Description
Security update for rekor
This update for rekor fixes the following issues:
- updated to rekor 1.2.1 (jsc#SLE-23476):
  - CVE-2023-33199: Fixed that malformed proposed intoto v0.0.2 entries can cause a panic (bsc#1211790).
Package list
SUSE Linux Enterprise Module for Basesystem 15 SP4
rekor-1.2.1-150400.4.12.1
SUSE Linux Enterprise Module for Basesystem 15 SP5
rekor-1.2.1-150400.4.12.1
openSUSE Leap 15.4
rekor-1.2.1-150400.4.12.1
openSUSE Leap 15.5
rekor-1.2.1-150400.4.12.1
References
- Link for SUSE-SU-2023:2515-1
- E-Mail link for SUSE-SU-2023:2515-1
- SUSE Security Ratings
- SUSE Bug 1211790
- SUSE CVE CVE-2023-33199 page
Description
Rekor's goal is to provide an immutable, tamper-resistant ledger of metadata generated within a software project's supply chain. A malformed proposed entry of the `intoto/v0.0.2` type can cause a panic on a thread within the Rekor process. The thread is recovered, so the client receives a 500 error message and the service continues running; the availability impact is therefore minimal. This has been fixed in v1.2.0 of Rekor. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Affected products
SUSE Linux Enterprise Module for Basesystem 15 SP4:rekor-1.2.1-150400.4.12.1
SUSE Linux Enterprise Module for Basesystem 15 SP5:rekor-1.2.1-150400.4.12.1
openSUSE Leap 15.4:rekor-1.2.1-150400.4.12.1
openSUSE Leap 15.5:rekor-1.2.1-150400.4.12.1
References
- CVE-2023-33199
- SUSE Bug 1211790