1. Home
  2. Security Advisories
  3. SUSE
  4. SUSE-SU-2024:0460-1

[SUSE-SU-2024:0460-1] Security update for rekor

Severity Important
Affected Packages 4
CVEs 1
Info Packages References Vulnerabilities

Security update for rekor

This update for rekor fixes the following issues:

update to 1.3.5 (jsc#SLE-23476):

  • Additional unique index correction
  • Remove timestamp from checkpoint
  • Drop conditional when verifying entry checkpoint
  • Fix panic for DSSE canonicalization
  • Change Redis value for locking mechanism
  • give log timestamps nanosecond precision

  • output trace in slog and override correlation header name

  • bumped embedded golang.org/x/crypto/ssh to fix the Terrapin attack CVE-2023-48795 (bsc#1218207)

Updated to 1.3.4:

  • add mysql indexstorage backend
  • add s3 storage for attestations
  • fix: Do not check for pubsub.topics.get on initialization
  • fix optional field in cose schema
  • Update ranges.go
  • update indexstorage interface to reduce roundtrips
  • use a single validator library in rekor-cli
  • Remove go-playground/validator dependency from pkg/pki

Updated to rekor 1.3.3 (jsc#SLE-23476):

  • Update signer flag description
  • update trillian to 1.5.3
  • adds redis_auth
  • Add method to get artifact hash for an entry
  • make e2e tests more usable with docker-compose
  • install go at correct version for codeql

Updated to rekor 1.3.2 (jsc#SLE-23476):

Updated to rekor 1.3.1 (jsc#SLE-23476):

New Features:

  • enable GCP cloud profiling on rekor-server (#1746)
  • move index storage into interface (#1741)
  • add info to readme to denote additional documentation sources (#1722)
  • Add type of ed25519 key for TUF (#1677)

  • Allow parsing base64-encoded TUF metadata and root content (#1671)

    Quality Enhancements:

  • disable quota in trillian in test harness (#1680)

    Bug Fixes:

  • Update contact for code of conduct (#1720)

  • Fix panic when parsing SSH SK pubkeys (#1712)

  • Correct index creation (#1708)

  • docs: fixzes a small typo on the readme (#1686)

  • chore: fix backfill-redis Makefile target (#1685)

Updated to rekor 1.3.0 (jsc#SLE-23476):

  • Update openapi.yaml (#1655)
  • pass transient errors through retrieveLogEntry (#1653)
  • return full entryID on HTTP 409 responses (#1650)
  • feat: Support publishing new log entries to Pub/Sub topics (#1580)
  • Change values of Identity.Raw, add fingerprints (#1628)
  • Extract all subjects from SANs for x509 verifier (#1632)
  • Fix type comment for Identity struct (#1619)
  • Refactor Identities API (#1611)
  • Refactor Verifiers to return multiple keys (#1601)
  • Update checkpoint link (#1597)
  • Use correct log index in inclusion proof (#1599)
  • remove instrumentation library (#1595)

Updated to rekor 1.2.2 (jsc#SLE-23476):

  • pass down error with message instead of nil

  • swap killswitch for 'docker-compose restart'

  • CVE-2023-48795: Fixed Terrapin attack in embedded golang.org/x/crypto/ssh (bsc#1218207).

Package Affected Version
pkg:rpm/suse/rekor?arch=x86_64&distro=opensuse-leap-15.5 < 1.3.5-150400.4.19.1
pkg:rpm/suse/rekor?arch=s390x&distro=opensuse-leap-15.5 < 1.3.5-150400.4.19.1
pkg:rpm/suse/rekor?arch=ppc64le&distro=opensuse-leap-15.5 < 1.3.5-150400.4.19.1
pkg:rpm/suse/rekor?arch=aarch64&distro=opensuse-leap-15.5 < 1.3.5-150400.4.19.1
ID
SUSE-SU-2024:0460-1
Severity
important
URL
https://www.suse.com/support/update/announcement/2024/suse-su-20240460-1/
Published
2024-02-13T14:29:55
(7 months ago)
Modified
2024-02-13T14:29:55
(7 months ago)
Rights
Copyright 2024 SUSE LLC. All rights reserved.
Other Advisories
Type Package URL Namespace Name / Product Version Distribution / Platform Arch Patch / Fix
Affected pkg:rpm/suse/rekor?arch=x86_64&distro=opensuse-leap-15.5 suse rekor < 1.3.5-150400.4.19.1 opensuse-leap-15.5 x86_64
Affected pkg:rpm/suse/rekor?arch=s390x&distro=opensuse-leap-15.5 suse rekor < 1.3.5-150400.4.19.1 opensuse-leap-15.5 s390x
Affected pkg:rpm/suse/rekor?arch=ppc64le&distro=opensuse-leap-15.5 suse rekor < 1.3.5-150400.4.19.1 opensuse-leap-15.5 ppc64le
Affected pkg:rpm/suse/rekor?arch=aarch64&distro=opensuse-leap-15.5 suse rekor < 1.3.5-150400.4.19.1 opensuse-leap-15.5 aarch64
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories Exploits PoC Pubblication Date Modification Date
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories PoC Pubblication Date Modification Date