Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package cmctl for openSUSE:Factory checked in at 2022-11-22 16:09:59 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/cmctl (Old) and /work/SRC/openSUSE:Factory/.cmctl.new.1597 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cmctl" Tue Nov 22 16:09:59 2022 rev:8 rq:1037127 version:1.10.1 Changes: -------- 
--- /work/SRC/openSUSE:Factory/cmctl/cmctl.changes 2022-10-18 12:45:54.061846834 +0200 
+++ /work/SRC/openSUSE:Factory/.cmctl.new.1597/cmctl.changes 2022-11-22 16:10:08.518017513 +0100 
@@ -1,0 +2,9 @@ 
+Mon Nov 21 14:38:43 UTC 2022 - ka...@b1-systems.de 
+ 
+- Update to version 1.10.1: 
+ * Fix typos in explanatory comment 
+ * Always initialize tlsClientConfig if the default is nil 
+ * Use RenegotiateOnceAsClient and explain why 
+ * bump to latest go minor version to fix vulns 
+ 
+------------------------------------------------------------------- 
Old: ---- cert-manager-1.10.0.tar.gz New: ---- cert-manager-1.10.1.tar.gz 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ 
++++++ cmctl.spec ++++++ 
--- /var/tmp/diff_new_pack.f0h4u9/_old 2022-11-22 16:10:09.646023236 +0100 
+++ /var/tmp/diff_new_pack.f0h4u9/_new 2022-11-22 16:10:09.650023256 +0100 
@@ -21,7 +21,7 @@
 %define archive_name cert-manager
 Name: cmctl 
-Version: 1.10.0 
+Version: 1.10.1
 Release: 0
 Summary: CLI tool that can help you to manage cert-manager resources inside your cluster
 License: Apache-2.0 
++++++ _service ++++++ 
--- /var/tmp/diff_new_pack.f0h4u9/_old 2022-11-22 16:10:09.690023459 +0100 
+++ /var/tmp/diff_new_pack.f0h4u9/_new 2022-11-22 16:10:09.694023479 +0100 
@@ -3,7 +3,7 @@
 <param name="url">https://github.com/cert-manager/cert-manager</param>
 <param name="scm">git</param>
 <param name="exclude">.git</param> 
- <param name="revision">v1.10.0</param> 
+ <param name="revision">v1.10.1</param>
 <param name="versionformat">@PARENT_TAG@</param>
 <param name="changesgenerate">enable</param>
 <param name="versionrewrite-pattern">v(.*)</param> 
@@ -16,7 +16,7 @@
 <param name="compression">gz</param>
 </service>
 <service name="go_modules" mode="disabled"> 
- <param name="archive">cert-manager-1.10.0.tar.gz</param> 
+ <param name="archive">cert-manager-1.10.1.tar.gz</param>
 </service>
 </services> 
++++++ _servicedata ++++++ 
--- /var/tmp/diff_new_pack.f0h4u9/_old 2022-11-22 16:10:09.722023621 +0100 
+++ /var/tmp/diff_new_pack.f0h4u9/_new 2022-11-22 16:10:09.726023641 +0100 
@@ -1,6 +1,6 @@
 <servicedata>
 <service name="tar_scm">
 <param name="url">https://github.com/cert-manager/cert-manager</param> 
- <param name="changesrevision">da3265115bfd8be5780801cc6105fa857ef71965</param></service></servicedata> 
+ <param name="changesrevision">a96bae172ddb1fcd4b57f1859ab9d1a9e94f7451</param></service></servicedata> 
(No newline at EOF) 
++++++ cert-manager-1.10.0.tar.gz -> cert-manager-1.10.1.tar.gz ++++++ 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cert-manager-1.10.0/make/tools.mk new/cert-manager-1.10.1/make/tools.mk 
--- old/cert-manager-1.10.0/make/tools.mk 2022-10-13 10:55:09.000000000 +0200 
+++ new/cert-manager-1.10.1/make/tools.mk 2022-11-15 15:05:44.000000000 +0100 
@@ -36,7 +36,7 @@
 TOOLS += etcd=$(KUBEBUILDER_ASSETS_VERSION)
 TOOLS += kube-apiserver=$(KUBEBUILDER_ASSETS_VERSION) 
-VENDORED_GO_VERSION := 1.19.1 
+VENDORED_GO_VERSION := 1.19.3
 # When switching branches which use different versions of the tools, we
 # need a way to re-trigger the symlinking from $(BINDIR)/downloaded to $(BINDIR)/tools. 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cert-manager-1.10.0/pkg/issuer/venafi/client/venaficlient.go new/cert-manager-1.10.1/pkg/issuer/venafi/client/venaficlient.go 
--- old/cert-manager-1.10.0/pkg/issuer/venafi/client/venaficlient.go 2022-10-13 10:55:09.000000000 +0200 
+++ new/cert-manager-1.10.1/pkg/issuer/venafi/client/venaficlient.go 2022-11-15 15:05:44.000000000 +0100 
@@ -17,7 +17,11 @@
 package client
 import ( 
+ "crypto/tls" 
+ "crypto/x509"
 "fmt" 
+ "net" 
+ "net/http"
 "time"
 vcert "github.com/Venafi/vcert/v4" 
@@ -135,28 +139,27 @@
 username := string(tppSecret.Data[tppUsernameKey])
 password := string(tppSecret.Data[tppPasswordKey])
 accessToken := string(tppSecret.Data[tppAccessTokenKey]) 
- caBundle := string(tpp.CABundle)
 return &vcert.Config{
 ConnectorType: endpoint.ConnectorTypeTPP,
 BaseUrl: tpp.URL,
 Zone: venCfg.Zone,
 // always enable verbose logging for now 
- LogVerbose: true, 
- ConnectionTrust: caBundle, 
+ LogVerbose: true, 
+ // We supply the CA bundle here, to trigger the vcert's builtin 
+ // validation of the supplied PEM content. 
+ // This is somewhat redundant because the value (if valid) will be 
+ // ignored by vcert since we also supply a custom HTTP client, 
+ // below. But we want to retain the CA bundle validation errors that 
+ // were returned in previous versions of this code. 
+ // https://github.com/Venafi/vcert/blob/89645a7710a7b529765274cb60dc5e28066217a1/client.go#L55-L61 
+ ConnectionTrust: string(tpp.CABundle),
 Credentials: &endpoint.Authentication{
 User: username,
 Password: password,
 AccessToken: accessToken,
 }, 
- // this is needed for local development when tunneling to the TPP server 
- //Client: &http.Client{ 
- // Transport: &http.Transport{ 
- // TLSClientConfig: &tls.Config{ 
- // Renegotiation: tls.RenegotiateOnceAsClient, 
- // }, 
- // }, 
- //}, 
+ Client: httpClientForVcertTPP(tpp.CABundle),
 }, nil
 case venCfg.Cloud != nil:
 cloud := venCfg.Cloud 
@@ -187,6 +190,84 @@
 return nil, fmt.Errorf("neither Venafi Cloud or TPP configuration found")
 } 
+// httpClientForVcertTPP creates an HTTP client and customises it to allow client TLS renegotiation. 
+// 
+// Here's why: 
+// 
+// 1. The TPP API server is served by Microsoft Windows Server and IIS. 
+// 2. IIS uses TLS-1.2 by default[1] and it uses a 
+// TLS-1.2 feature called "renegotiation" to allow client certificate 
+// settings to be configured at the folder level. e.g. 
+// https://tpp.example.com/vedauth may Require or Accept client 
+// certificates while https://tpp.example.com/vedsdk may Ignore 
+// client certificates. 
+// 3. When IIS is configured this way it behaves as follows[2]: 
+// "Server receives a connection request on port 443; it begins a 
+// handshake. The server does not ask for a client certificate. Once 
+// the handshake is completed, the client sends the actual target URL 
+// as a HTTP request in the SSL tunnel. Up to that point, the server 
+// did not know which page was targeted; it only knew, at best, the 
+// intended server name (through the Server Name Indication). Now 
+// that the server knows which page is targeted, he knows which 
+// "site" (i.e. part of the server, in IIS terminology) is to be 
+// used." 
+// 4. In this scenario, the Go HTTP client MUST be configured to 
+// renegotiate (by default it will refuse to renegotiate). 
+// We use RenegotiateOnceAsClient rather than RenegotiateFreelyAsClient 
+// because cert-manager establishes a new HTTPS connection for each API 
+// request and therefore should only ever need to renegotiate once in this 
+// scenario. 
+// 5. But overriding the HTTP client causes vcert to ignore the 
+// `vcert.Config.ConnectionTrust` field, so we also have to set up the root 
+// CA trust pool ourselves. 
+// 6. And the value of RootCAs MUST be nil unless the user has supplied a 
+// custom CA, because a nil value causes the Go HTTP client to load the 
+// system default root CAs. 
+// 
+// [1] TLS protocol version support in Microsoft Windows: https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-#tls-protocol-version-support 
+// [2] Should I use SSL/TLS renegotiation?: https://security.stackexchange.com/a/24569 
+func httpClientForVcertTPP(caBundle []byte) *http.Client { 
+ // Copy vcert's default HTTP transport, which is mostly identical to the 
+ // http.DefaultTransport settings in Go's stdlib. 
+ // https://github.com/Venafi/vcert/blob/89645a7710a7b529765274cb60dc5e28066217a1/pkg/venafi/tpp/tpp.go#L481-L513 
+ transport := &http.Transport{ 
+ Proxy: http.ProxyFromEnvironment, 
+ DialContext: (&net.Dialer{ 
+ Timeout: 30 * time.Second, 
+ KeepAlive: 30 * time.Second, 
+ // Note: This DualStack setting is copied from vcert but 
+ // deviates from the http.DefaultTransport in Go's stdlib. 
+ DualStack: true, 
+ }).DialContext, 
+ MaxIdleConns: 100, 
+ IdleConnTimeout: 90 * time.Second, 
+ TLSHandshakeTimeout: 10 * time.Second, 
+ ExpectContinueTimeout: 1 * time.Second, 
+ } 
+ 
+ // Copy vcert's initialization of the TLS client config 
+ tlsClientConfig := http.DefaultTransport.(*http.Transport).TLSClientConfig.Clone() 
+ if tlsClientConfig == nil { 
+ tlsClientConfig = &tls.Config{} 
+ } 
+ if len(caBundle) > 0 { 
+ rootCAs := x509.NewCertPool() 
+ rootCAs.AppendCertsFromPEM(caBundle) 
+ tlsClientConfig.RootCAs = rootCAs 
+ } 
+ transport.TLSClientConfig = tlsClientConfig 
+ 
+ // Enable TLS 1.2 renegotiation (see earlier comment for justification). 
+ transport.TLSClientConfig.Renegotiation = tls.RenegotiateOnceAsClient 
+ 
+ // Copy vcert's initialization of the HTTP client, which overrides the default timeout. 
+ // https://github.com/Venafi/vcert/blob/89645a7710a7b529765274cb60dc5e28066217a1/pkg/venafi/tpp/tpp.go#L481-L513 
+ return &http.Client{ 
+ Transport: transport, 
+ Timeout: time.Second * 30, 
+ } 
+} 
+
 func (v *Venafi) Ping() error {
 return v.vcertClient.Ping()
 } 
++++++ vendor.tar.gz ++++++ /work/SRC/openSUSE:Factory/cmctl/vendor.tar.gz /work/SRC/openSUSE:Factory/.cmctl.new.1597/vendor.tar.gz differ: char 5, line 1
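Review bot: `rootCAs.AppendCertsFromPEM(caBundle)` in httpClientForVcertTPP drops its boolean result, so a non-empty bundle from which no certificate parses leaves RootCAs as an empty pool, and every TPP handshake then fails with a generic x509 verification error rather than one naming the bundle. The ConnectionTrust comment in the previous hunk says vcert's own PEM validation is what catches this, so the helper silently depends on that field continuing to be set; at minimum record the dependency next to the call, `// caBundle has already been validated by vcert via Config.ConnectionTrust; an unparsable bundle should never reach here`, or check the result and have the helper return `(*http.Client, error)` so the caller surfaces it. Separately, `DualStack: true` on net.Dialer has been a deprecated no-op since Go 1.12 (fast fallback is on by default), so that field and its two-line comment can be dropped without changing behaviour.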