Accepting request 1089735 from home:msmeissn:branches:security

- updated to rekor 1.2.1 (jsc#SLE-23476):
  Security fix:
  - CVE-2023-33199: Fixed that malformed proposed intoto v0.0.2 entries can cause a panic (bsc#1211790)
  Functional Enhancements
  - add client method to generate TLE struct (#1498)
  - add dsse type (#1487)
  - support other KMS providers (AWS, Azure, Hashicorp) in addition to GCP (#1488)
  - Add concurrency to backfill-redis (#1504)
  - omit informational message if machine-parseable output has been requested (#1486)
  - Publish stable checkpoint periodically to Redis (#1461)
  - Add intoto v0.0.2 to backfill script (#1500)
  - add new method to test insertability of proposed entries into log (#1410)
  Quality Enhancements
  - use t.Skip() in fuzzers (#1506)
  - improve fuzzing coverage (#1499)
  - Remove watcher script (#1484)
  Bug Fixes
  - Merge pull request from GHSA-frqx-jfcm-6jjr (CVE-2023-33199)
  - Remove requirement of PayloadHash for intoto 0.0.1 (#1490)
  - fix lint errors, bump linter up to 1.52 (#1485)
  - Remove dependencies from pkg/util (#1469)

OBS-URL: https://build.opensuse.org/request/show/1089735
OBS-URL: https://build.opensuse.org/package/show/security/rekor?expand=0&rev=33

rekor-1.1.1.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:774a34cf4dbd126a30e510d8d4f36865fae4165f4a4c2d9625937cc2623bec9b
-size 870643

rekor-1.2.1.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7c90f30a81c9107e3887c8393d30bcd9cd52de2cc46f311ac68fc1fcdfd5019d
+size 934956

rekor.changes

@@ -1,3 +1,36 @@
+-------------------------------------------------------------------
+Tue May 30 07:52:52 UTC 2023 - Marcus Meissner <meissner@suse.com>
+
+- updated to rekor 1.2.1 (jsc#SLE-23476):
+
+  Security fix:
+
+  - CVE-2023-33199: Fixed that malformed proposed intoto v0.0.2 entries can cause a panic (bsc#1211790)
+
+  Functional Enhancements
+
+  - add client method to generate TLE struct (#1498)
+  - add dsse type (#1487)
+  - support other KMS providers (AWS, Azure, Hashicorp) in addition to GCP (#1488)
+  - Add concurrency to backfill-redis (#1504)
+  - omit informational message if machine-parseable output has been requested (#1486)
+  - Publish stable checkpoint periodically to Redis (#1461)
+  - Add intoto v0.0.2 to backfill script (#1500)
+  - add new method to test insertability of proposed entries into log (#1410)
+
+  Quality Enhancements
+
+  - use t.Skip() in fuzzers (#1506)
+  - improve fuzzing coverage (#1499)
+  - Remove watcher script (#1484)
+
+  Bug Fixes
+
+  - Merge pull request from GHSA-frqx-jfcm-6jjr (CVE-2023-33199)
+  - Remove requirement of PayloadHash for intoto 0.0.1 (#1490)
+  - fix lint errors, bump linter up to 1.52 (#1485)
+  - Remove dependencies from pkg/util (#1469)
+
 -------------------------------------------------------------------
 Wed May  3 12:23:27 UTC 2023 - Marcus Meissner <meissner@suse.com>
 

rekor.spec

@@ -19,9 +19,9 @@
 %define apps cli server
 
 Name:           rekor
-Version:        1.1.1
+Version:        1.2.1
 Release:        0
-%define revision 0c1914e5e955cb9f514e32b222cf61a13e91ab08
+%define revision 576458cb53269ed54dccf8a43271ee02a785c191
 Summary:        Supply Chain Transparency Log
 License:        Apache-2.0
 URL:            https://github.com/sigstore/rekor

vendor.tar.xz

@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:d4897ee6f6092ef597e670e560beed665e3559df94538c6faccb7e6b36065232
-size 4343516
+oid sha256:310fe439c2ada6b89a4340716a8b25497304c760f33cc9d6a26a2cca9e674838
+size 5692644