Releases: spiffe/spire
v1.13.2
v1.12.6
v1.13.1
Added
- `aws_iid` NodeAttestor can now verify that nodes belong to specified EKS clusters (#5969)
- The server now supports configuring how long to cache attested node information, reducing node fetch dependency for RPCs (#6176)
- `aws_s3`, `gcp_cloudstorage`, and `k8s_configmap` BundlePublisher plugins now support setting a refresh hint for the published bundle (#6276)
Changed
- The "Subscribing to cache changes" log message from the DelegatedIdentity agent API is now logged at Debug level (#6255)
- Integration tests now exercise currently supported Postgres versions (#6275)
- Minor documentation improvements (#6280, #6293, #6296)
Fixed
- `spire-server entry delete` CLI command now properly displays results when no failures are involved (#6176)
Security
- Fixed agent name length validation in the `http_challenge` NodeAttestor plugin, to prevent issues with web servers that cannot handle very large URLs (#6324)
v1.12.5
v1.13.0
Added:
- Server configurable for periodically purging expired agents (#6152)
- The experimental events-based cache now implements a full cache reload (#6151)
- Support for automatic agent rebootstrap when the server CA goes invalid (#5892)
Changed:
- Default values for `rebootstrapMode` and `rebootstrapDelay` in SPIRE Agent (#6227)
- "No identities issued" error log now includes the attested selectors (#6179)
- Server configuration validation to verify `agent_ttl` compatibility with current `ca_ttl` (#6178)
- Small documentation improvements (#6169)
Deprecated:
- `retry_bootstrap` experimental agent setting (#5906)
Fixed:
- Health checks and metrics initialization when `retry_bootstrap` is enabled (#6164)
Removed:
v1.12.4
Added
- `k8s_configmap` BundlePublisher plugin (#6105, #6139)
- UpstreamAuthority.SubscribeToLocalBundle RPC to stream updates in the local trust bundle (#6090)
- Integration tests running on ARM64 platform (#6059)
- The OIDC Discovery Provider can now read the trust bundle from a file (#6025)
Changed
- The "Container id not found" log message in the `k8s` WorkloadAttestor has been lowered to Debug level (#6128)
- Improvements in lookup performance for entries (#6100, #6034)
- Agent no longer pulls the bundle from `trust_bundle_url` if it is not required (#6065)
Fixed
v1.12.3
Security
- Fixed an issue in spire-agent where the WorkloadAPI.ValidateJWTSVID endpoint did not enforce the presence of the exp (expiration) claim in JWT-SVIDs, as required by the SPIFFE specification.
This vulnerability has limited impact: by default, SPIRE does not issue JWT-SVIDs without an expiration claim. Exploitation would require federating with a misconfigured or non-compliant trust domain.
Thanks to Edoardo Geraci for reporting this issue.
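The check this fix enforces, as an added example that is not SPIRE's own code: a standard-library Go routine that decodes a compact JWT's payload and refuses a JWT-SVID whose `exp` claim is absent, as well as one already past it. `checkExp`, `encodeToken` and the sample claims are constructed for illustration, and signature verification is assumed to be handled separately.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

var ErrMissingExp = errors.New("jwt-svid: required exp claim is absent")

// claims: Exp is a pointer so an absent claim (nil) differs from a literal 0.
type claims struct {
	Sub string `json:"sub"`
	Exp *int64 `json:"exp"`
}

// checkExp decodes a compact JWT's payload and enforces the SPIFFE rule that exp
// is present, then rejects expired tokens. Signature checking is assumed elsewhere.
func checkExp(token string, now time.Time) (*claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("jwt-svid: malformed compact token")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if c.Exp == nil {
		return nil, ErrMissingExp // the unchecked case the advisory describes
	}
	if !now.Before(time.Unix(*c.Exp, 0)) {
		return nil, errors.New("jwt-svid: token has expired")
	}
	return &c, nil
}

// encodeToken builds a constructed, unsigned compact token; ".sig" is a placeholder.
func encodeToken(payload map[string]any) string {
	hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"ES256","typ":"JWT"}`))
	body, _ := json.Marshal(payload)
	return hdr + "." + base64.RawURLEncoding.EncodeToString(body) + ".sig"
}
```

A token carrying `"exp": null` decodes to a nil pointer and is rejected the same way as one with no `exp` member at all.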
v1.11.3
Security
- Fixed an issue in spire-agent where the WorkloadAPI.ValidateJWTSVID endpoint did not enforce the presence of the exp (expiration) claim in JWT-SVIDs, as required by the SPIFFE specification.
This vulnerability has limited impact: by default, SPIRE does not issue JWT-SVIDs without an expiration claim. Exploitation would require federating with a misconfigured or non-compliant trust domain.
Thanks to Edoardo Geraci for reporting this issue.
v1.12.2
v1.12.1
Added
- Support for Unix sockets in trust bundle URLs (#5932)
- Documentation improvements and additions (#5989, #6012)
Changed
- `sql_transaction_timeout` replaced by `event_timeout` and value reduced to 15 minutes (#5966)
- Experimental events-based cache performance improvements by batch fetching updated entries (#5970)
- Improved error messages when retrieving CGroups (#6030)
Fixed
- Corrected invalid `user-agent` value in OIDC Discovery Provider debug logs (#5981)