Hi all,

A new release 5.3 is available. A big thanks to all contributors:
David Hotham, Diogo Silva, Felix Moessbauer, Jan Kiszka, Jose Quaresma,
Khem Raj, Yasushi SHOJI

Note that this release is addressing two security issues potentially
affecting the integrity checks of upstream repositories. Please see the
related security advisories [1][2] for further details about what went
wrong and if you are affected. We consider both issues low in
criticality, though, because additional conditions have to be met.

Before you ask: Both were not AI reports, but an AI report induced them
by looking from different angles at the code and then trying to find
exploits for one issue, triggering the classic discovery of the second.

Highlights in 5.3
- kas: git: Avoid checking out sha-like branches as commits (CVE-2026-47191)
- kas: verify signatures prior to checkout (CVE-2026-47192)
- kas: strip credentials from attestation also if token is used
- kas: ensure _source_dir is only set from main config file
- kas: ensure git-clone path is not processed as option
- kas: drop never-correctly-supported absolute include path handling
- kas: limit include path traversals to repository
- kas: Warn about repos with branches but without commit or lock file
- kas: create a CACHEDIR.TAG in the kas build directory
- kas: add Arch Linux to supported distros for locale settings
- kas: schema: switch default distro to nodistro
- kas: schema: enforce signer config constraints via schema
- kas: dump: Use 2 spaces as indentation in generated yaml
- kas: Properly convert error list to string prior to output
- kas: improve printing of os version
- kas-container: do not construct image name if providing KAS_CONTAINER_IMAGE
- kas-container: Fix podman detection
- kas-container: do not process locale aliases
- kas-container: query system docker path in isar mode, not assuming it
- docs: Document a simpler way to disable layers in a repo
- docs: Clarify environment variable handling
- release: Publish both source and wheel to PyPI

Thanks,
Jan

https://github.com/siemens/kas/releases/tag/5.3
(41ad9612c8d56d0915d1c6f753d02eb23f9d6bca)

https://github.com/orgs/siemens/packages/container/package/kas%2Fkas
(ghcr.io/siemens/kas/kas:5.3@sha256:6645532ffd83ede1bc7c372cc652f0557945298ab1b88cf4c5d28bc861c43a56)

https://github.com/orgs/siemens/packages/container/package/kas%2Fkas-isar
(ghcr.io/siemens/kas/kas-isar:5.3@sha256:bd7d0beb6e02809a3b67a1c7c17c2891ce959b4c864fa768a130cc74ea0c5f32)

David Hotham (1):
      scripts: Publish both source and wheel

Diogo Silva (1):
      kas-container: Fix podman detection

Felix Moessbauer (20):
      kas: improve printing of os version
      diff: use correct spelling of kas
      kas-container: add diff subcommand to usage
      create a CACHEDIR.TAG in the kas build directory
      add test for CACHEDIR.TAG creation in build dir
      kas-container: query system docker path on isar mode
      kas-container: do not construct image name if provided explicitly
      kas-container: do not process locale aliases
      fix(attestation): strip credentials also if token is used
      test(attestation): check stripping of various kinds of credentials
      includehandler: ensure _source_dir is only set from main config file
      test: check _source_dir rejection in additional config files
      repos(git-clone): ensure path is not processed as option
      includehandler: drop incorrect check for absolute path
      includehandler: limit path traversals to repository
      test: add check for path traversal guards of includehandler
      schema: enforce signer config constraints via schema
      test: add check for signers schema constraints
      repos: verify signatures prior to checkout
      keyhandler: cache gpg keys across invocations

Jan Kiszka (11):
      repos: Warn about repos with branches but without commit or lock file
      tests: Check if branch without commit warning works
      dump: Use 2 spaces as indention in generated yaml
      ci: Update actions
      examples: Document a simpler way to disable layers in a repo
      Dockerfile: Account for (first) dependency changes in forky
      libkas: Properly convert error list to string prior to output
      plugins/clean: Drop redundant parameters for ConfigFile.load
      repos: git: Avoid checking out sha-like branches as commits
      tests: Add checkout of sha-like branch and tag
      Release 5.3

Jose Quaresma (1):
      schema: switch default distro to nodistro

Khem Raj (1):
      context: add Arch Linux to debian/ubuntu/gentoo locale group

Yasushi SHOJI (1):
      docs: command-line: Clarify environment variable handling

[1] https://github.com/siemens/kas/security/advisories/GHSA-qjwp-hrq6-r26r
[2] https://github.com/siemens/kas/security/advisories/GHSA-4vqc-wpwg-vh7j

--
Siemens AG, Foundational Technologies
Linux Expert Center