SUSE-SU-2024:0460-1

Source
https://www.suse.com/support/update/announcement/2024/suse-su-20240460-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2024:0460-1.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-SU-2024:0460-1
Related
Published
2024-02-13T14:29:55Z
Modified
2024-02-13T14:29:55Z
Summary
Security update for rekor
Details

This update for rekor fixes the following issues:

update to 1.3.5 (jsc#SLE-23476):

  • Additional unique index correction
  • Remove timestamp from checkpoint
  • Drop conditional when verifying entry checkpoint
  • Fix panic for DSSE canonicalization
  • Change Redis value for locking mechanism
  • give log timestamps nanosecond precision
  • output trace in slog and override correlation header name

    • bumped embedded golang.org/x/crypto/ssh to fix the Terrapin attack CVE-2023-48795 (bsc#1218207)

Updated to 1.3.4:

  • add mysql indexstorage backend
  • add s3 storage for attestations
  • fix: Do not check for pubsub.topics.get on initialization
  • fix optional field in cose schema
  • Update ranges.go
  • update indexstorage interface to reduce roundtrips
  • use a single validator library in rekor-cli
  • Remove go-playground/validator dependency from pkg/pki

Updated to rekor 1.3.3 (jsc#SLE-23476):

  • Update signer flag description
  • update trillian to 1.5.3
  • adds redis_auth
  • Add method to get artifact hash for an entry
  • make e2e tests more usable with docker-compose
  • install go at correct version for codeql

Updated to rekor 1.3.2 (jsc#SLE-23476):

Updated to rekor 1.3.1 (jsc#SLE-23476):

New Features:

  • enable GCP cloud profiling on rekor-server (#1746)
  • move index storage into interface (#1741)
  • add info to readme to denote additional documentation sources (#1722)
  • Add type of ed25519 key for TUF (#1677)
  • Allow parsing base64-encoded TUF metadata and root content (#1671)

    Quality Enhancements:

  • disable quota in trillian in test harness (#1680)

    Bug Fixes:

  • Update contact for code of conduct (#1720)

  • Fix panic when parsing SSH SK pubkeys (#1712)
  • Correct index creation (#1708)
  • docs: fixzes a small typo on the readme (#1686)
  • chore: fix backfill-redis Makefile target (#1685)

Updated to rekor 1.3.0 (jsc#SLE-23476):

  • Update openapi.yaml (#1655)
  • pass transient errors through retrieveLogEntry (#1653)
  • return full entryID on HTTP 409 responses (#1650)
  • feat: Support publishing new log entries to Pub/Sub topics (#1580)
  • Change values of Identity.Raw, add fingerprints (#1628)
  • Extract all subjects from SANs for x509 verifier (#1632)
  • Fix type comment for Identity struct (#1619)
  • Refactor Identities API (#1611)
  • Refactor Verifiers to return multiple keys (#1601)
  • Update checkpoint link (#1597)
  • Use correct log index in inclusion proof (#1599)
  • remove instrumentation library (#1595)

Updated to rekor 1.2.2 (jsc#SLE-23476):

  • pass down error with message instead of nil
  • swap killswitch for 'docker-compose restart'

    • CVE-2023-48795: Fixed Terrapin attack in embedded golang.org/x/crypto/ssh (bsc#1218207).
References

Affected packages

SUSE:Linux Enterprise Module for Basesystem 15 SP5 / rekor

Package

Name
rekor
Purl
purl:rpm/suse/rekor&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.3.5-150400.4.19.1

Ecosystem specific

{
    "binaries": [
        {
            "rekor": "1.3.5-150400.4.19.1"
        }
    ]
}

openSUSE:Leap 15.5 / rekor

Package

Name
rekor
Purl
purl:rpm/suse/rekor&distro=openSUSE%20Leap%2015.5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.3.5-150400.4.19.1

Ecosystem specific

{
    "binaries": [
        {
            "rekor": "1.3.5-150400.4.19.1"
        }
    ]
}