- GHSA-273p-m2cw-6833 / CVE-2026-23831 / bsc#1257132: Fixed lack of input validation that can cause a thread crash
- GHSA-j5w8-q4qc-rx2x / CVE-2025-58181 / bsc#1253817: Fixed golang.org/x/crypto/ssh: invalidated number of mechanisms can cause unbounded memory consumption
OBS-URL: https://build.opensuse.org/package/show/security/rekor?expand=0&rev=64
- Update to version 1.4.1 (jsc#SLE-23476):
* build(deps): Bump github.com/ulikunitz/xz from 0.5.12 to 0.5.14 (#2596)
CVE-2025-58058: rekor: github.com/ulikunitz/xz: github.com/ulikunitz/xz leaks memory (bsc#1248910)
* build(deps): Bump github.com/redis/go-redis/v9 from 9.11.0 to 9.12.1
CVE-2025-29923: rekor: github.com/redis/go-redis: potential out of order responses when `CLIENT SETINFO` times out during connection establishment (bsc#1241153)
* use less expensive gRPC call to implement GetLeafAndProofByHash (#2581)
* move to per-shard trillian client manager (#2564)
* use cheaper gRPC endpoint when we already have the inclusion proof (#2580)
* simplify hash and signature verification in rekord type (#2579)
* return correct error if GetLeafAndProofByHash fails (#2574) (forwarded request 1302193 from msmeissn)
OBS-URL: https://build.opensuse.org/request/show/1302197
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rekor?expand=0&rev=28
* build(deps): Bump github.com/ulikunitz/xz from 0.5.12 to 0.5.14 (#2596)
CVE-2025-58058: rekor: github.com/ulikunitz/xz: github.com/ulikunitz/xz leaks memory (bsc#1248910)
* build(deps): Bump github.com/redis/go-redis/v9 from 9.11.0 to 9.12.1
CVE-2025-29923: rekor: github.com/redis/go-redis: potential out of order responses when `CLIENT SETINFO` times out during connection establishment (bsc#1241153)
* use less expensive gRPC call to implement GetLeafAndProofByHash (#2581)
* move to per-shard trillian client manager (#2564)
* use cheaper gRPC endpoint when we already have the inclusion proof (#2580)
* simplify hash and signature verification in rekord type (#2579)
* return correct error if GetLeafAndProofByHash fails (#2574)
OBS-URL: https://build.opensuse.org/package/show/security/rekor?expand=0&rev=56
* Security fixes (over the last releases):
- CVE-2024-6104: rekor: hashicorp/go-retryablehttp: url might write sensitive information to log file (bsc#1227053)
- CVE-2023-45288: rekor: golang.org/x/net/http2: close connections when receiving too many headers (bsc#1236519)
- CVE-2025-27144: rekor: gopkg.in/go-jose/go-jose.v2,github.com/go-jose/go-jose/v4,github.com/go-jose/go-jose/v3: Go JOSE's Parsing Vulnerable to Denial of Service (bsc#1237638)
- CVE-2025-22868: rekor: golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2 (bsc#1239191)
- CVE-2025-22869: rekor: golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh (bsc#1239327)
- CVE-2025-30204: rekor: github.com/golang-jwt/jwt/v5: jwt-go allows excessive memory allocation during header parsing (bsc#1240468) (forwarded request 1268973 from msmeissn)
OBS-URL: https://build.opensuse.org/request/show/1268974
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rekor?expand=0&rev=26
- CVE-2024-6104: rekor: hashicorp/go-retryablehttp: url might write sensitive information to log file (bsc#1227053)
- CVE-2023-45288: rekor: golang.org/x/net/http2: close connections when receiving too many headers (bsc#1236519)
- CVE-2025-27144: rekor: gopkg.in/go-jose/go-jose.v2,github.com/go-jose/go-jose/v4,github.com/go-jose/go-jose/v3: Go JOSE's Parsing Vulnerable to Denial of Service (bsc#1237638)
- CVE-2025-22868: rekor: golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2 (bsc#1239191)
- CVE-2025-22869: rekor: golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh (bsc#1239327)
- CVE-2025-30204: rekor: github.com/golang-jwt/jwt/v5: jwt-go allows excessive memory allocation during header parsing (bsc#1240468)
OBS-URL: https://build.opensuse.org/package/show/security/rekor?expand=0&rev=52
- update to 1.3.5 (jsc#SLE-23476):
- Additional unique index correction
- Remove timestamp from checkpoint
- Drop conditional when verifying entry checkpoint
- Fix panic for DSSE canonicalization
- Change Redis value for locking mechanism
- give log timestamps nanosecond precision
- output trace in slog and override correlation header name
