Security update for rekor

Announcement ID:	SUSE-SU-2023:2210-1
Rating:	important
References:	bsc#1211210 jsc#SLE-23476
Cross-References:	CVE-2023-30551
CVSS scores:	CVE-2023-30551 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2023-30551 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:	Basesystem Module 15-SP4 openSUSE Leap 15.4 SUSE Linux Enterprise Desktop 15 SP4 SUSE Linux Enterprise High Performance Computing 15 SP4 SUSE Linux Enterprise Real Time 15 SP4 SUSE Linux Enterprise Server 15 SP4 SUSE Linux Enterprise Server for SAP Applications 15 SP4 SUSE Manager Proxy 4.3 SUSE Manager Retail Branch Server 4.3 SUSE Manager Server 4.3

An update that solves one vulnerability and contains one feature can now be installed.

Description:

This update for rekor fixes the following issues:

Updated to version 1.1.1 (jsc#SLE-23476):

Functional Enhancements - Refactor Trillian client with exported methods (#1454) - Switch to official redis-go client (#1459) - Remove replace in go.mod (#1444) - Add Rekor OID info. (#1390) Quality Enhancements - remove legacy encrypted cosign key (#1446) - swap cjson dependency (#1441) - Update release readme (#1456) Security fixes: - CVE-2023-30551: Fixed a potential denial of service when processing JAR META-INF files or .SIGN/.PKINFO files in APK files (bsc#1211210).

• updated to rekor 1.1.0 (jsc#SLE-23476): Functional Enhancements
• improve validation on intoto v0.0.2 type (#1351)
• add feature to limit HTTP request body length to process (#1334)
• add information about the file size limit (#1313)
• Add script to backfill Redis from Rekor (#1163)
• Feature: add search support for sha512 (#1142) Quality Enhancements
• various fuzzing fixes Bug Fixes
• remove goroutine usage from SearchLogQuery (#1407)
• drop log messages regarding attestation storage to debug (#1408)
• fix validation for proposed vs committed log entries for intoto v0.0.1 (#1309)
• fix: fix regex for multi-digit counts (#1321)
• return NotFound if treesize is 0 rather than calling trillian (#1311)
• enumerate slice to get sugared logs (#1312)
• put a reasonable size limit on ssh key reader (#1288)
• CLIENT: Fix Custom Host and Path Issue (#1306)
• do not persist local state if log is empty; fail consistency proofs from 0 size (#1290)
• correctly handle invalid or missing pki format (#1281)
• Add Verifier to get public key/cert and identities for entry type (#1210)
• fix goroutine leak in client; add insecure TLS option (#1238)
• Fix - Remove the force-recreate flag (#1179)
• trim whitespace around public keys before parsing (#1175)
• stop inserting envelope hash for intoto:0.0.2 types into index (#1171)
• Revert "remove double encoding of payload and signature fields for intoto (#1150)" (#1158)
• remove double encoding of payload and signature fields for intoto (#1150)
• fix SearchLogQuery behavior to conform to openapi spec (#1145)
• Remove pem-certificate-chain from client (#1138)
• fix flag type for operator in search (#1136)
• use sigstore/community dep review (#1132)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• openSUSE Leap 15.4
  zypper in -t patch openSUSE-SLE-15.4-2023-2210=1
• Basesystem Module 15-SP4
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP4-2023-2210=1

Package List:

• openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64)
  • rekor-1.1.1-150400.4.9.1
• Basesystem Module 15-SP4 (aarch64 ppc64le s390x x86_64)
  • rekor-1.1.1-150400.4.9.1

References:

• https://www.suse.com/security/cve/CVE-2023-30551.html
• https://bugzilla.suse.com/show_bug.cgi?id=1211210
• https://jira.suse.com/browse/SLE-23476