SPIRE 1.4.3 and 1.3.5 have been released.


From: SPIFFE Announce
Date: Oct 5, 2022, 12:04:41 PM
To: SPIFFE Announce

Hello everyone,

SPIRE versions 1.4.3 and 1.3.5 are now available in response to a vulnerability discovered in the k8s-workload-registrar and the oidc-discovery-provider in certain operational modes. Specifically, the webhook implemented in the k8s-workload-registrar CRD mode and the ACME web server in the oidc-discovery-provider fail to set a minimum server TLS version, which leaves them open to insecure TLS 1.0 or 1.1 connections.

The new security releases set the minimum server TLS version for these components to TLS 1.2.

k8s-workload-registrar users that do not use the CRD mode are not impacted.

Similarly, oidc-discovery-provider users that do not use the built-in ACME support are also not impacted.
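To make the defect and the fix concrete, here is an added Go example (written for this page, not code from the SPIRE project) that places a server config with no minimum version beside one pinned to TLS 1.2, then performs in-memory handshakes against the hardened config with clients capped at TLS 1.0, 1.1 and 1.2. The certificate is a constructed throwaway and the function names are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a throwaway, constructed ECDSA certificate for the in-memory server.
func selfSignedCert() tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// Side by side: the defect (MinVersion unset, so Go's server-side default floor applies) and the fix.
func weakServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{cert}}
}
func hardenedServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}
}

// handshakeWith runs one handshake against srv over an in-memory pipe with a client capped at clientMax.
func handshakeWith(srv *tls.Config, clientMax uint16) (uint16, error) {
	srvConn, cliConn := net.Pipe()
	go func() {
		tls.Server(srvConn, srv).Handshake() // a version mismatch reaches the client as an alert
		srvConn.Close()
	}()
	// Legacy-style client: TLS 1.0 is enabled explicitly so that a 1.0/1.1 cap is really offered.
	cli := &tls.Config{InsecureSkipVerify: true, MinVersion: tls.VersionTLS10, MaxVersion: clientMax}
	conn := tls.Client(cliConn, cli)
	defer conn.Close()
	if err := conn.Handshake(); err != nil {
		return 0, err
	}
	return conn.ConnectionState().Version, nil
}
```

Whether the unpinned config actually accepts TLS 1.0 or 1.1 depends on the Go toolchain's default server floor, which is exactly why an explicit MinVersion is the reliable control.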

A big thanks to Szilard Vincze for reporting this!

Please visit the releases page to download the binary and source distributions:

Sincerely,
The SPIRE Team