Release v0.62.1 (open-policy-agent#6618)

Signed-off-by: Stephan Renatus <stephan@styra.com> Signed-off-by: Thomas Sidebottom <thomas.sidebottom@va.gov>
tsidebottom · Apr 17, 2024 · 4aa7b45 · 4aa7b45
1 parent 4e1a5ed
commit 4aa7b45
Show file tree

Hide file tree

Showing 5 changed files with 4,959 additions and 10 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,7 +3,31 @@
 All notable changes to this project will be documented in this file. This
 project adheres to [Semantic Versioning](http://semver.org/).
 
-## Unreleased
+## 0.62.1
+
+This is a security fix release for the fixes published in [Golang 1.22.1](https://groups.google.com/g/golang-announce/c/5pwGVUPoMbg).
+
+OPA servers using `--authentication=tls` would be affected: crafted malicious client
+certificates could cause a panic in the server.
+
+Also, crafted server certificates could panic OPA's HTTP clients, in bundle plugin,
+status and decision logs; and `http.send` calls that verify TLS.
+
+This affects all crypto/tls clients, and servers that set Config.ClientAuth to
+VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default behavior is
+for TLS servers to not verify client certificates.
+
+This is CVE-2024-24783 (https://pkg.go.dev/vuln/GO-2024-2598).
+
+Note that there are other security fixes in this Golang release, but whether or not
+OPA is affected is harder to tell. An update is advised.
+
+
+### Miscellaneous
+
+- Add Trino to OPA ecosystem (authored by @mosabua)
+- update: ADOPTERS.md (#6608) (authored by @fredmaggiowski)
+
 
 ## 0.62.0