From 076f37bb68814b8dc4464d768b4263045ff32bc0 Mon Sep 17 00:00:00 2001 From: David Enyeart Date: Fri, 17 Jun 2022 11:57:51 -0400 Subject: [PATCH] Release commit for v1.5.4 Release commit for v1.5.4. Signed-off-by: David Enyeart --- Makefile | 2 +- lib/metadata/version.go | 2 +- release_notes/v1.5.4.md | 50 +++++++++++++++++++++++++++++++++++++++++ 3 files changed, 52 insertions(+), 2 deletions(-) create mode 100644 release_notes/v1.5.4.md diff --git a/Makefile b/Makefile index 468335937..f035feae8 100644 --- a/Makefile +++ b/Makefile @@ -33,7 +33,7 @@ PROJECT_NAME = fabric-ca ALPINE_VER ?= 3.16 DEBIAN_VER ?= stretch BASE_VERSION = 1.5.4 -IS_RELEASE = false +IS_RELEASE = true ARCH=$(shell go env GOARCH) MARCH=$(shell go env GOOS)-$(shell go env GOARCH) diff --git a/lib/metadata/version.go b/lib/metadata/version.go index 81fc16f5a..0190b7969 100644 --- a/lib/metadata/version.go +++ b/lib/metadata/version.go @@ -29,7 +29,7 @@ const ( // Version specifies fabric-ca-client/fabric-ca-server version // It is defined by the Makefile and passed in with ldflags -var Version = "1.5.3" +var Version = "1.5.4" // GetVersionInfo returns version information for the fabric-ca-client/fabric-ca-server func GetVersionInfo(prgName string) string { diff --git a/release_notes/v1.5.4.md b/release_notes/v1.5.4.md new file mode 100644 index 000000000..9d45b452f --- /dev/null +++ b/release_notes/v1.5.4.md @@ -0,0 +1,50 @@ +v1.5.4 Release Notes - June 17, 2022 +==================================== + +Release v1.5.4 updates Fabric CA to use https://github.com/IBM/idemix for the Identity Mixer implementation, +making it possible to issue credentials using various Identity Mixer curves. +The Identity Mixer curve can be configured in the Fabric CA server and client configuration yaml file: + +``` +# Specifies the Elliptic Curve used by Identity Mixer. +# It can be any of: {"amcl.Fp256bn", "gurvy.Bn254", "amcl.Fp256Miraclbn"}. +# If unspecified, it defaults to 'amcl.Fp256bn'. +curve: amcl.Fp256bn +``` + +Dependencies +------------ + +Fabric CA v1.5.4 has been tested with the following dependencies: +- Go 1.18.2 +- Alpine 3.16 (for Docker images) + + +Changes, Known Issues, and Workarounds +-------------------------------------- +None. + +Known Vulnerabilities +--------------------- +- FABC-174 Commands can be manipulated to delete identities or affiliations + + This vulnerability can be resolved in one of two ways: + + 1) Use HTTPS (TLS) so that the authorization header is not in clear text. + + 2) The token generation/authentication mechanism was improved to optionally prevent + token reuse. As of v1.4 a more secure token can be used by setting environment variable: + + FABRIC_CA_SERVER_COMPATIBILITY_MODE_V1_3=false + + However, it cannot be set to false until all clients have + been updated to generate the more secure token and tolerate + FABRIC_CA_SERVER_COMPATIBILITY_MODE_V1_3=false. + The Fabric CA client has been updated in v1.4 to generate the more secure token. + The Fabric SDKs will be updated by v2.0 timeframe to generate the more secure token, + at which time the default for Fabric CA server will change to: + FABRIC_CA_SERVER_COMPATIBILITY_MODE_V1_3=false + +Resolved Vulnerabilities +------------------------ +None.