v2.3.3

@lsviben lsviben released this 22 Jun 12:08
fcf6aaa

🎉 Highlights

  • Fixed package signature verification TOCTOU (GHSA-mf7q-r4rv-jv94): a time-of-check-to-time-of-use flaw let a malicious OCI registry serve a correctly signed image when the signature was verified and a different, unsigned image when the package was installed, because Crossplane resolved the tag reference separately for each step. Crossplane now resolves a tag to a digest once and uses that same digest for both signature verification and the image pull, so the content that is verified is exactly the content that is installed. Only users who enable package signature verification, install packages by tag, and pull from registries they don't control were affected; installing by digest avoids the issue. Backported in #1038; reported independently by @bugbunny-research and @tonghuaroot.
    • Note that this fix ships in crossplane's v2.2 releases and crossplane-runtime's v2.3 releases, because the affected code moved from crossplane to crossplane-runtime during the v2.3 milestone.
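The following Go program is an added illustration of the flaw and the fix described above; it is not code from crossplane or crossplane-runtime and does not use their APIs. It models a malicious registry in memory (`Registry`, `Image`, `verifySignature`, the tag `registry.example/pkg:v1` and the image contents are all constructed for the example): each time a tag is resolved the registry hands out the next image queued under it, so `installVulnerable`, which resolves the tag once to verify and again to pull, ends up installing the swapped unsigned image, while `installPinned` resolves the tag to a digest exactly once and verifies and pulls that same digest. A reference that already carries `@sha256:...` skips resolution entirely, which is why installing by digest was never affected.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"strings"
)

// Image is a constructed stand-in for an OCI image; Signed models whether a valid signature exists for it.
type Image struct {
	Content string
	Signed  bool
}

func (i Image) Digest() string { return fmt.Sprintf("sha256:%x", sha256.Sum256([]byte(i.Content))) }

// Registry models a malicious registry: each resolution of a tag hands out the next image
// pushed under it, so two steps that resolve the same tag independently can receive
// different content. Fetching by digest is content-addressed and cannot be swapped.
type Registry struct {
	byTag    map[string][]Image
	byDigest map[string]Image
}

func NewRegistry() *Registry {
	return &Registry{byTag: map[string][]Image{}, byDigest: map[string]Image{}}
}

// Push queues img as the next answer for tag and indexes it by digest.
func (r *Registry) Push(tag string, img Image) {
	r.byTag[tag] = append(r.byTag[tag], img)
	r.byDigest[img.Digest()] = img
}

// ResolveTag returns the digest claimed for tag on this call and advances to the next
// queued image (the last one is served repeatedly); an unknown tag resolves to "".
func (r *Registry) ResolveTag(tag string) string {
	seq := r.byTag[tag]
	if len(seq) == 0 {
		return ""
	}
	if len(seq) > 1 {
		r.byTag[tag] = seq[1:]
	}
	return seq[0].Digest()
}

func (r *Registry) Fetch(digest string) (Image, error) {
	if img, ok := r.byDigest[digest]; ok {
		return img, nil
	}
	return Image{}, fmt.Errorf("unknown digest %q", digest)
}

func verifySignature(img Image) error { // stand-in for real signature verification
	if !img.Signed {
		return fmt.Errorf("no valid signature for %s", img.Digest())
	}
	return nil
}

// installVulnerable is the TOCTOU pattern: verification and installation each resolve
// the tag themselves, so the registry can swap the content in between.
func installVulnerable(r *Registry, tag string) (Image, error) {
	candidate, err := r.Fetch(r.ResolveTag(tag))
	if err != nil {
		return Image{}, err
	}
	if err := verifySignature(candidate); err != nil {
		return Image{}, err
	}
	return r.Fetch(r.ResolveTag(tag)) // resolved again: the registry may answer differently now
}

// installPinned is the fixed flow: resolve the reference to a digest once, then verify and
// pull that same digest. A "@sha256:..." reference needs no resolution at all, which is
// why installing by digest sidesteps the issue.
func installPinned(r *Registry, ref string) (Image, error) {
	_, d, pinned := strings.Cut(ref, "@")
	if !pinned {
		d = r.ResolveTag(ref)
	}
	img, err := r.Fetch(d)
	if err != nil {
		return Image{}, err
	}
	if err := verifySignature(img); err != nil {
		return Image{}, err
	}
	return img, nil // the digest that was verified is the digest that was pulled
}

func main() {
	reg := NewRegistry()
	reg.Push("registry.example/pkg:v1", Image{Content: "signed package contents", Signed: true})
	reg.Push("registry.example/pkg:v1", Image{Content: "swapped unsigned contents", Signed: false})
	fmt.Println(installVulnerable(reg, "registry.example/pkg:v1")) // installs the swapped, unsigned image
}
```

Run the same two pushes against `installPinned` and the signed image is installed, because the second image is never resolved; push only the unsigned image and `installPinned` refuses it. The registry here swaps content deterministically on the second resolution, which is the simplest way to make the race reproducible offline; a real registry would do the same thing on demand.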

What's Changed

  • Backport xpkg verification fix to release-2.3 by @adamwg in #1038
  • [release-2.3] fix(deps): bump k8schain to pick up moby module migration by @lsviben in #1040

Full Changelog: v2.3.2...v2.3.3