v0.28.1 (#1236)

* mostly security fixes Signed-off-by: Volkan Özçelik <[email protected]> * mostly security fixes Signed-off-by: Volkan Özçelik <[email protected]> --------- Signed-off-by: Volkan Özçelik <[email protected]>
vmware-tanzu · Jan 26, 2025 · 0004c1d · 0004c1d
1 parent 3ad713b
commit 0004c1d
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 0 deletions.
diff --git a/.github/workflows/test-coverage.yaml b/.github/workflows/test-coverage.yaml
@@ -3,6 +3,9 @@ on:
   push:
     branches:
       - main
+
+permissions: read-all  # Set default permissions to read-only for the workflow
+
 jobs:
   build:
     runs-on: ubuntu-latest

diff --git a/docs/content/timeline/changelog.md b/docs/content/timeline/changelog.md
@@ -15,9 +15,26 @@ weight = 11
 
 ## Recent Changes
 
+TBD
+
+## [0.28.1] - 2025-01-25
+
+This is a security patch to recent CVE scan results.
+
+### Changed
+
 * Removed the `--append` flag from VSecM Sentinel CLI.
 * Minor bugfixes.
 
+### Security
+
+* Fixed CVE-2024-45337 [Misuse of ServerConfig.PublicKeyCallback may cause 
+  authorization bypass in golang.org/x/crypto](https://github.com/vmware-tanzu/secrets-manager/security/dependabot/34)
+* Fixed CVE-2024-45338 [Non-linear parsing of case-insensitive content 
+  in golang.org/x/net/html](https://github.com/vmware-tanzu/secrets-manager/security/dependabot/38)
+* Fixed GHSA-32gq-x56h-299c [age vulnerable to malicious plugin names, 
+  recipients, or identities causing arbitrary binary execution](https://github.com/vmware-tanzu/secrets-manager/security/dependabot/35)
+
 ## [0.28.0] - 2024-10-05
 
 ### Added
-Original file line number
+Diff line change
@@ Expand Up / @@ -3,6 +3,9 @@ on: @@
       push:
         branches:
           - main
+    permissions: read-all  # Set default permissions to read-only for the workflow
     jobs:
       build:
         runs-on: ubuntu-latest
@@ Expand Down @@