SUSE-SU-2023:2210-1

Source
https://www.suse.com/support/update/announcement/2023/suse-su-20232210-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2023:2210-1.json
JSON Data
https://api.test.osv.dev/v1/vulns/SUSE-SU-2023:2210-1
Published
2023-05-16T08:45:59Z
Modified
2023-05-16T08:45:59Z
Summary
Security update for rekor
Details

This update for rekor fixes the following issues:

Updated to version 1.1.1 (jsc#SLE-23476):

  • Functional Enhancements
    • Refactor Trillian client with exported methods (#1454)
    • Switch to official redis-go client (#1459)
    • Remove replace in go.mod (#1444)
    • Add Rekor OID info. (#1390)
  • Quality Enhancements
    • remove legacy encrypted cosign key (#1446)
    • swap cjson dependency (#1441)
    • Update release readme (#1456)
  • Security fixes
    • CVE-2023-30551: Fixed a potential denial of service when processing JAR META-INF files or .SIGN/.PKINFO files in APK files (bsc#1211210).

  • Updated to rekor 1.1.0 (jsc#SLE-23476):
    • Functional Enhancements
      • improve validation on intoto v0.0.2 type (#1351)
      • add feature to limit HTTP request body length to process (#1334)
      • add information about the file size limit (#1313)
      • Add script to backfill Redis from Rekor (#1163)
      • Feature: add search support for sha512 (#1142)
    • Quality Enhancements
      • various fuzzing fixes
    • Bug Fixes
      • remove goroutine usage from SearchLogQuery (#1407)
      • drop log messages regarding attestation storage to debug (#1408)
      • fix validation for proposed vs committed log entries for intoto v0.0.1 (#1309)
      • fix: fix regex for multi-digit counts (#1321)
      • return NotFound if treesize is 0 rather than calling trillian (#1311)
      • enumerate slice to get sugared logs (#1312)
      • put a reasonable size limit on ssh key reader (#1288)
      • CLIENT: Fix Custom Host and Path Issue (#1306)
      • do not persist local state if log is empty; fail consistency proofs from 0 size (#1290)
      • correctly handle invalid or missing pki format (#1281)
      • Add Verifier to get public key/cert and identities for entry type (#1210)
      • fix goroutine leak in client; add insecure TLS option (#1238)
      • Fix - Remove the force-recreate flag (#1179)
      • trim whitespace around public keys before parsing (#1175)
      • stop inserting envelope hash for intoto:0.0.2 types into index (#1171)
      • Revert 'remove double encoding of payload and signature fields for intoto (#1150)' (#1158)
      • remove double encoding of payload and signature fields for intoto (#1150)
      • fix SearchLogQuery behavior to conform to openapi spec (#1145)
      • Remove pem-certificate-chain from client (#1138)
      • fix flag type for operator in search (#1136)
      • use sigstore/community dep review (#1132)
Affected packages

SUSE:Linux Enterprise Module for Basesystem 15 SP4 / rekor

Package

Name
rekor
Purl
pkg:rpm/suse/rekor&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.1.1-150400.4.9.1

Ecosystem specific

{
    "binaries": [
        {
            "rekor": "1.1.1-150400.4.9.1"
        }
    ]
}

openSUSE:Leap 15.4 / rekor

Package

Name
rekor
Purl
pkg:rpm/opensuse/rekor&distro=openSUSE%20Leap%2015.4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.1.1-150400.4.9.1

Ecosystem specific

{
    "binaries": [
        {
            "rekor": "1.1.1-150400.4.9.1"
        }
    ]
}