diff --git a/Makefile b/Makefile index 9756e417..8111e06c 100644 --- a/Makefile +++ b/Makefile @@ -32,7 +32,7 @@ PROJECT_NAME = fabric-ca GO_VER = 1.21.9 UBUNTU_VER ?= 20.04 DEBIAN_VER ?= stretch -BASE_VERSION ?= v1.5.9 +BASE_VERSION ?= v1.5.10 ARCH=$(shell go env GOARCH) PLATFORM=$(shell go env GOOS)-$(shell go env GOARCH) diff --git a/lib/metadata/version.go b/lib/metadata/version.go index 9a7cda56..639c0126 100644 --- a/lib/metadata/version.go +++ b/lib/metadata/version.go @@ -29,7 +29,7 @@ const ( // Version specifies fabric-ca-client/fabric-ca-server version // It is defined by the Makefile and passed in with ldflags -var Version = "1.5.9" +var Version = "1.5.10" // GetVersionInfo returns version information for the fabric-ca-client/fabric-ca-server func GetVersionInfo(prgName string) string { diff --git a/release_notes/v1.5.10.md b/release_notes/v1.5.10.md new file mode 100644 index 00000000..64b22871 --- /dev/null +++ b/release_notes/v1.5.10.md @@ -0,0 +1,46 @@ +v1.5.10 Release Notes - April 15, 2024 +====================================== + +v1.5.10 updates code dependencies. + + +Dependencies +------------ + +Fabric CA v1.5.10 has been tested with the following dependencies: +- Go 1.21.9 +- Ubuntu 20.04 (for Docker images) +- Databases + - PostgreSQL 13 + - MySQL 8.0 + + +Changes, Known Issues, and Workarounds +-------------------------------------- + +None. + +Known Vulnerabilities +--------------------- +- FABC-174 Commands can be manipulated to delete identities or affiliations + + This vulnerability can be resolved in one of two ways: + + 1) Use HTTPS (TLS) so that the authorization header is not in clear text. + + 2) The token generation/authentication mechanism was improved to optionally prevent + token reuse. As of v1.4 a more secure token can be used by setting environment variable: + + FABRIC_CA_SERVER_COMPATIBILITY_MODE_V1_3=false + + However, it cannot be set to false until all clients have + been updated to generate the more secure token and tolerate + FABRIC_CA_SERVER_COMPATIBILITY_MODE_V1_3=false. + The Fabric CA client has been updated in v1.4 to generate the more secure token. + The Fabric SDKs will be updated by v2.0 timeframe to generate the more secure token, + at which time the default for Fabric CA server will change to: + FABRIC_CA_SERVER_COMPATIBILITY_MODE_V1_3=false + +Resolved Vulnerabilities +------------------------ +None.