SPIRE
v1.14.3Securityv1.14.3 patches a TLS session resumption bypass that could skip certificate chain validation, plus fixes node cache rebuild and several reliability issues in AWS and federation scenarios.
securityUpgrade immediately to fix TLS session ticket bypass
TLS session resumption on SPIRE Server's TCP endpoint was allowing reconnecting clients to skip SPIFFE certificate chain validation — meaning a client with an expired or revoked cert could potentially reconnect without re-validation against the current trust bundle. This is a meaningful trust boundary violation. Upgrade to v1.14.3 now. No config change needed; the fix disables session tickets server-side automatically.
securitySelector data no longer leaks into agent logs
Selectors can encode workload identity details (e.g., Kubernetes pod labels, Unix UIDs, AWS metadata) that you may not want in logs. Previously, these were logged at agent level. After upgrading, audit your existing log pipelines and retention policies — any historical logs may still contain this data.
breakingPQC users must migrate from Kyber draft to X25519MLKEM768
If you've enabled RequirePQKEM TLS policy, the underlying algorithm changes from the draft x25519Kyber768Draft00 to the standardized X25519MLKEM768. Both peers must be running v1.14.3+ before this takes effect, otherwise TLS handshakes will fail. Plan a coordinated upgrade of agents and server if you're using this policy.
enhancementNode cache rebuild fix is critical for long-running agents
The periodic node cache rebuild was executing only once after startup instead of on its configured interval. Over time, agents in environments with frequent workload changes would serve stale cache data. This is silently fixed in v1.14.3 — no config changes needed, but you should upgrade agents promptly, especially in dynamic environments.
主な変更 (5)
- TLS session ticket resumption on server TCP endpoints disabled — was allowing connections to bypass SPIFFE certificate chain validation against the current trust bundle
- Selectors no longer logged at agent level to prevent sensitive info leakage
- RequirePQKEM policy updated from draft x25519Kyber768Draft00 to standardized X25519MLKEM768
- Node cache periodic rebuild was silently running only once — now correctly loops at configured interval
- ReadOnlyEntry.Clone() bug fixed: Admin boolean was bleeding into Downstream field, corrupting authorization metadata for GetAuthorizedEntries/SyncAuthorizedEntries clients