- Updated to Go 1.21.9 to address CVE-2023-45288

- Limit the preallocation of memory when making paginated requests to the ListEntries and ListAgents RPCs - Bump to v1.9.3 - Update CHANGELOG Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
Use cosign v2.2.3 (#5015 )
2024-04-04 17:42:49 -03:00 · 2024-03-25 14:40:26 -06:00 · 2024-03-25 12:27:55 -06:00
10 changed files with 55 additions and 29 deletions
--- a/.github/workflows/nightly_build.yaml
+++ b/.github/workflows/nightly_build.yaml
@ -17,16 +17,13 @@ jobs:
      id-token: write
      packages: write

-    env:
-      COSIGN_EXPERIMENTAL: 1
-
    steps:
      - name: Checkout
        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
      - name: Install cosign
        uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
        with:
-          cosign-release: v1.13.1
+          cosign-release: v2.2.3
      - name: Install regctl
        uses: regclient/actions/regctl-installer@b6614f5f56245066b533343a85f4109bdc38c8cc # main
      - name: Build images
--- a/.github/workflows/pr_build.yaml
+++ b/.github/workflows/pr_build.yaml
@ -3,7 +3,7 @@ on:
  pull_request: {}
  workflow_dispatch: {}
 env:
-  GO_VERSION: 1.21.8
+  GO_VERSION: 1.21.9
 permissions:
  contents: read

--- a/.github/workflows/release_build.yaml
+++ b/.github/workflows/release_build.yaml
@ -4,7 +4,7 @@ on:
    tags:
      - 'v[0-9].[0-9]+.[0-9]+'
 env:
-  GO_VERSION: 1.21.8
+  GO_VERSION: 1.21.9
 jobs:
  cache-deps:
    name: cache-deps (linux)
@ -587,16 +587,13 @@ jobs:
      id-token: write
      packages: write

-    env:
-      COSIGN_EXPERIMENTAL: 1
-
    steps:
      - name: Checkout
        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
      - name: Install cosign
        uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
        with:
-          cosign-release: v1.13.1
+          cosign-release: v2.2.3
      - name: Install regctl
        uses: regclient/actions/regctl-installer@b6614f5f56245066b533343a85f4109bdc38c8cc # main
      - name: Download archived images
--- a/.github/workflows/scripts/push-images.sh
+++ b/.github/workflows/scripts/push-images.sh
@ -68,5 +68,5 @@ for img in "${OCI_IMAGES[@]}"; do

  image_digest="$(jq -r '.manifests[0].digest' "${ROOTDIR}oci/${img}/index.json")"

-  cosign sign "${registry}/${img}@${image_digest}"
+  cosign sign -y "${registry}/${img}@${image_digest}"
 done
--- a/.go-version
+++ b/.go-version
@ -1 +1 @@
-1.21.8
+1.21.9
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,5 +1,22 @@
 # Changelog

+## [1.9.3] - 2024-04-03
+
+### Security
+
+- Updated to Go 1.21.9 to address CVE-2023-45288
+- Limit the preallocation of memory when making paginated requests to the ListEntries and ListAgents RPCs
+
+## [1.9.2] - 2024-03-25
+
+### Added
+
+- Support for AWS IAM-based authentication with AWS RDS backed databases (#4828)
+- Support for adjusting the SPIRE Server log level at runtime (#4880)
+- New `retry_bootstrap` option to SPIRE Agent to retry failed bootstrapping with SPIRE Server, with a backoff, in lieu of failing the startup process (#4597)
+- Improved logging (#4902, #4906)
+- Documentation improvements (#4895, #4951, #4907)
+
 ## [1.9.1] - 2024-03-05

 ### Security
@ -42,6 +59,13 @@

 - X509-SVIDs issued by the server no longer have the x509UniqueIdentifier attribute as part of the subject (#4862)

+## [1.8.9] - 2024-04-03
+
+### Security
+
+- Updated to Go 1.21.9 to address CVE-2023-45288
+- Limit the preallocation of memory when making paginated requests to the ListEntries and ListAgents RPCs
+
 ## [1.8.8] - 2024-03-05

