SUSE-SU-2023:2210-1 -- SLES rekor | ID: oval:org.secpod.oval:def:89048849 | Date: (C)2023-06-02 (M)2023-11-10 |
Class: PATCH | Family: unix |
This update for rekor fixes the following issues:

Updated to version 1.1.1:

Functional Enhancements
- Refactor Trillian client with exported methods
- Switch to official redis-go client
- Remove replace in go.mod
- Add Rekor OID info.

Quality Enhancements
- remove legacy encrypted cosign key
- swap cjson dependency
- Update release readme

Security fixes:
- CVE-2023-30551: Fixed a potential denial of service when processing JAR META-INF files or .SIGN/.PKINFO files in APK files.

Updated to rekor 1.1.0:

Functional Enhancements
* improve validation on intoto v0.0.2 type
* add feature to limit HTTP request body length to process
* add information about the file size limit
* Add script to backfill Redis from Rekor
* Feature: add search support for sha512

Quality Enhancements
* various fuzzing fixes

Bug Fixes
* remove goroutine usage from SearchLogQuery
* drop log messages regarding attestation storage to debug
* fix validation for proposed vs committed log entries for intoto v0.0.1
* fix: fix regex for multi-digit counts
* return NotFound if treesize is 0 rather than calling trillian
* enumerate slice to get sugared logs
* put a reasonable size limit on ssh key reader
* CLIENT: Fix Custom Host and Path Issue
* do not persist local state if log is empty; fail consistency proofs from 0 size
* correctly handle invalid or missing pki format
* Add Verifier to get public key/cert and identities for entry type
* fix goroutine leak in client; add insecure TLS option
* Fix - Remove the force-recreate flag
* trim whitespace around public keys before parsing
* stop inserting envelope hash for intoto:0.0.2 types into index
* Revert "remove double encoding of payload and signature fields for intoto"
* remove double encoding of payload and signature fields for intoto
* fix SearchLogQuery behavior to conform to openapi spec
* Remove pem-certificate-chain from client
* fix flag type for operator in search
* use sigstore/community dep review
Platform: |
SUSE Linux Enterprise Desktop 15 SP4 |
SUSE Linux Enterprise Server 15 SP4 |