SPIRE
v1.15.2SecuritySPIRE v1.15.2 is a mixed release addressing security concerns through docker/docker to moby/moby migration (resolving CVEs) and a HIGH-severity delegated identity API restriction preventing JWT-SVID exposure for admin or downstream entries. The release also introduces the SPIFFE Broker, per-caller rate limiting, TLS metrics endpoint support, and numerous performance and compatibility improvements across multiple attestors and plugins.
securityResolve docker/docker CVEs via moby/moby migration
docker/docker dependencies have been migrated to moby/moby equivalents to resolve Docker/Moby CVEs. Upgrade to v1.15.2.
breakingDelegated API no longer serves JWT-SVIDs for admin/downstream entries
The delegated identity API no longer serves JWT-SVIDs for admin or downstream entries. If you use the delegated identity API with admin or downstream entries, verify that clients no longer depend on JWT-SVID tokens from those entry types.
Key changes (7)
- Security: docker/docker migrated to moby/moby to resolve CVEs
- Security: Delegated identity API restricted—no longer serves JWT-SVIDs for admin or downstream entries
- Enhancement: Per-caller rate limiting for agent Workload API and Envoy SDS
- Enhancement: TLS support for Prometheus metrics endpoint with optional SPIFFE ID allowlist
- Enhancement: SPIFFE Broker endpoint and API introduced
- Performance: Attested nodes now fetched in bulk; optimized MySQL list entries query for reduced database load
- Plus 16 additional features, fixes, and improvements: post-quantum cryptography curves, aws_kms tag-based discovery, azure_imds fixes, CA journal durability, structured logging, Windows SE_DEBUG_PRIVILEGE support, and more