
    - update builder to use go1.23.4 (#2301)
    - clean up spaces
    - log request body on 500 error to aid debugging (#2283)

- Update to version 1.3.7:
  * New Features
    - log request body on 500 error to aid debugging (#2283)
    - Add support for signing with Tink keyset (#2228)
    - Add public key hash check in Signed Note verification (#2214)
    - update Trillian TLS configuration (#2202)
    - Add TLS support for Trillian server (#2164)
    - Replace docker-compose with plugin if available (#2153)
    - Add flags to backfill script (#2146)
    - Unset DisableKeepalive for backfill HTTP client (#2137)
    - Add script to delete indexes from Redis (#2120)
    - Run CREATE statement in backfill script (#2109)
    - Add MySQL support to backfill script (#2081)
    - Run e2e tests on mysql and redis index backends (#2079)
  * Bug Fixes
    - remove unneeded value in log message (#2282)
    - Add error message when computing consistency proof (#2278)
    - fix validation error handling on API (#2217)
    - fix error in pretty-printed inclusion proof from verify subcommand (#2210)
    - Fix index scripts (#2203)
    - fix failing sharding test
    - Better error handling in backfill script (#2148)
    - Batch entries in cleanup script (#2158)
    - Add missing workflow for index cleanup test (#2121)
    - hashedrekord: fix schema $id (#2092)
</description>
</patchinfo>