Security update for rekor

Announcement ID:	SUSE-SU-2024:0460-1
Rating:	important
References:	bsc#1218207 jsc#SLE-23476
Cross-References:	CVE-2023-48795
CVSS scores:	CVE-2023-48795 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2023-48795 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Affected Products:	Basesystem Module 15-SP5 openSUSE Leap 15.4 openSUSE Leap 15.5 SUSE Linux Enterprise Desktop 15 SP5 SUSE Linux Enterprise High Performance Computing 15 SP5 SUSE Linux Enterprise Real Time 15 SP5 SUSE Linux Enterprise Server 15 SP5 SUSE Linux Enterprise Server for SAP Applications 15 SP5

An update that solves one vulnerability and contains one feature can now be installed.

Description:

This update for rekor fixes the following issues:

update to 1.3.5 (jsc#SLE-23476):

Additional unique index correction
Remove timestamp from checkpoint
Drop conditional when verifying entry checkpoint
Fix panic for DSSE canonicalization
Change Redis value for locking mechanism
give log timestamps nanosecond precision
output trace in slog and override correlation header name
bumped embedded golang.org/x/crypto/ssh to fix the Terrapin attack CVE-2023-48795 (bsc#1218207)

Updated to 1.3.4:

add mysql indexstorage backend
add s3 storage for attestations
fix: Do not check for pubsub.topics.get on initialization
fix optional field in cose schema
Update ranges.go
update indexstorage interface to reduce roundtrips
use a single validator library in rekor-cli
Remove go-playground/validator dependency from pkg/pki

Updated to rekor 1.3.3 (jsc#SLE-23476):

Update signer flag description
update trillian to 1.5.3
adds redis_auth
Add method to get artifact hash for an entry
make e2e tests more usable with docker-compose
install go at correct version for codeql

Updated to rekor 1.3.2 (jsc#SLE-23476):

Updated to rekor 1.3.1 (jsc#SLE-23476):

New Features:

enable GCP cloud profiling on rekor-server (#1746)
move index storage into interface (#1741)
add info to readme to denote additional documentation sources (#1722)
Add type of ed25519 key for TUF (#1677)
Allow parsing base64-encoded TUF metadata and root content (#1671)

Quality Enhancements:

disable quota in trillian in test harness (#1680)

Bug Fixes:

Update contact for code of conduct (#1720)
Fix panic when parsing SSH SK pubkeys (#1712)
Correct index creation (#1708)
docs: fixzes a small typo on the readme (#1686)
chore: fix backfill-redis Makefile target (#1685)

Updated to rekor 1.3.0 (jsc#SLE-23476):

Update openapi.yaml (#1655)
pass transient errors through retrieveLogEntry (#1653)
return full entryID on HTTP 409 responses (#1650)
feat: Support publishing new log entries to Pub/Sub topics (#1580)
Change values of Identity.Raw, add fingerprints (#1628)
Extract all subjects from SANs for x509 verifier (#1632)
Fix type comment for Identity struct (#1619)
Refactor Identities API (#1611)
Refactor Verifiers to return multiple keys (#1601)
Update checkpoint link (#1597)
Use correct log index in inclusion proof (#1599)
remove instrumentation library (#1595)

Updated to rekor 1.2.2 (jsc#SLE-23476):

pass down error with message instead of nil
swap killswitch for 'docker-compose restart'
CVE-2023-48795: Fixed Terrapin attack in embedded golang.org/x/crypto/ssh (bsc#1218207).

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

openSUSE Leap 15.4
zypper in -t patch SUSE-2024-460=1
openSUSE Leap 15.5
zypper in -t patch openSUSE-SLE-15.5-2024-460=1
Basesystem Module 15-SP5
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP5-2024-460=1

Package List:

openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64 i586)
- rekor-debuginfo-1.3.5-150400.4.19.1
- rekor-1.3.5-150400.4.19.1
openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
- rekor-1.3.5-150400.4.19.1
Basesystem Module 15-SP5 (aarch64 ppc64le s390x x86_64)
- rekor-1.3.5-150400.4.19.1

Security update for rekor

Description:

Patch Instructions:

Package List:

References: