Spiffe

Latest version: v0.1.5

Page 14 of 18

0.12.3

Added

- The `k8s-workload-registrar` now supports federation (2160)
- The `k8s_bundle` notifier plugin can now keep API service CA bundles up to date (2193)
- SPIRE Server internal cache reload timing can now be tuned (experimental) (2169)

Changed

- Prometheus metrics that are emitted infrequently will no longer disappear after emission (2239)
- The `k8s-workload-registrar` now uses paging to support very large deployments of 10,000+ pods (2227)

Fixed

- Fixed a bug that sometimes caused newly attested agents to not receive their full set of selectors (2242)
- Fixed several bugs related to the handling of SPIRE Server API paging (2251)

0.12.2

Added

- Added `aws_kms` server KeyManager plugin that uses the AWS Key Management Service (KMS) (2066)
- Added `gcp_cas` UpstreamAuthority plugin that uses the Certificate Authority Service from Google Cloud Platform (2172)
- Improved error returned during attestation of agents (2159)
- The `aws_iid` NodeAttestor plugin now supports running in a location with no public internet access available for the server (2119)
- The `k8s` notifier can now rotate Admission Controller Webhook CA Bundles (2022)
- Rate limiting on X.509 signing and JWT signing can now be disabled (2142)
- Added uptime metrics in server and agent (2032)
- Calls to KeyManager plugins now time out at 30 seconds (2044)
- Added logging when lookup of user by uid or group by gid fails in the `unix` WorkloadAttestor plugin (2048)

Changed

- The `k8s` WorkloadAttestor plugin now emits selectors for both image and image ID (2116)
- HTTP readiness endpoint on agent now checks the health of the Workload API (2015, 2087)
- SDS API in agent now returns an error if an SDS client requests resource names that don't exist (2020)
- Bundle and k8s-workload-registrar endpoints now only accept clients using TLS v1.2+ (2025)

Fixed

- Registration entry update handling in CRD mode of the k8s-workload-registrar to prevent unnecessary issuance of new SVIDs (2155)
- Failure to update CA bundle due to improper MySQL isolation level for read-modify-write operations (2150)
- Regression preventing agent selectors from showing in `spire-server agent show` command (2133)
- Issue in the token authentication method of the Vault Upstream Authority plugin (2110)
- Reporting of errors in server entry cache telemetry (2091)
- Agent logs an error and automatically shuts down when its SVID has expired, and it requires re-attestation (2065)

0.12.1

Security

- Fixed CVE-2021-27098
- Fixed CVE-2021-27099
- Fixed file descriptor leak in peertracker

0.12.0

Added

- Debug endpoints (1792)
- Agent support for SDS v3 API (1906)
- Improved metrics handling (1885, 1925, 1932)
- Significantly improved performance related to performing agent authorization lookups (1859, 1896, 1943, 1944, 1956)
- Database indexes to attested node columns (1912)
- Support for configuring Vault roles, namespaces, and re-authentication to the Vault UpstreamAuthority plugin (1871, 1981)
- Support for non-renewable Vault tokens to the Vault UpstreamAuthority plugin (1965)
- Delete mode for federated bundles to the bundle API (1897)
- The CLI now reads JSON from STDIN for entry create/update commands (1905)
- Support for multiple CA bundle files in x509pop (1949)
- Added `ExpiresAt` to `entry show` output (1973)
- Added `k8s_psat:agent_node_ip` selector (1979)

Changed

- The agent now shuts down when it is no longer attested (1797)
- Internals now rely on new server APIs (1849, 1878, 1907, 1908, 1909, 1913, 1947, 1982, 1998, 2001)
- Workload API now returns a standardized JWKS object (1904)
- Log message casing and punctuation are more consistent with project guidelines (1950, 1952)

Deprecated

- The Registration and Node APIs are deprecated, and a warning is logged on use (1997)
- The `registration_api` configuration section is deprecated in favor of `server_api` in the k8s-workload-registrar (2001)

Removed

- Removed some superfluous or otherwise unusable metrics and labels (1881, 1946, 2004)

Fixed

- Fixed CLI exit codes when entry create or update fails (1990)
- Fixed a bug that could cause external plugins to become orphaned processes after agent/server shutdown (1962)
- Fixed handling of the Vault PKI certificate chain (2012, 2017)
- Fixed a bug that could cause some gRPC libraries to fail to connect to the server over HTTP/2 (1968)
- Fixed Registration API to validate selector syntax (1919)

Security

- JWT-SVIDs that fail validation are no longer logged (1953)

0.11.3

Security

- Fixed CVE-2021-27098
- Fixed CVE-2021-27099
- Fixed file descriptor leak in peertracker

0.11.2

What's New

- Error messages related to a specific class of software bugs are now rate limited (1901)

What's Changed

- Fixed an issue in the Upstream Authority plugin that could result in a delay in the propagation of bundle updates/changes (1917)
- Fixed error messages when attestation is disabled (1899)
- Fixed some incorrectly-formatted log messages (1920)

© 2025 Safety CLI Cybersecurity Inc. All Rights Reserved.