v0.28.1 (#1236)

v0lkan · web-flow · commit 0004c1ded408 · 2025-01-25T18:41:14.000-08:00
* mostly security fixes

Signed-off-by: Volkan Özçelik &lt;me@volkan.io&gt;

* mostly security fixes

Signed-off-by: Volkan Özçelik &lt;me@volkan.io&gt;

---------

Signed-off-by: Volkan Özçelik &lt;me@volkan.io&gt;
diff --git a/.github/workflows/test-coverage.yaml b/.github/workflows/test-coverage.yaml
@@ -3,6 +3,9 @@ on:
   push:
     branches:
       - main
+
+permissions: read-all  # Set default permissions to read-only for the workflow
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/docs/content/timeline/changelog.md b/docs/content/timeline/changelog.md
@@ -15,9 +15,26 @@ weight = 11
 
 ## Recent Changes
 
+TBD
+
+## [0.28.1] - 2025-01-25
+
+This is a security patch to recent CVE scan results.
+
+### Changed
+
 * Removed the `--append` flag from VSecM Sentinel CLI.
 * Minor bugfixes.
 
+### Security
+
+* Fixed CVE-2024-45337 [Misuse of ServerConfig.PublicKeyCallback may cause 
+  authorization bypass in golang.org/x/crypto](https://github.com/vmware-tanzu/secrets-manager/security/dependabot/34)
+* Fixed CVE-2024-45338 [Non-linear parsing of case-insensitive content 
+  in golang.org/x/net/html](https://github.com/vmware-tanzu/secrets-manager/security/dependabot/38)
+* Fixed GHSA-32gq-x56h-299c [age vulnerable to malicious plugin names, 
+  recipients, or identities causing arbitrary binary execution](https://github.com/vmware-tanzu/secrets-manager/security/dependabot/35)
+
 ## [0.28.0] - 2024-10-05
 
 ### Added
