diff --git a/Makefile b/Makefile index bacccbbc..7f54ef26 100644 --- a/Makefile +++ b/Makefile @@ -32,7 +32,7 @@ PROJECT_NAME = fabric-ca GO_VER = 1.23.1 UBUNTU_VER ?= 20.04 DEBIAN_VER ?= stretch -BASE_VERSION ?= v1.5.12 +BASE_VERSION ?= v1.5.13 ARCH=$(shell go env GOARCH) PLATFORM=$(shell go env GOOS)-$(shell go env GOARCH) diff --git a/lib/metadata/version.go b/lib/metadata/version.go index 7e29b060..0e657791 100644 --- a/lib/metadata/version.go +++ b/lib/metadata/version.go @@ -29,7 +29,7 @@ const ( // Version specifies fabric-ca-client/fabric-ca-server version // It is defined by the Makefile and passed in with ldflags -var Version = "1.5.12" +var Version = "1.5.13" // GetVersionInfo returns version information for the fabric-ca-client/fabric-ca-server func GetVersionInfo(prgName string) string { diff --git a/release_notes/v1.5.13.md b/release_notes/v1.5.13.md new file mode 100644 index 00000000..b46fa53b --- /dev/null +++ b/release_notes/v1.5.13.md @@ -0,0 +1,46 @@ +v1.5.13 Release Notes - September 20, 2024 +========================================== + +v1.5.13 updates code dependencies. + + +Dependencies +------------ + +Fabric CA v1.5.13 has been tested with the following dependencies: +- Go 1.23.1 +- Ubuntu 20.04 (for Docker images) +- Databases + - PostgreSQL 13 + - MySQL 8.0 + + +Changes, Known Issues, and Workarounds +-------------------------------------- + +None. + +Known Vulnerabilities +--------------------- +- FABC-174 Commands can be manipulated to delete identities or affiliations + + This vulnerability can be resolved in one of two ways: + + 1) Use HTTPS (TLS) so that the authorization header is not in clear text. + + 2) The token generation/authentication mechanism was improved to optionally prevent + token reuse. As of v1.4 a more secure token can be used by setting environment variable: + + FABRIC_CA_SERVER_COMPATIBILITY_MODE_V1_3=false + + However, it cannot be set to false until all clients have + been updated to generate the more secure token and tolerate + FABRIC_CA_SERVER_COMPATIBILITY_MODE_V1_3=false. + The Fabric CA client has been updated in v1.4 to generate the more secure token. + The Fabric SDKs will be updated by v2.0 timeframe to generate the more secure token, + at which time the default for Fabric CA server will change to: + FABRIC_CA_SERVER_COMPATIBILITY_MODE_V1_3=false + +Resolved Vulnerabilities +------------------------ +None.