
v4.2.0



@jku jku released this 26 Jan 15:00
94818e4

This release fixes a minor security issue in OIDC authentication and a compatibility issue with Fulcio Signed Certificate Timestamps. All users are recommended to upgrade.

Fixed

  • Add state validation to the OIDC flow to prevent cross-site request forgery
    during OIDC authorization
    (GHSA-hm8f-75xx-w2vr)
  • Verification now ensures that the artifact digest recorded in the bundle matches the real digest
    (this is a bundle consistency check: the bundle signature was always verified over the real digest)
    (#1652)
  • Fix issue with Signed Certificate Timestamp parsing where extensions
    were not allowed by sigstore-python
    (#1657, #1659)
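The OIDC state check from the first item above, as an added example that is not sigstore-python's own code: the client generates an unguessable state for each authorization request, and the callback handler rejects any response whose echoed state is missing or does not match, so an attacker cannot splice their own authorization code into a victim's session. The issuer URL, client id and redirect URI are hypothetical values constructed for the example.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical issuer and client settings, constructed for this example.
AUTHORIZE_ENDPOINT = "https://issuer.example/auth"
CLIENT_ID = "example-client"
REDIRECT_URI = "http://localhost:8080/callback"


def build_authorization_request() -> tuple[str, str]:
    """Return (authorization URL, state).

    The state is a fresh random value bound to this one flow; the client
    must remember it and compare it against what the IdP echoes back.
    """
    state = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid email",
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}", state


def extract_code(redirect_url: str, expected_state: str) -> str:
    """Accept the authorization code only if the echoed state matches.

    A missing or mismatched state means the response was not produced for
    the request this client made (forged or replayed), so it is rejected.
    """
    query = parse_qs(urlparse(redirect_url).query)
    returned_state = query.get("state", [None])[0]
    code = query.get("code", [None])[0]
    if returned_state is None or code is None:
        raise ValueError("redirect is missing 'state' or 'code'")
    # Constant-time comparison avoids leaking the expected state via timing.
    if not hmac.compare_digest(returned_state, expected_state):
        raise ValueError("state mismatch: rejecting authorization response")
    return code


if __name__ == "__main__":
    url, state = build_authorization_request()
    print("send the user to:", url)
    # Simulated honest redirect from the IdP (constructed input).
    honest = f"{REDIRECT_URI}?code=abc123&state={state}"
    print("accepted code:", extract_code(honest, state))
```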

Changed

  • Update supported public key algorithms
    (#1604)
  • trust: Update embedded TUF root
    (#1589)

Removed

  • Removed support for Python 3.9 as it is end-of-life
    (#1645)
  • Removed unused nonce in OAuth flow
    (#1649)