- bumped embedded golang.org/x/crypto/ssh to fix the Terrapin attack CVE-2023-48795 (bsc#1218207) (forwarded request 1144325 from msmeissn)
OBS-URL: https://build.opensuse.org/request/show/1144326
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rekor?expand=0&rev=21
- update to 1.3.5 (jsc#SLE-23476):
- Additional unique index correction
- Remove timestamp from checkpoint
- Drop conditional when verifying entry checkpoint
- Fix panic for DSSE canonicalization
- Change Redis value for locking mechanism
- give log timestamps nanosecond precision
- output trace in slog and override correlation header name
- bumped embedded golang.org/x/crypto/ssh to fix the Terrapin attack CVE-2023-48795 (bsc#1218207)
OBS-URL: https://build.opensuse.org/request/show/1144325
OBS-URL: https://build.opensuse.org/package/show/security/rekor?expand=0&rev=41
- update to 1.3.4:
* add mysql indexstorage backend
* add s3 storage for attestations
* fix: Do not check for pubsub.topics.get on initialization
* fix optional field in cose schema
* Update ranges.go
* update indexstorage interface to reduce roundtrips
* use a single validator library in rekor-cli
* Remove go-playground/validator dependency from pkg/pki
OBS-URL: https://build.opensuse.org/request/show/1142127
OBS-URL: https://build.opensuse.org/package/show/security/rekor?expand=0&rev=39
- updated to rekor 1.3.3 (jsc#SLE-23476):
- Update signer flag description
- update trillian to 1.5.3
- adds redis_auth
- Add method to get artifact hash for an entry
- make e2e tests more usable with docker-compose
- install go at correct version for codeql
- updated to rekor 1.3.2 (jsc#SLE-23476):
- updated to rekor 1.3.1 (jsc#SLE-23476):
New Features:
- enable GCP cloud profiling on rekor-server (#1746)
- move index storage into interface (#1741)
- add info to readme to denote additional documentation sources (#1722)
- Add type of ed25519 key for TUF (#1677)
- Allow parsing base64-encoded TUF metadata and root content (#1671)
Quality Enhancements:
- disable quota in trillian in test harness (#1680)
Bug Fixes:
- Update contact for code of conduct (#1720)
- Fix panic when parsing SSH SK pubkeys (#1712)
- Correct index creation (#1708)
- docs: fixes a small typo on the readme (#1686)
- chore: fix backfill-redis Makefile target (#1685) (forwarded request 1128621 from msmeissn)
OBS-URL: https://build.opensuse.org/request/show/1128622
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rekor?expand=0&rev=19
- updated to rekor 1.3.3 (jsc#SLE-23476):
- Update signer flag description
- update trillian to 1.5.3
- adds redis_auth
- Add method to get artifact hash for an entry
- make e2e tests more usable with docker-compose
- install go at correct version for codeql
- updated to rekor 1.3.2 (jsc#SLE-23476):
- updated to rekor 1.3.1 (jsc#SLE-23476):
New Features:
- enable GCP cloud profiling on rekor-server (#1746)
- move index storage into interface (#1741)
- add info to readme to denote additional documentation sources (#1722)
- Add type of ed25519 key for TUF (#1677)
- Allow parsing base64-encoded TUF metadata and root content (#1671)
Quality Enhancements:
- disable quota in trillian in test harness (#1680)
Bug Fixes:
- Update contact for code of conduct (#1720)
- Fix panic when parsing SSH SK pubkeys (#1712)
- Correct index creation (#1708)
- docs: fixes a small typo on the readme (#1686)
- chore: fix backfill-redis Makefile target (#1685)
OBS-URL: https://build.opensuse.org/request/show/1128621
OBS-URL: https://build.opensuse.org/package/show/security/rekor?expand=0&rev=37
- updated to rekor 1.3.0 (jsc#SLE-23476):
- Update openapi.yaml (#1655)
- pass transient errors through retrieveLogEntry (#1653)
- return full entryID on HTTP 409 responses (#1650)
- feat: Support publishing new log entries to Pub/Sub topics (#1580)
- Change values of Identity.Raw, add fingerprints (#1628)
- Extract all subjects from SANs for x509 verifier (#1632)
- Fix type comment for Identity struct (#1619)
- Refactor Identities API (#1611)
- Refactor Verifiers to return multiple keys (#1601)
- Update checkpoint link (#1597)
- Use correct log index in inclusion proof (#1599)
- remove instrumentation library (#1595)
- updated to rekor 1.2.2 (jsc#SLE-23476):
- pass down error with message instead of nil
- swap killswitch for 'docker-compose restart' (forwarded request 1108429 from msmeissn)
