Debian Patches

Status for tang/8-3+deb11u2

Patch: cherry-pick/1619791926.v9-1-g5482313.fix-generation-of-new-keys-when-no-keys-are-available.patch
Description: Fix generation of new keys when no keys are available

When no keys are available, tang creates a new pair of keys; however,
currently it checks the total number of keys, including rotated keys,
to decide whether to create new keys.

So as not to have issues when all the keys have been rotated, let's check
instead the total number of "regular" keys, the ones that will be
advertised, and if there are none, then tang can create new keys.

This fixes an issue when we do have all keys rotated.
Tests added as well.

Forwarded: no
Origin: v9-1-g5482313 <https://github.com/latchset/tang/commit/v9-1-g5482313>
Last update: 2021-04-30
Patch: cherry-pick/1619793024.v9-2-gafb6055.keys-fix-signature-generation.patch
Description: Keys: fix signature generation

No need to create and pass an array with our template option.
This was causing issues when we had multiple (>2) pairs of keys.

Tests added to cover this scenario.

Forwarded: no
Origin: v9-2-gafb6055 <https://github.com/latchset/tang/commit/v9-2-gafb6055>
Last update: 2021-04-30
Patch: cherry-pick/1619654056.v9-3-g69b47ce.tests-unify-tests.patch
Description: Tests: unify tests

Let's try to not duplicate tests but instead reuse them across the
supported platforms.

Forwarded: no
Origin: v9-3-g69b47ce <https://github.com/latchset/tang/commit/v9-3-g69b47ce>
Last update: 2021-04-28
Patch: cherry-pick/1606661229.v9-5-gfd69796.add-tangd-rotate-keys-helper-script.patch
Description: Add tangd-rotate-keys helper script

So that it becomes simpler to perform key rotation on the server side.

Usage: tangd-rotate-keys [-h] [-v] -d <KEYDIR>

Example:

    $ sudo tangd-rotate-keys -d /var/db/tang -v
    Disabled advertisement of key 5AiUA4IhvOFdXzFavO78TKJ8hEsfGk8I6ymy4rBPWi8.jwk -> .5AiUA4IhvOFdXzFavO78TKJ8hEsfGk8I6ymy4rBPWi8.jwk
    Disabled advertisement of key dDC74X-o31Fq5VJaM9iZ4baZD2hhHw-RrIMkxEz35Xc.jwk -> .dDC74X-o31Fq5VJaM9iZ4baZD2hhHw-RrIMkxEz35Xc.jwk
    Created new key bIGVyIP2D_NJGQeFA9cf9oix5KEVQyVq9ZGjjv0s3D8.jwk
    Created new key BL4IR73UhG8yyYbvGJspPIlLvG6AzTnM850tlCKrcII.jwk
    Keys rotated successfully

Forwarded: no
Origin: v9-5-gfd69796 <https://github.com/latchset/tang/commit/v9-5-gfd69796>
Last update: 2020-11-29
Patch: for-upstream/2018-08-11.use-asciidoctor-to-build-manpages.patch
Description: Use asciidoctor to build the manpages
Author: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
Forwarded: yes
Origin: upstream
Last update: 2018-08-11

Patch: for-upstream/2018-08-12.add-systemd-documentation-key.patch
Description: Add documentation key to systemd unit file
Author: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
Forwarded: yes
Origin: upstream
Last update: 2018-08-12

Patch: debian/2021-04-19.non-usrmerged.patch
Description: Install systemd unit files in /lib/
Author: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
Forwarded: not-needed
Last update: 2021-04-19
Patch: bullseye/1639480721.v10-9-ge82459f.keys-move-signing-part-out-of-find-by-thp-and-to-find-jws-81.patch
Description: Keys: move signing part out of find_by_thp() and to find_jws() (#81)

Handle just signing keys in find_jws(), to make sure we are
responding only to proper queries.

Tests were also failing to detect this issue and were updated
accordingly.

Issue discovered by Twitter Kernel and OS team during a source
code audit while evaluating Tang/Clevis for their needs.

Fixes CVE-2021-4076

Forwarded: no
Origin: v10-9-ge82459f <https://github.com/latchset/tang/commit/v10-9-ge82459f>
Last update: 2021-12-14
Patch: bullseye/1686750800.v13-3-g8dbbed1.fix-race-condition-when-creating-rotating-keys-123.patch
Description: Fix race condition when creating/rotating keys (#123)

When we create/rotate keys using either the tangd-keygen and
tangd-rotate-keys helpers, there is a small window between the
keys being created and then the proper ownership permissions being
set. This also happens when there are no keys and tang creates a
pair of keys itself.

In certain situations, such as the keys directory having wide open
permissions, a user with local access could exploit this race
condition and read the keys before they are set to more restrictive
permissions.

To prevent this issue, we now set the default umask to 0337 before
creating the files, so that they are already created with restrictive
permissions; afterwards, we set the proper ownership as usual.

Issue reported by Brian McDermott of CENSUS labs.

Fixes CVE-2023-1672

Reviewed-by: Sergio Arroutbi <sarroutb@redhat.com>
Signed-off-by: Sergio Correia <scorreia@redhat.com>

Forwarded: no
Origin: v13-3-g8dbbed1 <https://github.com/latchset/tang/commit/v13-3-g8dbbed1>
Last update: 2023-06-14
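Added illustration (not tang's own code) of why the umask change in the patch above closes the window: the permission bits a file carries at the instant it comes into existence are the requested mode masked by the process umask, so with umask 0337 there is no moment at which a newly written key is readable by other users, whereas a create-then-chmod sequence under the usual 022 umask leaves it world-readable until the chmod runs. The scratch path /tmp/tang-umask-example.jwk is a constructed name and is removed again by the function.

```c
/* Added example, not tang's code: report the permission bits a freshly
 * created key file has at the moment it exists, under two different umasks. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed scratch path; the file is unlinked before returning. */
static const char *EXAMPLE_PATH = "/tmp/tang-umask-example.jwk";

/* Create EXAMPLE_PATH requesting mode 0666 while `mask` is the process
 * umask, read the mode back from the open descriptor (exactly what a
 * concurrent reader could observe before any later chmod), then remove
 * the file. Returns the permission bits (e.g. 0644), or -1 on error. */
int mode_at_creation(mode_t mask)
{
    mode_t old = umask(mask);
    int fd = open(EXAMPLE_PATH, O_WRONLY | O_CREAT | O_EXCL, 0666);
    umask(old);                         /* restore the caller's umask */
    if (fd < 0)
        return -1;

    struct stat st;
    int rc = fstat(fd, &st);
    close(fd);
    unlink(EXAMPLE_PATH);
    return rc < 0 ? -1 : (int)(st.st_mode & 0777);
}

int main(void)
{
    /* Common default umask 022: the key is 0644 (world-readable) until a
     * later chmod/chown narrows it; that gap is the race in CVE-2023-1672. */
    printf("umask 0022 -> %04o\n", (unsigned)mode_at_creation(0022));
    /* umask 0337 as set by the fix: the key is 0440 from its first instant. */
    printf("umask 0337 -> %04o\n", (unsigned)mode_at_creation(0337));
    return 0;
}
```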
