- Updated to Go 1.18.8 to address CVE-2022-41716. This vulnerability only affects users configuring external Server or Agent plugins on Windows.
1.3.5
Security
- Updated minimum TLS version to 1.2 for the k8s-workload-registrar CRD mode webhook and the oidc-discovery-provider when using ACME
1.3.4
Security
- Updated to Go 1.18.6 to address CVE-2022-27664
1.3.3
Security
- Updated to Go 1.18.4 to address CVE-2022-1705, CVE-2022-32148, CVE-2022-30631, CVE-2022-30633, CVE-2022-28131, CVE-2022-30635, CVE-2022-30632, CVE-2022-30630, and CVE-2022-1962.
1.3.2
Added
- Support for K8s workload attestation when the Kubelet is run as a standalone component (3163)
- Optional health check endpoints to the OIDC Discovery Provider (3151)
- Pagination support to the server `entry show` command (3135)
Fixed
- A regression in workload SVID minting that caused DNS names not to be set in the SVID (3215)
- A regression in the server that caused a panic instead of a clean shutdown if a plugin was misconfigured (3166)
Changed
- Directories for UDS endpoints are no longer created by SPIRE on Windows (3192)
1.3.1
Added
- The `windows` workload attestor gained a new `sha256` selector that can attest the SHA256 digest of the workload binary (3100)
Fixed
- Database rows related to registration entries are now properly removed (3127, 3132)
- Agent reduces bandwidth use by requesting only required information when syncing with the server (3123)
- Issue with read-modify-write operations when using PostgreSQL datastore in hot standby mode (3103)
Changed
- FetchX509Bundles RPC no longer sends spurious updates that contain no changes (3102)
- SPIRE now warns if an external plugin attempts to override the built-in `join_token` node attestor (3045)
- Database connections are now proactively closed when SPIRE server is shut down (3047)