Tags: andrewl3wis/spire

v1.13.3

Added:
- X.509 CA metric with absolute expiration time in addition to TTL-based metric (spiffe#6303)
- `spire-agent` configuration to source join tokens from files to support integration with third-party credential providers (spiffe#6330)
- Capability to filter on caller path in `spire-server` Rego authorization policies (spiffe#6320)

Changed:
- `spire-server` will use the SHA-256 algorithm for X.509-SVID Subject Key Identifiers when the `GODEBUG` environment variable contains `fips140=only` (spiffe#6294)
- Attested node entries are now purged at a fixed interval with jitter (spiffe#6315)
- `oidc-discovery-provider` now fails to initialize when started with unrecognized arguments (spiffe#6297)

Fixed:
- Documentation fixes (spiffe#6309, spiffe#6323, spiffe#6377)

v1.13.2

Security

- Upgrade Go to 1.25.2 to address CVE-2025-58187, CVE-2025-61723, CVE-2025-47912, CVE-2025-58185, and CVE-2025-58188 (spiffe#6363)

v1.12.6

Security

- Upgrade Go to 1.25.2 to address CVE-2025-58187, CVE-2025-61723, CVE-2025-47912, CVE-2025-58185, and CVE-2025-58188 (spiffe#6363)

v1.13.1

Added:
- `aws_iid` NodeAttestor can now verify that nodes belong to specified EKS clusters (spiffe#5969)
- The server now supports configuring how long to cache attested node information, reducing node fetch dependency for RPCs (spiffe#6176)
- `aws_s3`, `gcp_cloudstorage`, and `k8s_configmap` BundlePublisher plugins now support setting a refresh hint for the published bundle (spiffe#6276)

Changed:
- The "Subscribing to cache changes" log message from the DelegatedIdentity agent API is now logged at Debug level (spiffe#6255)
- Integration tests now exercise currently supported Postgres versions (spiffe#6275)
- Minor documentation improvements (spiffe#6280, spiffe#6293, spiffe#6296)

Fixed:
- `spire-server entry delete` CLI command now properly displays results when no failures are involved (spiffe#6176)

Security:
- Fixed agent name length validation in the `http_challenge` NodeAttestor plugin, to prevent issues with web servers that cannot handle very large URLs (spiffe#6324)

v1.12.5

Security
- Upgrade Go to 1.24.6 for GO-2025-3849 (spiffe#6250)

v1.13.0

Added:
- Server configurable for periodically purging expired agents (spiffe#6152)
- The experimental events-based cache now implements a full cache reload (spiffe#6151)
- Support for automatic agent rebootstrap when the server CA goes invalid (spiffe#5892)

Changed:
- Default values for `rebootstrapMode` and `rebootstrapDelay` in SPIRE Agent (spiffe#6227)
- "No identities issued" error log now includes the attested selectors (spiffe#6179)
- Server configuration validation to verify `agent_ttl` compatibility with current `ca_ttl` (spiffe#6178)
- Small documentation improvements (spiffe#6169)

Deprecated:
- `retry_bootstrap` experimental agent setting (spiffe#5906)

Fixed:
- Health checks and metrics initialization when `retry_bootstrap` is enabled (spiffe#6164)

Removed:
- The deprecated `use_legacy_downstream_x509_ca_ttl` server configurable (spiffe#5703)
- The deprecated `use_rego_v1` server configurable (spiffe#6219)

v1.12.4

Added

- `k8s_configmap` BundlePublisher plugin (spiffe#6105, spiffe#6139)
- UpstreamAuthority.SubscribeToLocalBundle RPC to stream updates in the local trust bundle (spiffe#6090)
- Integration tests running on ARM64 platform (spiffe#6059)
- The OIDC Discovery Provider can now read the trust bundle from a file (spiffe#6025)

Changed

- The "Container id not found" log message in the `k8s` WorkloadAttestor has been lowered to Debug level (spiffe#6128)
- Improvements in lookup performance for entries (spiffe#6100, spiffe#6034)
- Agent no longer pulls the bundle from `trust_bundle_url` if it is not required (spiffe#6065)

Fixed

- The `subject_types_supported` value in the discovery document is now properly populated by the OIDC Discovery Provider (spiffe#6126)
- SPIRE Server gRPC servers are now gracefully stopped (spiffe#6076)

v1.12.3

Security

- Fixed an issue in spire-agent where the WorkloadAPI.ValidateJWTSVID endpoint did not enforce the presence of the exp (expiration) claim in JWT-SVIDs, as required by the SPIFFE specification.
  This vulnerability has limited impact: by default, SPIRE does not issue JWT-SVIDs without an expiration claim. Exploitation would require federating with a misconfigured or non-compliant trust domain.
  Thanks to Edoardo Geraci for reporting this issue.

v1.11.3

Security

- Fixed an issue in spire-agent where the WorkloadAPI.ValidateJWTSVID endpoint did not enforce the presence of the exp (expiration) claim in JWT-SVIDs, as required by the SPIFFE specification.
  This vulnerability has limited impact: by default, SPIRE does not issue JWT-SVIDs without an expiration claim. Exploitation would require federating with a misconfigured or non-compliant trust domain.
  Thanks to Edoardo Geraci for reporting this issue.

v1.12.2

Fixed
- Regression where PolicyCredentials set by CredentialComposer plugins were not correctly applied to CA certificates (spiffe#6074)