OBS-URL: https://build.opensuse.org/request/show/1108430
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rekor?expand=0&rev=18
- updated to rekor 1.3.0 (jsc#SLE-23476):
- Update openapi.yaml (#1655)
- pass transient errors through retrieveLogEntry (#1653)
- return full entryID on HTTP 409 responses (#1650)
- feat: Support publishing new log entries to Pub/Sub topics (#1580)
- Change values of Identity.Raw, add fingerprints (#1628)
- Extract all subjects from SANs for x509 verifier (#1632)
- Fix type comment for Identity struct (#1619)
- Refactor Identities API (#1611)
- Refactor Verifiers to return multiple keys (#1601)
- Update checkpoint link (#1597)
- Use correct log index in inclusion proof (#1599)
- remove instrumentation library (#1595)
- updated to rekor 1.2.2 (jsc#SLE-23476):
- pass down error with message instead of nil
- swap killswitch for 'docker-compose restart'
OBS-URL: https://build.opensuse.org/request/show/1108429
OBS-URL: https://build.opensuse.org/package/show/security/rekor?expand=0&rev=35
- updated to rekor 1.2.1 (jsc#SLE-23476):
Security fix:
- CVE-2023-33199: Fixed that malformed proposed intoto v0.0.2 entries can cause a panic (bsc#1211790)
Functional Enhancements
- add client method to generate TLE struct (#1498)
- add dsse type (#1487)
- support other KMS providers (AWS, Azure, Hashicorp) in addition to GCP (#1488)
- Add concurrency to backfill-redis (#1504)
- omit informational message if machine-parseable output has been requested (#1486)
- Publish stable checkpoint periodically to Redis (#1461)
- Add intoto v0.0.2 to backfill script (#1500)
- add new method to test insertability of proposed entries into log (#1410)
Quality Enhancements
- use t.Skip() in fuzzers (#1506)
- improve fuzzing coverage (#1499)
- Remove watcher script (#1484)
Bug Fixes
- Merge pull request from GHSA-frqx-jfcm-6jjr (CVE-2023-33199)
- Remove requirement of PayloadHash for intoto 0.0.1 (#1490)
- fix lint errors, bump linter up to 1.52 (#1485)
- Remove dependencies from pkg/util (#1469) (forwarded request 1089735 from msmeissn)
OBS-URL: https://build.opensuse.org/request/show/1089753
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rekor?expand=0&rev=17
- updated to rekor 1.2.1 (jsc#SLE-23476):
Security fix:
- CVE-2023-33199: Fixed that malformed proposed intoto v0.0.2 entries can cause a panic (bsc#1211790)
Functional Enhancements
- add client method to generate TLE struct (#1498)
- add dsse type (#1487)
- support other KMS providers (AWS, Azure, Hashicorp) in addition to GCP (#1488)
- Add concurrency to backfill-redis (#1504)
- omit informational message if machine-parseable output has been requested (#1486)
- Publish stable checkpoint periodically to Redis (#1461)
- Add intoto v0.0.2 to backfill script (#1500)
- add new method to test insertability of proposed entries into log (#1410)
Quality Enhancements
- use t.Skip() in fuzzers (#1506)
- improve fuzzing coverage (#1499)
- Remove watcher script (#1484)
Bug Fixes
- Merge pull request from GHSA-frqx-jfcm-6jjr (CVE-2023-33199)
- Remove requirement of PayloadHash for intoto 0.0.1 (#1490)
- fix lint errors, bump linter up to 1.52 (#1485)
- Remove dependencies from pkg/util (#1469)
OBS-URL: https://build.opensuse.org/request/show/1089735
OBS-URL: https://build.opensuse.org/package/show/security/rekor?expand=0&rev=33
- updated to rekor 1.1.0 (jsc#SLE-23476):
Functional Enhancements
- improve validation on intoto v0.0.2 type (#1351)
- add feature to limit HTTP request body length to process (#1334)
- add information about the file size limit (#1313)
- Add script to backfill Redis from Rekor (#1163)
- Feature: add search support for sha512 (#1142)
Quality Enhancements
- various fuzzing fixes
Bug Fixes
- remove goroutine usage from SearchLogQuery (#1407)
- drop log messages regarding attestation storage to debug (#1408)
- fix validation for proposed vs committed log entries for intoto v0.0.1 (#1309)
- fix: fix regex for multi-digit counts (#1321)
- return NotFound if treesize is 0 rather than calling trillian (#1311)
- enumerate slice to get sugared logs (#1312)
- put a reasonable size limit on ssh key reader (#1288)
- CLIENT: Fix Custom Host and Path Issue (#1306)
- do not persist local state if log is empty; fail consistency proofs from 0 size (#1290)
