Releases: spiffe/spire

v1.13.2

08 Oct 12:52
b888739

Security

  • Upgrade Go to 1.25.2 to address CVE-2025-58187, CVE-2025-61723, CVE-2025-47912, CVE-2025-58185, and CVE-2025-58188 (#6363)

v1.12.6

08 Oct 13:06
b00ff78

Security

  • Upgrade Go to 1.24.8 to address CVE-2025-58187, CVE-2025-61723, CVE-2025-47912, CVE-2025-58185, and CVE-2025-58188 (#6363)

v1.13.1

18 Sep 18:36
e5ff106

Added

  • aws_iid NodeAttestor can now verify that nodes belong to specified EKS clusters (#5969)
  • The server now supports configuring how long to cache attested node information, reducing node fetch dependency for RPCs (#6176)
  • aws_s3, gcp_cloudstorage, and k8s_configmap BundlePublisher plugins now support setting a refresh hint for the published bundle (#6276)

Changed

  • The "Subscribing to cache changes" log message from the DelegatedIdentity agent API is now logged at Debug level (#6255)
  • Integration tests now exercise currently supported Postgres versions (#6275)
  • Minor documentation improvements (#6280, #6293, #6296)

Fixed

  • spire-server entry delete CLI command now properly displays results when no failures are involved (#6176)

Security

  • Fixed agent name length validation in the http_challenge NodeAttestor plugin, to prevent issues with web servers that cannot handle very large URLs (#6324)

v1.12.5

18 Aug 18:03
81916a4

Security

  • Upgrade Go to 1.24.6 for GO-2025-3849 (#6250)

v1.13.0

15 Aug 18:40
c256da6

Added

  • Server configurable for periodically purging expired agents (#6152)
  • The experimental events-based cache now implements a full cache reload (#6151)
  • Support for automatic agent rebootstrap when the server CA goes invalid (#5892)

Changed

  • Default values for rebootstrapMode and rebootstrapDelay in SPIRE Agent (#6227)
  • "No identities issued" error log now includes the attested selectors (#6179)
  • Server configuration validation to verify agent_ttl compatibility with current ca_ttl (#6178)
  • Small documentation improvements (#6169)

Deprecated

  • retry_bootstrap experimental agent setting (#5906)

Fixed

  • Health checks and metrics initialization when retry_bootstrap is enabled (#6164)

Removed

  • The deprecated use_legacy_downstream_x509_ca_ttl server configurable (#5703)
  • The deprecated use_rego_v1 server configurable (#6219)

v1.12.4

01 Jul 21:39
2433513

Added

  • k8s_configmap BundlePublisher plugin (#6105, #6139)
  • UpstreamAuthority.SubscribeToLocalBundle RPC to stream updates in the local trust bundle (#6090)
  • Integration tests running on ARM64 platform (#6059)
  • The OIDC Discovery Provider can now read the trust bundle from a file (#6025)

Changed

  • The "Container id not found" log message in the k8s WorkloadAttestor has been lowered to Debug level (#6128)
  • Improvements in lookup performance for entries (#6100, #6034)
  • Agent no longer pulls the bundle from trust_bundle_url if it is not required (#6065)

Fixed

  • The subject_types_supported value in the discovery document is now properly populated by the OIDC Discovery Provider (#6126)
  • SPIRE Server gRPC servers are now gracefully stopped (#6076)

v1.12.3

17 Jun 21:39

Security

  • Fixed an issue in spire-agent where the WorkloadAPI.ValidateJWTSVID endpoint did not enforce the presence of the exp (expiration) claim in JWT-SVIDs, as required by the SPIFFE specification.
    This vulnerability has limited impact: by default, SPIRE does not issue JWT-SVIDs without an expiration claim. Exploitation would require federating with a misconfigured or non-compliant trust domain.
    Thanks to Edoardo Geraci for reporting this issue.

v1.11.3

17 Jun 20:49

Security

  • Fixed an issue in spire-agent where the WorkloadAPI.ValidateJWTSVID endpoint did not enforce the presence of the exp (expiration) claim in JWT-SVIDs, as required by the SPIFFE specification.
    This vulnerability has limited impact: by default, SPIRE does not issue JWT-SVIDs without an expiration claim. Exploitation would require federating with a misconfigured or non-compliant trust domain.
    Thanks to Edoardo Geraci for reporting this issue.
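The v1.12.3 and v1.11.3 entries above both fix the same gap: a JWT-SVID validator that accepts a token with no exp claim will treat it as valid forever. The following is an added illustration of that claims check, not SPIRE's own code: it decodes the payload of a compact-serialized JWT and rejects tokens whose exp claim is absent or already in the past. Signature verification against the trust bundle is assumed to have been performed by the caller beforehand (a hypothetical validation pipeline), and the tokens built by EncodePayload are constructed, unsigned samples for the demo only.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// ErrMissingExp is returned when the token carries no exp claim at all.
var ErrMissingExp = errors.New("jwt-svid: missing required exp claim")

// ErrExpired is returned when exp is present but not in the future.
var ErrExpired = errors.New("jwt-svid: token is expired")

// Claims is the subset of registered claims this check looks at.
// Exp is a pointer so that an absent claim is distinguishable from exp = 0.
type Claims struct {
	Sub string   `json:"sub"`
	Exp *float64 `json:"exp"`
}

// CheckExp decodes the payload segment of a compact JWT and enforces that the
// exp claim is present and still in the future relative to now. It does not
// verify the signature; that step is assumed to have already succeeded.
func CheckExp(token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("jwt-svid: malformed compact serialization")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("jwt-svid: bad payload encoding: %w", err)
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, fmt.Errorf("jwt-svid: bad payload JSON: %w", err)
	}
	// The core of the fix: a token without exp is rejected outright rather
	// than being treated as a token that never expires.
	if c.Exp == nil {
		return nil, ErrMissingExp
	}
	if !now.Before(time.Unix(int64(*c.Exp), 0)) {
		return nil, ErrExpired
	}
	return &c, nil
}

// EncodePayload builds a constructed, unsigned compact JWT ("alg":"none") from
// the given claims. It exists only to produce sample input for the demo.
func EncodePayload(claims map[string]any) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"none","typ":"JWT"}`))
	body, _ := json.Marshal(claims)
	return header + "." + base64.RawURLEncoding.EncodeToString(body) + "."
}

func main() {
	now := time.Unix(1700000000, 0) // fixed clock so the demo is deterministic
	samples := map[string]string{
		"no exp":  EncodePayload(map[string]any{"sub": "spiffe://example.org/workload"}),
		"valid":   EncodePayload(map[string]any{"sub": "spiffe://example.org/workload", "exp": 1700000300}),
		"expired": EncodePayload(map[string]any{"sub": "spiffe://example.org/workload", "exp": 1699999000}),
	}
	for name, tok := range samples {
		_, err := CheckExp(tok, now)
		fmt.Printf("%-8s -> %v\n", name, err)
	}
}
```

A pointer (or equivalent "present" flag) for exp is the detail that matters: decoding into a plain integer silently turns a missing claim into exp = 0, which some validators then skip as "unset" and others treat as expired, and neither behaviour is the explicit rejection the SPIFFE specification calls for.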

v1.12.2

19 May 17:21
a774de4

Fixed

  • Regression where PolicyCredentials set by CredentialComposer plugins were not correctly applied to CA certificates (#6074)

v1.12.1

07 May 15:40
162778a

Added

  • Support for Unix sockets in trust bundle URLs (#5932)
  • Documentation improvements and additions (#5989, #6012)

Changed

  • sql_transaction_timeout replaced by event_timeout and value reduced to 15 minutes (#5966)
  • Experimental events-based cache performance improvements by batch fetching updated entries (#5970)
  • Improved error messages when retrieving CGroups (#6030)

Fixed

  • Corrected invalid user-agent value in OIDC Discovery Provider debug logs (#5981)