ostree v2022.5 and ostree-ext 0.8.1
- From: "Colin Walters" <walters verbum org>
- To: ostree-list <ostree-list gnome org>
- Subject: ostree v2022.5 and ostree-ext 0.8.1
- Date: Mon, 25 Jul 2022 14:37:27 -0400
https://github.com/ostreedev/ostree/releases/tag/v2022.5
This release fixes a denial of service security issue:
https://github.com/ostreedev/ostree/security/advisories/GHSA-gqf4-p3gv-g8vw
The core fix is in `sign/ed25519: Verify signatures are minimum length` in
83e6357186be11fb8f2a6b66fab3730c44ee59dd, which should be an easily backportable commit. (There are some
further changes to add test coverage for this that can be ignored.)
This only affects builds that use libsodium; it is however remotely reachable (assuming that the client is
talking to a compromised server; ordinarily exploiting this would require that or breaking TLS/https).
Thanks to @DemiMarie for the report!
Additional highlights are:
* Greatly improved performance for `ostree prune` on large repositories
* Support for in-place kargs changes
Thanks to everyone who contributed!
https://crates.io/crates/ostree-ext/0.8.1
This (along with the 0.8.0 release which I forgot to mention here) has changed the exported container stream
model; for more information on this, see https://github.com/ostreedev/ostree-rs-ext/pull/331
If you're using the container support, you should upgrade. As of right now, the new code still understands
the "v0" format; https://github.com/ostreedev/ostree-rs-ext/issues/332 tracks dropping that.