{"affected":[{"ecosystem_specific":{"binaries":[{"rekor":"1.1.1-150400.4.9.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Module for Basesystem 15 SP4","name":"rekor","purl":"pkg:rpm/suse/rekor&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP4"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"1.1.1-150400.4.9.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"rekor":"1.1.1-150400.4.9.1"}]},"package":{"ecosystem":"openSUSE:Leap 15.4","name":"rekor","purl":"pkg:rpm/opensuse/rekor&distro=openSUSE%20Leap%2015.4"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"1.1.1-150400.4.9.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for rekor fixes the following issues:\n\nUpdated to version 1.1.1 (jsc#SLE-23476):\n\n  Functional Enhancements\n  - Refactor Trillian client with exported methods (#1454)\n  - Switch to official redis-go client (#1459)\n  - Remove replace in go.mod (#1444)\n  - Add Rekor OID info. (#1390)\n  Quality Enhancements\n  - remove legacy encrypted cosign key (#1446)\n  - swap cjson dependency (#1441)\n  - Update release readme (#1456)\n  Security fixes:\n  - CVE-2023-30551: Fixed a potential denial of service when processing \n    JAR META-INF files or .SIGN/.PKINFO files in APK files (bsc#1211210).\n\n- updated to rekor 1.1.0 (jsc#SLE-23476):\n  Functional Enhancements\n  - improve validation on intoto v0.0.2 type (#1351)\n  - add feature to limit HTTP request body length to process (#1334)\n  - add information about the file size limit (#1313)\n  - Add script to backfill Redis from Rekor (#1163)\n  - Feature: add search support for sha512 (#1142)\n  Quality Enhancements\n  - various fuzzing fixes\n  Bug Fixes\n  - remove goroutine usage from SearchLogQuery (#1407)\n  - drop log messages regarding attestation storage to debug (#1408)\n  - fix validation for proposed vs committed log entries for intoto v0.0.1 (#1309)\n  - fix: fix regex for multi-digit counts (#1321)\n  - return NotFound if treesize is 0 rather than calling trillian (#1311)\n  - enumerate slice to get sugared logs (#1312)\n  - put a reasonable size limit on ssh key reader (#1288)\n  - CLIENT: Fix Custom Host and Path Issue (#1306)\n  - do not persist local state if log is empty; fail consistency proofs from 0 size (#1290)\n  - correctly handle invalid or missing pki format (#1281)\n  - Add Verifier to get public key/cert and identities for entry type (#1210)\n  - fix goroutine leak in client; add insecure TLS option (#1238)\n  - Fix - Remove the force-recreate flag (#1179)\n  - trim whitespace around public keys before parsing (#1175)\n  - stop inserting envelope hash for intoto:0.0.2 types into index (#1171)\n  - Revert 'remove double encoding of payload and signature fields for intoto (#1150)' (#1158)\n  - remove double encoding of payload and signature fields for intoto (#1150)\n  - fix SearchLogQuery behavior to conform to openapi spec (#1145)\n  - Remove pem-certificate-chain from client (#1138)\n  - fix flag type for operator in search (#1136)\n  - use sigstore/community dep review (#1132)\n","id":"SUSE-SU-2023:2210-1","modified":"2023-05-16T08:45:59Z","published":"2023-05-16T08:45:59Z","references":[{"type":"ADVISORY","url":"https://www.suse.com/support/update/announcement/2023/suse-su-20232210-1/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1211210"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2023-30551"}],"related":["CVE-2023-30551"],"summary":"Security update for rekor","upstream":["CVE-2023-30551"]}