[stork-users] Stork 1.5.1 (security release) is available

Victoria Risk vicky at isc.org
Wed Mar 27 14:53:11 UTC 2024


ISC is pleased to announce that Stork 1.5.1 is now available. 
This release includes only one change, to address a critical security issue, CVE-2024-28872: 
Incorrect TLS certificate validation can lead to escalated privileges. 
(https://kb.isc.org/docs/cve-2024-28872) Please follow the upgrade procedure linked below.

The easiest way to install the software is to use ISC’s native deb or RPM packages. They can be downloaded from:

      https://cloudsmith.io/~isc/repos/stork/

The Stork source and PGP signature for this release may be downloaded from:

      https://www.isc.org/download#Stork

Documentation for Stork is available at:

      https://stork.readthedocs.io
——
# Stork 1.15.1 Release Notes, March 27, 2024

Welcome to Stork 1.15.1, a security update release. There are no new 
features in this release.

Security fixes:

1. **CVE-2024-28872**: A problem with TLS certificates was fixed. This
fix addresses all known problems with TLS certificates. It also
prevents any unauthorized connection attempts using gRPC over HTTP/2
connections, making Stork no longer susceptible to known and predicted
attacks against HTTP/2. For details, see the advisory text:
[CVE-2024-28872](https://kb.isc.org/docs/cve-2024-28872). [#1328].

All users running versions 0.15.0 to 1.15.0 are advised to upgrade as 
soon as possible. It is recommended to follow the upgrade procedure
described here: https://kb.isc.org/docs/upgrading-stork.

Please see this link for known issues: 
https://gitlab.isc.org/isc-projects/stork/-/wikis/Known-issues.

## Incompatible Changes

The changes introduced in this release might be incompatible. The fix 
requires generating new certificates. The upgrade process is transparent 
if certificates were generated by Stork. The Stork server is able to 
detect its own generated certificates and regenerate them properly in an 
automated manner. The Stork agents will detect this and will repeat the 
registration procedure and retrieve new certificates from the server. 
The whole procedure is fully automated, as long as the certificates were 
generated by Stork. If the certificates were generated by an external party
and imported into Stork, some manual intervention is likely necessary.
See the KB article at
https://kb.isc.org/docs/importing-external-certificates-to-stork for 
details.

## Release Model

Stork has bi-monthly development releases.

