🎉 Highlights
- Fixed package signature verification TOCTOU (GHSA-mf7q-r4rv-jv94): A time-of-check-to-time-of-use flaw would let a malicious OCI registry serve a correctly signed image for verification and then an unsigned image for installation, because Crossplane resolved tag references separately for each step. Crossplane now resolves a tag to a digest once and uses that same digest for both signature verification and the image pull, so the content that is verified is exactly the content that is installed. This affected only users who enable package signature verification, install packages by tag, and pull from registries they don't control. Installing by digest would avoid this issue. Backported in #1038, and reported independently by @bugbunny-research and @tonghuaroot.
- Note this fix appears in crossplane for v2.2 and crossplane-runtime for v2.3 because the affected code was moved from crossplane to crossplane-runtime during the v2.3 milestone.
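The difference between the old and the new behaviour, as an added example that is not crossplane's or crossplane-runtime's code: a constructed registry model (`registry`, `hostile`, `vulnerableInstall`, `fixedInstall` are all names assumed here) answers the first lookup of a tag with a signed digest and every later lookup with an unsigned one, and only the resolve-once variant installs the content it verified.

```go
package main

import (
	"crypto/sha256"
	"fmt"
)

// Constructed model (not crossplane's code) of a registry that moves a tag to a different digest after the first lookup.
type registry struct {
	content map[string][]byte // digest -> package bytes
	signed  map[string]bool   // digests that carry a valid signature
	current string            // digest the tag points at right now
	swapped string            // digest the tag will point at after the first lookup
}
func digestOf(b []byte) string { return fmt.Sprintf("sha256:%x", sha256.Sum256(b)) }
// hostile signs only signedPkg, serves it on the first lookup, then moves the tag to unsignedPkg.
func hostile(signedPkg, unsignedPkg []byte) *registry {
	g, b := digestOf(signedPkg), digestOf(unsignedPkg)
	return &registry{content: map[string][]byte{g: signedPkg, b: unsignedPkg},
		signed: map[string]bool{g: true}, current: g, swapped: b}
}
func (r *registry) resolve(tag string) string {
	d := r.current
	r.current = r.swapped // every lookup after the first sees the swapped digest
	return d
}

// vulnerableInstall resolves the tag separately for the check and for the pull (the pre-fix pattern).
func vulnerableInstall(r *registry, tag string) ([]byte, error) {
	if !r.signed[r.resolve(tag)] {
		return nil, fmt.Errorf("signature verification failed for %s", tag)
	}
	return r.content[r.resolve(tag)], nil // second resolve may return an unverified digest
}

// fixedInstall pins the tag to one digest and uses that digest for both steps (the fixed pattern).
func fixedInstall(r *registry, tag string) ([]byte, error) {
	d := r.resolve(tag)
	if !r.signed[d] {
		return nil, fmt.Errorf("signature verification failed for %s@%s", tag, d)
	}
	return r.content[d], nil
}

func main() {
	good, bad := []byte("signed package"), []byte("unsigned package")
	v, _ := vulnerableInstall(hostile(good, bad), "latest")
	f, _ := fixedInstall(hostile(good, bad), "latest")
	fmt.Printf("vulnerable installed %q; fixed installed %q\n", v, f)
}
```

Pinning by digest at the call site (installing by digest rather than by tag) removes the second resolution entirely, which is why the advisory names it as a workaround.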
What's Changed
- Backport xpkg verification fix to release-2.3 by @adamwg in #1038
- [release-2.3] fix(deps): bump k8schain to pick up moby module migration by @lsviben in #1040
Full Changelog: v2.3.2...v2.3.3