<div class="container">
<h1>Security update for rekor</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-SU-2023:2210-1</td>
</tr>
<tr>
<th>Rating:</th>
<td>important</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1211210">#1211210</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>Cross-References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2023-30551.html">CVE-2023-30551</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>CVSS scores:</th>
<td>
<ul class="list-group">
<li class="list-group-item">
<span class="cvss-reference">CVE-2023-30551</span>
<span class="cvss-source">(SUSE):</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2023-30551</span>
<span class="cvss-source">(NVD):</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</span>
</li>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">Basesystem Module 15-SP4</li>
<li class="list-group-item">openSUSE Leap 15.4</li>
<li class="list-group-item">SUSE Linux Enterprise Desktop 15 SP4</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing 15 SP4</li>
<li class="list-group-item">SUSE Linux Enterprise Real Time 15 SP4</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP4</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 15 SP4</li>
<li class="list-group-item">SUSE Manager Proxy 4.3</li>
<li class="list-group-item">SUSE Manager Retail Branch Server 4.3</li>
<li class="list-group-item">SUSE Manager Server 4.3</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that solves one vulnerability and contains one feature can now be installed.</p>
<h2>Description:</h2>
<p>This update for rekor fixes the following issues:</p>
<p>Updated to version 1.1.1 (jsc#SLE-23476):</p>
<p>Functional Enhancements</p>
<ul>
<li>Refactor Trillian client with exported methods (#1454)</li>
<li>Switch to official redis-go client (#1459)</li>
<li>Remove replace in go.mod (#1444)</li>
<li>Add Rekor OID info. (#1390)</li>
</ul>
<p>Quality Enhancements</p>
<ul>
<li>remove legacy encrypted cosign key (#1446)</li>
<li>swap cjson dependency (#1441)</li>
<li>Update release readme (#1456)</li>
</ul>
<p>Security fixes:</p>
<ul>
<li>CVE-2023-30551: Fixed a potential denial of service when processing JAR META-INF files or .SIGN/.PKINFO files in APK files (bsc#1211210).</li>
</ul>
<p>Updated to rekor 1.1.0 (jsc#SLE-23476):</p>
<p>Functional Enhancements</p>
<ul>
<li>improve validation on intoto v0.0.2 type (#1351)</li>
<li>add feature to limit HTTP request body length to process (#1334)</li>
<li>add information about the file size limit (#1313)</li>
<li>Add script to backfill Redis from Rekor (#1163)</li>
<li>Feature: add search support for sha512 (#1142)</li>
</ul>
<p>Quality Enhancements</p>
<ul>
<li>various fuzzing fixes</li>
</ul>
<p>Bug Fixes</p>
<ul>
<li>remove goroutine usage from SearchLogQuery (#1407)</li>
<li>drop log messages regarding attestation storage to debug (#1408)</li>
<li>fix validation for proposed vs committed log entries for intoto v0.0.1 (#1309)</li>
<li>fix: fix regex for multi-digit counts (#1321)</li>
<li>return NotFound if treesize is 0 rather than calling trillian (#1311)</li>
<li>enumerate slice to get sugared logs (#1312)</li>
<li>put a reasonable size limit on ssh key reader (#1288)</li>
<li>CLIENT: Fix Custom Host and Path Issue (#1306)</li>
<li>do not persist local state if log is empty; fail consistency proofs from 0 size (#1290)</li>
<li>correctly handle invalid or missing pki format (#1281)</li>
<li>Add Verifier to get public key/cert and identities for entry type (#1210)</li>
<li>fix goroutine leak in client; add insecure TLS option (#1238)</li>
<li>Fix - Remove the force-recreate flag (#1179)</li>
<li>trim whitespace around public keys before parsing (#1175)</li>
<li>stop inserting envelope hash for intoto:0.0.2 types into index (#1171)</li>
<li>Revert "remove double encoding of payload and signature fields for intoto (#1150)" (#1158)</li>
<li>remove double encoding of payload and signature fields for intoto (#1150)</li>
<li>fix SearchLogQuery behavior to conform to openapi spec (#1145)</li>
<li>Remove pem-certificate-chain from client (#1138)</li>
<li>fix flag type for operator in search (#1136)</li>
<li>use sigstore/community dep review (#1132)</li>
</ul>
<h2>Patch Instructions:</h2>
<p>
To install this SUSE Important update, use the SUSE recommended
installation methods such as YaST online_update or "zypper patch".<br/>
Alternatively, run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
openSUSE Leap 15.4
<br/>
<code>zypper in -t patch openSUSE-SLE-15.4-2023-2210=1</code>
</li>
<li class="list-group-item">
Basesystem Module 15-SP4
<br/>
<code>zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP4-2023-2210=1</code>
</li>
</ul>
<h2>Package List:</h2>
<ul>
<li>
openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64)
<ul>
<li>rekor-1.1.1-150400.4.9.1</li>
</ul>
</li>
<li>
Basesystem Module 15-SP4 (aarch64 ppc64le s390x x86_64)
<ul>
<li>rekor-1.1.1-150400.4.9.1</li>
</ul>
</li>
</ul>
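<p>To confirm that a host already carries the fixed build, the following shell script (an added example, not part of this advisory) compares the installed rekor version-release, as reported by rpm, against the 1.1.1-150400.4.9.1 build from the package list above; the numeric field-by-field comparison it uses is a simplification of rpm's own version ordering that is adequate for these purely numeric strings.</p>

```shell
#!/bin/sh
# Added example (not part of the SUSE advisory): report whether the rekor
# package on a SUSE/openSUSE 15.4 host is at or above the fixed build
# rekor-1.1.1-150400.4.9.1 listed in this advisory for CVE-2023-30551.

FIXED_VR="1.1.1-150400.4.9.1"   # version-release from the advisory's Package List

# vr_cmp A B: prints -1, 0 or 1 as A is older than, equal to or newer than B.
# Fields are split on '.' and '-' and compared numerically left to right;
# a missing trailing field counts as 0. This is a simplification of rpm's
# own comparison that is adequate for the purely numeric versions involved.
vr_cmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "[.-]"); nb = split(b, y, "[.-]")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) { print "-1"; exit }
            if (xi > yi) { print "1"; exit }
        }
        print "0"
    }'
}

# rekor_fix_status VR: "fixed" if VR is at least FIXED_VR, else "vulnerable".
rekor_fix_status() {
    if [ "$(vr_cmp "$1" "$FIXED_VR")" = "-1" ]; then
        echo vulnerable
    else
        echo fixed
    fi
}

# On a real host, ask rpm for the installed version-release (for example
# "1.1.1-150400.4.9.1") and classify it; this step is skipped where rpm is absent.
if command -v rpm >/dev/null 2>&1; then
    if installed=$(rpm -q --queryformat '%{VERSION}-%{RELEASE}' rekor 2>/dev/null); then
        echo "rekor $installed: $(rekor_fix_status "$installed")"
    else
        echo "rekor is not installed"
    fi
fi
```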
<h2>References:</h2>
<ul>
<li>
<a href="https://www.suse.com/security/cve/CVE-2023-30551.html">https://www.suse.com/security/cve/CVE-2023-30551.html</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1211210">https://bugzilla.suse.com/show_bug.cgi?id=1211210</a>
</li>
<li>
<a href="https://jira.suse.com/browse/SLE-23476">https://jira.suse.com/browse/SLE-23476</a>
</li>
</ul>
</div>