SUSE alert SUSE-SU-2023:2210-1 (rekor)
| From: | sle-security-updates@lists.suse.com |
| To: | sle-security-updates@lists.suse.com |
| Subject: | SUSE-SU-2023:2210-1: important: Security update for rekor |
| Date: | Tue, 16 May 2023 12:30:26 -0000 |
| Message-ID: | <168424022648.25528.11079090925657102937@smelt2.suse.de> |
# Security update for rekor

Announcement ID: SUSE-SU-2023:2210-1
Rating: important

References:

* #1211210

Cross-References:

* CVE-2023-30551

CVSS scores:

* CVE-2023-30551 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-30551 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:

* Basesystem Module 15-SP4
* openSUSE Leap 15.4
* SUSE Linux Enterprise Desktop 15 SP4
* SUSE Linux Enterprise High Performance Computing 15 SP4
* SUSE Linux Enterprise Real Time 15 SP4
* SUSE Linux Enterprise Server 15 SP4
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
* SUSE Manager Proxy 4.3
* SUSE Manager Retail Branch Server 4.3
* SUSE Manager Server 4.3

An update that solves one vulnerability and contains one feature can now be installed.

## Description:

This update for rekor fixes the following issues:

* Updated to version 1.1.1 (jsc#SLE-23476):

  Functional Enhancements

  - Refactor Trillian client with exported methods (#1454)
  - Switch to official redis-go client (#1459)
  - Remove replace in go.mod (#1444)
  - Add Rekor OID info. (#1390)

  Quality Enhancements

  - remove legacy encrypted cosign key (#1446)
  - swap cjson dependency (#1441)
  - Update release readme (#1456)

  Security fixes:

  - CVE-2023-30551: Fixed a potential denial of service when processing JAR META-INF files or .SIGN/.PKINFO files in APK files (bsc#1211210).

* Updated to rekor 1.1.0 (jsc#SLE-23476):

  Functional Enhancements

  - improve validation on intoto v0.0.2 type (#1351)
  - add feature to limit HTTP request body length to process (#1334)
  - add information about the file size limit (#1313)
  - Add script to backfill Redis from Rekor (#1163)
  - Feature: add search support for sha512 (#1142)

  Quality Enhancements

  - various fuzzing fixes

  Bug Fixes

  - remove goroutine usage from SearchLogQuery (#1407)
  - drop log messages regarding attestation storage to debug (#1408)
  - fix validation for proposed vs committed log entries for intoto v0.0.1 (#1309)
  - fix: fix regex for multi-digit counts (#1321)
  - return NotFound if treesize is 0 rather than calling trillian (#1311)
  - enumerate slice to get sugared logs (#1312)
  - put a reasonable size limit on ssh key reader (#1288)
  - CLIENT: Fix Custom Host and Path Issue (#1306)
  - do not persist local state if log is empty; fail consistency proofs from 0 size (#1290)
  - correctly handle invalid or missing pki format (#1281)
  - Add Verifier to get public key/cert and identities for entry type (#1210)
  - fix goroutine leak in client; add insecure TLS option (#1238)
  - Fix - Remove the force-recreate flag (#1179)
  - trim whitespace around public keys before parsing (#1175)
  - stop inserting envelope hash for intoto:0.0.2 types into index (#1171)
  - Revert "remove double encoding of payload and signature fields for intoto (#1150)" (#1158)
  - remove double encoding of payload and signature fields for intoto (#1150)
  - fix SearchLogQuery behavior to conform to openapi spec (#1145)
  - Remove pem-certificate-chain from client (#1138)
  - fix flag type for operator in search (#1136)
  - use sigstore/community dep review (#1132)

## Patch Instructions:

To install this SUSE Important update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

* openSUSE Leap 15.4
  zypper in -t patch openSUSE-SLE-15.4-2023-2210=1
* Basesystem Module 15-SP4
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP4-2023-2210=1

## Package List:

* openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64)
  * rekor-1.1.1-150400.4.9.1
* Basesystem Module 15-SP4 (aarch64 ppc64le s390x x86_64)
  * rekor-1.1.1-150400.4.9.1

## References:

* https://www.suse.com/security/cve/CVE-2023-30551.html
* https://bugzilla.suse.com/show_bug.cgi?id=1211210
* https://jira.suse.com/browse/SLE-23476
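The patch instructions above say how to install the fix; the script below, added here as an example and not part of the SUSE advisory, checks whether the installed rekor package already carries the fixed build rekor-1.1.1-150400.4.9.1 named in the package list. The `rpm -q --qf '%{VERSION}-%{RELEASE}'` query shape, the fallback version string used when rpm is unavailable, and the use of `sort -V` as a stand-in for rpm's own version comparison are all assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of SUSE-SU-2023:2210-1): report whether the
# installed rekor package is at or above the fixed build from the advisory.
# Assumes an RPM-based SUSE system; rpm query format is an assumption.

FIXED_REKOR="1.1.1-150400.4.9.1"   # fixed VERSION-RELEASE from the package list

# version_ge A B : succeeds when A >= B.
# sort -V orders dotted numeric segments; it approximates rpm's comparison
# well enough for the plain numeric version/release strings used here.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
}

# rekor_is_fixed VERSION-RELEASE : exit 0 if the build contains the
# CVE-2023-30551 fix, 1 if it is older than the fixed build.
rekor_is_fixed() {
    version_ge "$1" "$FIXED_REKOR"
}

# installed_rekor_version : query rpm on a real system. Where rpm is absent
# (or rekor is not installed) a constructed sample of an older build is
# returned so the script still runs end to end for illustration.
installed_rekor_version() {
    if command -v rpm >/dev/null 2>&1 && rpm -q rekor >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}\n' rekor
    else
        echo "1.1.0-150400.4.6.1"   # constructed sample, not a real SUSE build
    fi
}

main() {
    v="$(installed_rekor_version)"
    if rekor_is_fixed "$v"; then
        echo "rekor $v: fixed build for CVE-2023-30551 is installed"
    else
        echo "rekor $v: older than $FIXED_REKOR, apply patch 2023-2210"
    fi
}

main
```

On a patched Leap 15.4 or SLE 15 SP4 host the rpm query returns 1.1.1-150400.4.9.1 or a later release and the script reports the fix as present; any earlier rekor build is flagged for the zypper patch command given above. For authoritative results on a real system prefer `zypper patch-info` or rpm's own version comparison, since `sort -V` does not implement every rule of rpmvercmp (for example tilde handling).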