 ### Security
--- a/pkg/common/version/version.go
+++ b/pkg/common/version/version.go
@ -8,7 +8,7 @@ const (
 	// IMPORTANT: When updating, make sure to reconcile the versions list that
 	// is part of the upgrade integration test. See
 	// test/integration/suites/upgrade/README.md for details.
-	Base = "1.9.2"
+	Base = "1.9.3"
 )

 var (
--- a/pkg/server/datastore/sqlstore/migration.go
+++ b/pkg/server/datastore/sqlstore/migration.go
@ -216,10 +216,16 @@ import (
 // | v1.8.7  |        |                                                                           |
 // |---------|        |                                                                           |
 // | v1.8.8  |        |                                                                           |
+// |---------|        |                                                                           |
+// | v1.8.9  |        |                                                                           |
 // |*********|********|***************************************************************************|
 // | v1.9.0  |        |                                                                           |
 // |---------|        |                                                                           |
 // | v1.9.1  |        |                                                                           |
+// |---------|        |                                                                           |
+// | v1.9.2  |        |                                                                           |
+// |---------|        |                                                                           |
+// | v1.9.3  |        |                                                                           |
 // ================================================================================================

 const (
--- a/pkg/server/datastore/sqlstore/sqlstore.go
+++ b/pkg/server/datastore/sqlstore/sqlstore.go
@ -64,6 +64,9 @@ const (

 	// PostgreSQL database type provided by an AWS service
 	AWSPostgreSQL = "aws_postgres"
+
+	// Maximum size for preallocation in a paginated request
+	maxResultPreallocation = 1000
 )

 // Configuration for the sql datastore implementation.
@ -1691,13 +1694,7 @@ func listAttestedNodesOnce(ctx context.Context, db *sqlDB, req *datastore.ListAt
 	}
 	defer rows.Close()

-	var nodes []*common.AttestedNode
-	if req.Pagination != nil {
-		nodes = make([]*common.AttestedNode, 0, req.Pagination.PageSize)
-	} else {
-		nodes = make([]*common.AttestedNode, 0, 64)
-	}
-
+	nodes := make([]*common.AttestedNode, 0, calculateResultPreallocation(req.Pagination))
 	pushNode := func(node *common.AttestedNode) {
 		if node != nil && node.SpiffeId != "" {
 			nodes = append(nodes, node)
@ -2758,15 +2755,7 @@ func listRegistrationEntriesOnce(ctx context.Context, db queryContext, databaseT
 	}
 	defer rows.Close()

-	var entries []*common.RegistrationEntry
-	if req.Pagination != nil {
-		entries = make([]*common.RegistrationEntry, 0, req.Pagination.PageSize)
-	} else {
-		// start the slice off with a little capacity to avoid the first few
-		// reallocations
-		entries = make([]*common.RegistrationEntry, 0, 64)
-	}
-
+	entries := make([]*common.RegistrationEntry, 0, calculateResultPreallocation(req.Pagination))
 	pushEntry := func(entry *common.RegistrationEntry) {
 		// Due to previous bugs (i.e. #1191), there can be cruft rows related
 		// to a deleted registration entries that are fetched with the list
@ -4645,3 +4634,14 @@ func isPostgresDbType(dbType string) bool {
 func isSQLiteDbType(dbType string) bool {
 	return dbType == SQLite
 }
+
+func calculateResultPreallocation(pagination *datastore.Pagination) int32 {
+	switch {
+	case pagination == nil:
+		return 64
+	case pagination.PageSize < maxResultPreallocation:
+		return pagination.PageSize
+	default:
+		return maxResultPreallocation
+	}
+}
--- a/test/integration/suites/upgrade/versions.txt
+++ b/test/integration/suites/upgrade/versions.txt
@ -7,5 +7,7 @@
 1.8.6
 1.8.7
 1.8.8
+1.8.9
 1.9.0
 1.9.1
+1.9.2
 @ -1 +1 @@
 .21.8
 .21.9