From dbe9cb9c1d8ed1a81dc816e834f9e2860902f7e9667f6bbb773344c6ae4e123b Mon Sep 17 00:00:00 2001
From: Marcus Meissner
Date: Tue, 30 May 2023 08:36:51 +0000
Subject: [PATCH] Accepting request 1089735 from home:msmeissn:branches:security

- updated to rekor 1.2.1 (jsc#SLE-23476):
Security fix:
- CVE-2023-33199: Fixed that malformed proposed intoto v0.0.2 entries can cause a panic (bsc#1211790)
Functional Enhancements
- add client method to generate TLE struct (#1498)
- add dsse type (#1487)
- support other KMS providers (AWS, Azure, Hashicorp) in addition to GCP (#1488)
- Add concurrency to backfill-redis (#1504)
- omit informational message if machine-parseable output has been requested (#1486)
- Publish stable checkpoint periodically to Redis (#1461)
- Add intoto v0.0.2 to backfill script (#1500)
- add new method to test insertability of proposed entries into log (#1410)
Quality Enhancements
- use t.Skip() in fuzzers (#1506)
- improve fuzzing coverage (#1499)
- Remove watcher script (#1484)
Bug Fixes
- Merge pull request from GHSA-frqx-jfcm-6jjr (CVE-2023-33199)
- Remove requirement of PayloadHash for intoto 0.0.1 (#1490)
- fix lint errors, bump linter up to 1.52 (#1485)
- Remove dependencies from pkg/util (#1469)
OBS-URL: https://build.opensuse.org/request/show/1089735
OBS-URL: https://build.opensuse.org/package/show/security/rekor?expand=0&rev=33
---
 rekor-1.1.1.tar.gz | 3 ---
 rekor-1.2.1.tar.gz | 3 +++
 rekor.changes | 33 +++++++++++++++++++++++++++++++++
 rekor.spec | 4 ++--
 vendor.tar.xz | 4 ++--
 5 files changed, 40 insertions(+), 7 deletions(-)
 delete mode 100644 rekor-1.1.1.tar.gz
 create mode 100644 rekor-1.2.1.tar.gz

diff --git a/rekor-1.1.1.tar.gz b/rekor-1.1.1.tar.gz
deleted file mode 100644
index b25e256..0000000
--- a/rekor-1.1.1.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:774a34cf4dbd126a30e510d8d4f36865fae4165f4a4c2d9625937cc2623bec9b
-size 870643
diff --git a/rekor-1.2.1.tar.gz b/rekor-1.2.1.tar.gz
new file mode 100644
index 0000000..aa24887
--- /dev/null
+++ b/rekor-1.2.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7c90f30a81c9107e3887c8393d30bcd9cd52de2cc46f311ac68fc1fcdfd5019d
+size 934956
diff --git a/rekor.changes b/rekor.changes
index b538403..b3b53ea 100644
--- a/rekor.changes
+++ b/rekor.changes
@@ -1,3 +1,36 @@
+-------------------------------------------------------------------
+Tue May 30 07:52:52 UTC 2023 - Marcus Meissner
+
+- updated to rekor 1.2.1 (jsc#SLE-23476):
+
+ Security fix:
+
+ - CVE-2023-33199: Fixed that malformed proposed intoto v0.0.2 entries can cause a panic (bsc#1211790)
+
+ Functional Enhancements
+
+ - add client method to generate TLE struct (#1498)
+ - add dsse type (#1487)
+ - support other KMS providers (AWS, Azure, Hashicorp) in addition to GCP (#1488)
+ - Add concurrency to backfill-redis (#1504)
+ - omit informational message if machine-parseable output has been requested (#1486)
+ - Publish stable checkpoint periodically to Redis (#1461)
+ - Add intoto v0.0.2 to backfill script (#1500)
+ - add new method to test insertability of proposed entries into log (#1410)
+
+ Quality Enhancements
+
+ - use t.Skip() in fuzzers (#1506)
+ - improve fuzzing coverage (#1499)
+ - Remove watcher script (#1484)
+
+ Bug Fixes
+
+ - Merge pull request from GHSA-frqx-jfcm-6jjr (CVE-2023-33199)
+ - Remove requirement of PayloadHash for intoto 0.0.1 (#1490)
+ - fix lint errors, bump linter up to 1.52 (#1485)
+ - Remove dependencies from pkg/util (#1469)
+
 -------------------------------------------------------------------
 Wed May 3 12:23:27 UTC 2023 - Marcus Meissner
diff --git a/rekor.spec b/rekor.spec
index ca93265..e726caa 100644
--- a/rekor.spec
+++ b/rekor.spec
@@ -19,9 +19,9 @@ %define apps cli server
 Name: rekor
-Version: 1.1.1
+Version: 1.2.1
 Release: 0
-%define revision 0c1914e5e955cb9f514e32b222cf61a13e91ab08
+%define revision 576458cb53269ed54dccf8a43271ee02a785c191
 Summary: Supply Chain Transparency Log
 License: Apache-2.0
 URL: https://github.com/sigstore/rekor
diff --git a/vendor.tar.xz b/vendor.tar.xz
index 1284db3..3f55759 100644
--- a/vendor.tar.xz
+++ b/vendor.tar.xz
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:d4897ee6f6092ef597e670e560beed665e3559df94538c6faccb7e6b36065232
-size 4343516
+oid sha256:310fe439c2ada6b89a4340716a8b25497304c760f33cc9d6a26a2cca9e674838
+size 5692644