
SCONE 6.0

SCONE 6.0.5

🐞 Bug Fixes

  • Fix memory clean-up for some data structures in the SCONE Runtime

🛑 Security

  • Upgrade dependencies to address an issue that could result in out-of-bounds memory access when using OpenSSL (CVE-2025-9230)

SCONE 6.0.4

🛑 Security

  • Fix an issue in input and condition handling within the Go ecosystem (CVE-2024-25621)
  • Address a validation-related security issue in Go-based components (CVE-2025-58183)
  • Fix a security issue in HTTP cookie handling within the Go HTTP stack (CVE-2025-58186)
  • Handling of exceptional conditions in Go-based components was improved (CVE-2025-58187)
  • State and lifecycle handling in the Go ecosystem was updated (CVE-2025-61729)

SCONE 6.0.3

🐞 Bug Fixes

  • Disable ANSI colors in the SCONE CLI
  • Terminate LAS if the SCONE QE was lost due to a power transition or if subsequent signing requests fail
  • SCONE Runtime performance and error handling improvements
  • Fix renaming of the metrics exposed by the SCONE Runtime
  • Show EPC size during enclave start
  • Fix toleration and taints checks in the CAS Backup Controller
  • In the CAS Backup Controller and kubectl plugin, ensure that the SCONECLI upgrade command is used to upgrade and back up a CAS instance
  • kubectl-provision fix custom owner config and alt_names in default owner config
  • kubectl-provision only disable safety service during upgrade from versions 5.x
  • operator_controller use IMAGE_REPO in check_pull_secret function

🛑 Security

  • Upgrade the Alpine-based base images
  • Upgrade the Docker-in-Docker-based base images

SCONE 6.0.2

🐞 Bug Fixes

  • Fix install/upgrade version check in the operator_controller script

SCONE 6.0.1

🛡️ CAS

  • Reworked upgrade/backup CAS registration logic to allow activation of new CPU features (e.g. AVX512) and improve error messages

⚙️ Runtime

  • Fixes to minimize heap fragmentation

🛑 Common Vulnerabilities and Exposures Fixes

🐞 Bug Fixes

  • Fix on the operator_controller script
  • Remove dependency on unhealthy state of CAS during upgrade

SCONE 6.0.0

💥 Breaking Change

  • Upgrade to DCAP API v4. This will most likely break existing sessions: enclaves will no longer be able to attest. The currently used API v3 does not deliver Advisory IDs, so sessions do not have to tolerate any Advisory IDs. After switching to Intel DCAP v4, those systems will probably report Advisory IDs that must be tolerated in the sessions; otherwise the enclaves will be rejected during attestation. Sessions that ignore all advisories for availability reasons are not affected by this.
  • The following SCONE Curated images have been removed due to the End-of-Life of their Debian 11 base image:
    • apps:java-17-bullseye
    • apps:nextcloud-apache
    • apps:php-8.1-apache-zts
    • apps:redis-6.2.6-bullseye
    • golang:1.22.5-bullseye
    • golang:1.23.8-bullseye
    • python:3.8-bullseye
    • rclone:1.69-bullseye
    • teemon:ebpf-exporter
  • Revert the change of the crosscompiler image's base image from ubuntu24.04 to ubuntu24.10. We stick to supporting LTS versions.
  • Dropped SCONE Vault support.
  • Remove backup-controller.cas field in the SCONE CAS Kubernetes CRD.

🛡️ CAS

  • Support Intel DCAP API v4 by default

⚙️ Runtime

  • Extend Prometheus metrics with identifying labels.

🐞 Bug Fixes

  • Fix various stability and performance bugs.