Security update for rekor

Announcement ID: SUSE-SU-2024:0460-1
Rating: important
References: bsc#1218207, jsc#SLE-23476
Cross-References: CVE-2023-48795
CVSS scores:
  • CVE-2023-48795 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
  • CVE-2023-48795 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Affected Products:
  • Basesystem Module 15-SP5
  • openSUSE Leap 15.4
  • openSUSE Leap 15.5
  • SUSE Linux Enterprise Desktop 15 SP5
  • SUSE Linux Enterprise High Performance Computing 15 SP5
  • SUSE Linux Enterprise Real Time 15 SP5
  • SUSE Linux Enterprise Server 15 SP5
  • SUSE Linux Enterprise Server for SAP Applications 15 SP5

An update that solves one vulnerability and contains one feature can now be installed.

Description:

This update for rekor fixes the following issues:

Updated to rekor 1.3.5 (jsc#SLE-23476):

  • Additional unique index correction
  • Remove timestamp from checkpoint
  • Drop conditional when verifying entry checkpoint
  • Fix panic for DSSE canonicalization
  • Change Redis value for locking mechanism
  • give log timestamps nanosecond precision
  • output trace in slog and override correlation header name

  • bumped embedded golang.org/x/crypto/ssh to fix the Terrapin attack CVE-2023-48795 (bsc#1218207)

Updated to 1.3.4:

  • add mysql indexstorage backend
  • add s3 storage for attestations
  • fix: Do not check for pubsub.topics.get on initialization
  • fix optional field in cose schema
  • Update ranges.go
  • update indexstorage interface to reduce roundtrips
  • use a single validator library in rekor-cli
  • Remove go-playground/validator dependency from pkg/pki

Updated to rekor 1.3.3 (jsc#SLE-23476):

  • Update signer flag description
  • update trillian to 1.5.3
  • adds redis_auth
  • Add method to get artifact hash for an entry
  • make e2e tests more usable with docker-compose
  • install go at correct version for codeql

Updated to rekor 1.3.2 (jsc#SLE-23476):

Updated to rekor 1.3.1 (jsc#SLE-23476):

New Features:

  • enable GCP cloud profiling on rekor-server (#1746)
  • move index storage into interface (#1741)
  • add info to readme to denote additional documentation sources (#1722)
  • Add type of ed25519 key for TUF (#1677)
  • Allow parsing base64-encoded TUF metadata and root content (#1671)

Quality Enhancements:

  • disable quota in trillian in test harness (#1680)

Bug Fixes:

  • Update contact for code of conduct (#1720)
  • Fix panic when parsing SSH SK pubkeys (#1712)
  • Correct index creation (#1708)
  • docs: fixes a small typo on the readme (#1686)
  • chore: fix backfill-redis Makefile target (#1685)

Updated to rekor 1.3.0 (jsc#SLE-23476):

  • Update openapi.yaml (#1655)
  • pass transient errors through retrieveLogEntry (#1653)
  • return full entryID on HTTP 409 responses (#1650)
  • feat: Support publishing new log entries to Pub/Sub topics (#1580)
  • Change values of Identity.Raw, add fingerprints (#1628)
  • Extract all subjects from SANs for x509 verifier (#1632)
  • Fix type comment for Identity struct (#1619)
  • Refactor Identities API (#1611)
  • Refactor Verifiers to return multiple keys (#1601)
  • Update checkpoint link (#1597)
  • Use correct log index in inclusion proof (#1599)
  • remove instrumentation library (#1595)

Updated to rekor 1.2.2 (jsc#SLE-23476):

  • pass down error with message instead of nil
  • swap killswitch for 'docker-compose restart'

  • CVE-2023-48795: Fixed Terrapin attack in embedded golang.org/x/crypto/ssh (bsc#1218207).

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • openSUSE Leap 15.4
    zypper in -t patch SUSE-2024-460=1
  • openSUSE Leap 15.5
    zypper in -t patch openSUSE-SLE-15.5-2024-460=1
  • Basesystem Module 15-SP5
    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP5-2024-460=1

Package List:

  • openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64 i586)
    • rekor-1.3.5-150400.4.19.1
    • rekor-debuginfo-1.3.5-150400.4.19.1
  • openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
    • rekor-1.3.5-150400.4.19.1
  • Basesystem Module 15-SP5 (aarch64 ppc64le s390x x86_64)
    • rekor-1.3.5-150400.4.19.1
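
As an added example, not part of this advisory or of the rekor project: a POSIX shell script that checks an installed rekor build against the fixed package version listed above, and reads the version of the embedded golang.org/x/crypto module from a rekor binary's Go build info (`go version -m`), since that module is where the CVE-2023-48795 fix lives. The binary path /usr/bin/rekor-server and the upstream fix version golang.org/x/crypto v0.17.0 are assumptions the advisory does not state; the build-info sample is constructed, not captured from a real binary.

```shell
#!/bin/sh
# Added example (not from the SUSE advisory or the rekor project): is the
# installed rekor at or above the fixed build, and which golang.org/x/crypto
# does a rekor binary embed? Assumptions not stated by the advisory: rpm is
# present for the live query, the server binary is /usr/bin/rekor-server,
# and the upstream fix for CVE-2023-48795 is in golang.org/x/crypto v0.17.0.

FIXED_REKOR_VERSION="1.3.5-150400.4.19.1"   # from the advisory's package list
FIXED_XCRYPTO_VERSION="v0.17.0"             # upstream knowledge, see above

# vercmp A B: compare dotted/hyphenated version strings field by field and
# print -1, 0 or 1. A missing trailing field counts as 0 (1.3.5 == 1.3.5.0);
# a non-numeric field (the hash of a Go pseudo-version) is treated as 0
# because the numeric fields before it already decide the order.
vercmp() {
    a=$(printf '%s' "$1" | sed 's/-/./g')
    b=$(printf '%s' "$2" | sed 's/-/./g')
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; if [ "$ai" = "$a" ]; then a=''; else a=${a#*.}; fi
        bi=${b%%.*}; if [ "$bi" = "$b" ]; then b=''; else b=${b#*.}; fi
        case $ai in ''|*[!0-9]*) ai=0;; esac
        case $bi in ''|*[!0-9]*) bi=0;; esac
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return 0; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# rekor_version_is_fixed VERSION-RELEASE: succeed if at or above the fixed build.
rekor_version_is_fixed() {
    [ "$(vercmp "$1" "$FIXED_REKOR_VERSION")" -ge 0 ]
}

# Read `go version -m <binary>` output on stdin and print the version of the
# embedded golang.org/x/crypto dependency (nothing if it is not embedded).
xcrypto_version_from_buildinfo() {
    awk '$1 == "dep" && $2 == "golang.org/x/crypto" { print $3; exit }'
}

# xcrypto_is_fixed VERSION: succeed if the embedded module is at or above the
# version carrying the Terrapin fix; an empty (unknown) version fails.
xcrypto_is_fixed() {
    [ -n "$1" ] && [ "$(vercmp "${1#v}" "${FIXED_XCRYPTO_VERSION#v}")" -ge 0 ]
}

# Constructed sample of `go version -m` output (not from a real binary) so
# the parser can be exercised without a rekor install.
SAMPLE_BUILDINFO='/usr/bin/rekor-server: go1.21.5
        path    github.com/sigstore/rekor/cmd/rekor-server
        mod     github.com/sigstore/rekor       v1.3.5  h1:placeholder=
        dep     golang.org/x/crypto     v0.17.0 h1:placeholder='

sample_xcrypto_version() {
    printf '%s\n' "$SAMPLE_BUILDINFO" | xcrypto_version_from_buildinfo
}

# Live check: rpm database plus, if the Go toolchain is present, the binary's
# embedded module list. Exit 0 when fixed or absent, 1 when an older build
# is installed (the zypper command in the advisory is then the remedy).
check_installed_rekor() {
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}' rekor 2>/dev/null) || {
        echo "rekor: package not installed, nothing to patch"; return 0; }
    if rekor_version_is_fixed "$installed"; then
        echo "rekor $installed: at or above fixed build $FIXED_REKOR_VERSION"
        status=0
    else
        echo "rekor $installed: older than $FIXED_REKOR_VERSION, apply the patch"
        status=1
    fi
    bin=/usr/bin/rekor-server   # assumed path
    if [ -x "$bin" ] && command -v go >/dev/null 2>&1; then
        xc=$(go version -m "$bin" | xcrypto_version_from_buildinfo)
        if xcrypto_is_fixed "$xc"; then
            echo "embedded golang.org/x/crypto $xc: carries the CVE-2023-48795 fix"
        else
            echo "embedded golang.org/x/crypto ${xc:-unknown}: predates the fix or unreadable"
        fi
    fi
    return "$status"
}

# Query the live system only where rpm exists; the functions above also work
# on captured strings, which is how they are exercised offline.
if command -v rpm >/dev/null 2>&1; then
    check_installed_rekor && rekor_status=0 || rekor_status=$?
    echo "overall status: $rekor_status"
fi
```

`vercmp` is a deliberately simple numeric comparison: it ignores rpm epochs and alphabetic release tags, which the versions on this page do not use; for anything else, rpm's own ordering (and `zypper patch`, which applies it) is authoritative. The build-info step matters because the package version alone says nothing about the vendored module; `go version -m` reads the dependency list baked into the binary at build time.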