- correctly handle invalid or missing pki format (#1281)
- Add Verifier to get public key/cert and identities for entry type (#1210)
- fix goroutine leak in client; add insecure TLS option (#1238)
- Fix - Remove the force-recreate flag (#1179)
- trim whitespace around public keys before parsing (#1175)
- stop inserting envelope hash for intoto:0.0.2 types into index (#1171)
- Revert "remove double encoding of payload and signature fields for intoto (#1150)" (#1158)
- remove double encoding of payload and signature fields for intoto (#1150)
- fix SearchLogQuery behavior to conform to openapi spec (#1145)
- Remove pem-certificate-chain from client (#1138)
- fix flag type for operator in search (#1136) (forwarded request 1077454 from msmeissn)
OBS-URL: https://build.opensuse.org/request/show/1077494
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rekor?expand=0&rev=14
- updated to rekor 1.1.0 (jsc#SLE-23476):
Functional Enhancements
- improve validation on intoto v0.0.2 type (#1351)
- add feature to limit HTTP request body length to process (#1334)
- add information about the file size limit (#1313)
- Add script to backfill Redis from Rekor (#1163)
- Feature: add search support for sha512 (#1142)
Quality Enhancements
- various fuzzing fixes
Bug Fixes
- remove goroutine usage from SearchLogQuery (#1407)
- drop log messages regarding attestation storage to debug (#1408)
- fix validation for proposed vs committed log entries for intoto v0.0.1 (#1309)
- fix: fix regex for multi-digit counts (#1321)
- return NotFound if treesize is 0 rather than calling trillian (#1311)
- enumerate slice to get sugared logs (#1312)
- put a reasonable size limit on ssh key reader (#1288)
- CLIENT: Fix Custom Host and Path Issue (#1306)
- do not persist local state if log is empty; fail consistency proofs from 0 size (#1290)
- correctly handle invalid or missing pki format (#1281)
- Add Verifier to get public key/cert and identities for entry type (#1210)
- fix goroutine leak in client; add insecure TLS option (#1238)
- Fix - Remove the force-recreate flag (#1179)
- trim whitespace around public keys before parsing (#1175)
- stop inserting envelope hash for intoto:0.0.2 types into index (#1171)
- Revert "remove double encoding of payload and signature fields for intoto (#1150)" (#1158)
- remove double encoding of payload and signature fields for intoto (#1150)
- fix SearchLogQuery behavior to conform to openapi spec (#1145)
- Remove pem-certificate-chain from client (#1138)
- fix flag type for operator in search (#1136)
OBS-URL: https://build.opensuse.org/request/show/1077454
OBS-URL: https://build.opensuse.org/package/show/security/rekor?expand=0&rev=27
- updated to rekor 0.12.1 (jsc#SLE-23476):
- ** Rekor ** v0.12.1 comes with a breaking change to rekor-cli v0.12.1. Users of rekor-cli MUST upgrade to the latest version
The addition of the intotov2 created a breaking change for the rekor-cli
- What's Changed
- fix: fix harness tests with intoto v0.0.2 by @asraa in #1052
- feat: add file based signer and password by @asraa in #1049
- Adds new rekor metrics for latency and QPS. by @var-sdk in #1059
OBS-URL: https://build.opensuse.org/request/show/1006397
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rekor?expand=0&rev=10
- updated to rekor 0.12.1 (jsc#SLE-23476):
- ** Rekor ** v0.12.1 comes with a breaking change to rekor-cli v0.12.1. Users of rekor-cli MUST upgrade to the latest version
The addition of the intotov2 created a breaking change for the rekor-cli
- What's Changed
- fix: fix harness tests with intoto v0.0.2 by @asraa in #1052
- feat: add file based signer and password by @asraa in #1049
- Adds new rekor metrics for latency and QPS. by @var-sdk in #1059
OBS-URL: https://build.opensuse.org/request/show/1006388
OBS-URL: https://build.opensuse.org/package/show/security/rekor?expand=0&rev=18
- updated to rekor 0.12.0 (jsc#SLE-23476):
- check supportedVersions list rather than directly reading from version map by @bobcallaway in #1003
- enable blocking specific pluggable type versions from being inserted into the log by @bobcallaway in #1004
- api.SearchLogQueryHandler thread safety by @cdris in #1006
- 'docker compose' to 'docker-compose' by @bobcallaway in #1009
- Intoto v0.0.2 by @pxp928 in #973
