Описание
Security update for rekor
This update for rekor fixes the following issues:
Updated to version 1.1.1 (jsc#SLE-23476):
Functional Enhancements
-
Refactor Trillian client with exported methods (#1454)
-
Switch to official redis-go client (#1459)
-
Remove replace in go.mod (#1444)
-
Add Rekor OID info. (#1390) Quality Enhancements
-
remove legacy encrypted cosign key (#1446)
-
swap cjson dependency (#1441)
-
Update release readme (#1456) Security fixes:
-
CVE-2023-30551: Fixed a potential denial of service when processing JAR META-INF files or .SIGN/.PKINFO files in APK files (bsc#1211210).
-
updated to rekor 1.1.0 (jsc#SLE-23476): Functional Enhancements
- improve validation on intoto v0.0.2 type (#1351)
- add feature to limit HTTP request body length to process (#1334)
- add information about the file size limit (#1313)
- Add script to backfill Redis from Rekor (#1163)
- Feature: add search support for sha512 (#1142) Quality Enhancements
- various fuzzing fixes Bug Fixes
- remove goroutine usage from SearchLogQuery (#1407)
- drop log messages regarding attestation storage to debug (#1408)
- fix validation for proposed vs committed log entries for intoto v0.0.1 (#1309)
- fix: fix regex for multi-digit counts (#1321)
- return NotFound if treesize is 0 rather than calling trillian (#1311)
- enumerate slice to get sugared logs (#1312)
- put a reasonable size limit on ssh key reader (#1288)
- CLIENT: Fix Custom Host and Path Issue (#1306)
- do not persist local state if log is empty; fail consistency proofs from 0 size (#1290)
- correctly handle invalid or missing pki format (#1281)
- Add Verifier to get public key/cert and identities for entry type (#1210)
- fix goroutine leak in client; add insecure TLS option (#1238)
- Fix - Remove the force-recreate flag (#1179)
- trim whitespace around public keys before parsing (#1175)
- stop inserting envelope hash for intoto:0.0.2 types into index (#1171)
- Revert 'remove double encoding of payload and signature fields for intoto (#1150)' (#1158)
- remove double encoding of payload and signature fields for intoto (#1150)
- fix SearchLogQuery behavior to conform to openapi spec (#1145)
- Remove pem-certificate-chain from client (#1138)
- fix flag type for operator in search (#1136)
- use sigstore/community dep review (#1132)
Список пакетов
SUSE Linux Enterprise Module for Basesystem 15 SP4
openSUSE Leap 15.4
Ссылки
- Link for SUSE-SU-2023:2210-1
- E-Mail link for SUSE-SU-2023:2210-1
- SUSE Security Ratings
- SUSE Bug 1211210
- SUSE CVE CVE-2023-30551 page
Описание
Rekor is an open source software supply chain transparency log. Rekor prior to version 1.1.1 may crash due to out of memory (OOM) conditions caused by reading archive metadata files into memory without checking their sizes first. Verification of a JAR file submitted to Rekor can cause an out of memory crash if files within the META-INF directory of the JAR are sufficiently large. Parsing of an APK file submitted to Rekor can cause an out of memory crash if the .SIGN or .PKGINFO files within the APK are sufficiently large. The OOM crash has been patched in Rekor version 1.1.1. There are no known workarounds.
Затронутые продукты
Ссылки
- CVE-2023-30551
- SUSE Bug 1211210