Releases: spiffe/spire
v1.8.4
Security
- Updated to Go 1.21.4 to address CVE-2023-45283, CVE-2023-45284
v1.7.5
Security
- Updated to Go 1.20.11 to address CVE-2023-45283, CVE-2023-45284
v1.8.3
Added
- SPIRE Agent distributes sync requests to the SPIRE server to mitigate thundering herd situations (#4534)
- Allow configuring prefixes for all metrics (#4535)
- Documentation improvements (#4579, #4569)
Changed
- SPIRE Agent performs the initial sync more aggressively when tuned with a longer sync interval (#4479)
Fixed
v1.8.2
Security
- Updated to google.golang.org/grpc v1.58.3 and golang.org/x/net v0.17.0 to address CVE-2023-39325, CVE-2023-44487
v1.7.4
Security
- Updated to google.golang.org/grpc v1.58.3 and golang.org/x/net v0.17.0 to address CVE-2023-39325, CVE-2023-44487
v1.8.1
Security
- Updated to Go 1.21.3 to address CVE-2023-39325, CVE-2023-44487
v1.7.3
Security
- Updated to Go 1.20.10 to address CVE-2023-39325, CVE-2023-44487
v1.8.0
Added
- azure_key_vault KeyManager plugin (#4458)
- Server configuration to set refresh hint of local bundle (#4400)
- Support for batch entry deletion in spire-server CLI (#4371)
- aws_iid NodeAttestor can now be used in AWS Gov Cloud and China regions (#4427)
- status_code and status_message fields in SPIRE Agent logs on gRPC errors (#4262)
Changed
- Bundle server configuration is now organized by endpoint profiles (#4476)
- Release artifacts are now statically linked with musl rather than glibc (#4491)
- Agent no longer requests unused SVIDs for node aliases it belongs to, reducing server signing load (#4467)
- Entry IDs can now be optionally set by the client for BatchCreateEntry requests (#4477)
Fixed
- Concurrent workload attestation using systemd plugin (#4360)
- Bug in k8s WorkloadAttestor plugin that failed attestation in some scenarios (#4468)
- Server can now be run on Linux arm64 when using SQLite (#4491)
Removed
v1.7.2
Added
- aws_s3 BundlePublisher plugin (#4355)
- SPIRE Server bundle endpoint now includes bundle sequence number (#4389)
- Telemetry in experimental Agent LRU cache (#4335)
- Telemetry in Agent Delegated Identity API (#4399)
- Documentation improvements (#4336, #4407)
Fixed
- Server no longer unnecessarily activates its CA a second time on startup (#4368)
v1.7.1
Added
- x509pop node attestor emits a new selector with the leaf certificate serial number (#4216)
- HTTPS server in the OIDC Discovery Provider can now be configured to use a certificate file (#4190)
- Option to log source information in server and agent logs (#4246)
Changed
- Agent now has an exponential backoff strategy when syncing with the server (#4279)
Fixed
- Regression causing X509 CAs minted by an UpstreamAuthority plugin to be rejected if they have the digitalSignature key usage set (#4352)
- SPIRE Agent cache bug resulting in workloads receiving JWT-SVIDs with incomplete audience set (#4309)
- The spire-server agent show command to properly show the "Can re-attest" attribute (#4288)