- Add bounds on number of elements in api/v1/log/entries/retrieve by @priyawadhwa in #1011
- Change Checkpoint origin to be "Hostname - Tree ID" by @haydentherapper in #1013
- feat: add verification functions by @asraa in #986
- Validate tree ID on calls to /api/v1/log/entries/retrieve by @priyawadhwa in #1017
- Include checkpoint (STH) in entry upload and retrieve responses by @haydentherapper in #1015
- fix: use entry uuid uniformly in return responses by @asraa in #1012
- remove /api/v1/version endpoint by @bobcallaway in #1022
- Fix rekor-cli backwards incompatibility & run harness tests against HEAD by @priyawadhwa in #1030
- Fix harness tests @ main by @priyawadhwa in #1038
- Fetch all tags in harness tests by @priyawadhwa in #1039
- fix retrieve endpoint response code and add testing by @asraa in #1043
- updated to rekor 0.11.0:
- Add rekor harness tests by @priyawadhwa in #945
- Persist and check attestations across harness tests by @priyawadhwa in #952
- Add harness test for getting all entries by UUID and EntryID by @priyawadhwa in #957
- api: fix inclusion proof verification flake by @asraa in #956
- change default value for rekor_server.hostname to server's hostname by @bobcallaway in #963
- fix nil-pointer error when artifact-hash is passed without artifact by @dsa0x in #965
- Add prometheus summary to track metric latency by @priyawadhwa in #966
- compute payload and envelope hashes upon validating intoto proposed entries by @bobcallaway in #967
- update field documentation on publicKey for hashedrekord by @bobcallaway in #969
- Allow sharding config to be written in yaml or json by @priyawadhwa in #974
- fix incorrect schema id for cose type by @bobcallaway in #979
- fix: make rekor verify work with sharded uuids by @asraa in #970 (forwarded request 1003862 from msmeissn)
OBS-URL: https://build.opensuse.org/request/show/1003863
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rekor?expand=0&rev=9
- updated to rekor 0.12.0 (jsc#SLE-23476):
- check supportedVersions list rather than directly reading from version map by @bobcallaway in #1003
- enable blocking specific pluggable type versions from being inserted into the log by @bobcallaway in #1004
- api.SearchLogQueryHandler thread safety by @cdris in #1006
- 'docker compose' to 'docker-compose' by @bobcallaway in #1009
- Intoto v0.0.2 by @pxp928 in #973
- Add bounds on number of elements in api/v1/log/entries/retrieve by @priyawadhwa in #1011
- Change Checkpoint origin to be "Hostname - Tree ID" by @haydentherapper in #1013
- feat: add verification functions by @asraa in #986
- Validate tree ID on calls to /api/v1/log/entries/retrieve by @priyawadhwa in #1017
- Include checkpoint (STH) in entry upload and retrieve responses by @haydentherapper in #1015
- fix: use entry uuid uniformly in return responses by @asraa in #1012
- remove /api/v1/version endpoint by @bobcallaway in #1022
- Fix rekor-cli backwards incompatibility & run harness tests against HEAD by @priyawadhwa in #1030
- Fix harness tests @ main by @priyawadhwa in #1038
- Fetch all tags in harness tests by @priyawadhwa in #1039
- fix retrieve endpoint response code and add testing by @asraa in #1043
- updated to rekor 0.11.0:
- Add rekor harness tests by @priyawadhwa in #945
- Persist and check attestations across harness tests by @priyawadhwa in #952
- Add harness test for getting all entries by UUID and EntryID by @priyawadhwa in #957
- api: fix inclusion proof verification flake by @asraa in #956
- change default value for rekor_server.hostname to server's hostname by @bobcallaway in #963
- fix nil-pointer error when artifact-hash is passed without artifact by @dsa0x in #965
- Add prometheus summary to track metric latency by @priyawadhwa in #966
- compute payload and envelope hashes upon validating intoto proposed entries by @bobcallaway in #967
- update field documentation on publicKey for hashedrekord by @bobcallaway in #969
- Allow sharding config to be written in yaml or json by @priyawadhwa in #974
- fix incorrect schema id for cose type by @bobcallaway in #979
- fix: make rekor verify work with sharded uuids by @asraa in #970
OBS-URL: https://build.opensuse.org/request/show/1003862
OBS-URL: https://build.opensuse.org/package/show/security/rekor?expand=0&rev=16