Releases: cyberark/conjur
v1.11.4
Security
- Updated Rails to 5.2.4.5 to address CVE-2021-22880
cyberark/conjur#2056
v1.11.3
Change log
Fixed
- Conjur now raises a new ServiceIdMissing error if the service-id param is missing in an authentication request for the OIDC authenticator. cyberark/conjur#2004
Changed
- Conjur now raises a RoleNotFound error when trying to authenticate a non-existing host in authn-k8s. cyberark/conjur#2046
v1.11.2
Added
- New edge-tagged images are published to DockerHub on every master branch build. cyberark/conjur#1617
Changed
- Conjur images are updated to use pinned versions of the public base images. Users can now determine exactly which dependencies in the Conjur Base Image project are included in their Conjur image. cyberark/conjur#1974
- Messages for password change now have the field role instead of user under subject. cyberark/conjur#2014
- When batch secret requests are sent with an Accept: base64 header, the secret values in the response will all be Base64-encoded. Sending requests with this header allows users to retrieve binary secrets encoded in Base64. cyberark/conjur#1962
- Conjur now verifies that the offset parameter is a valid integer value. The GET /resources request will fail if offset is not an integer greater than or equal to 0. cyberark/conjur#1997
Fixed
- Requests with an empty body and an application/json Content-Type header will now return a 400 error instead of a 500 error. cyberark/conjur#1968
- Policy loading no longer fails when attempting to update the annotation search index for a resource that no longer exists. cyberark/conjur#1948
- Audit engine routing now correctly matches URLs that include a period (.) in the resource ID. cyberark/conjur#2001
- Attempts to retrieve binary secret data in a batch request without using the Accept: base64 header now return a message explaining that improper secret encoding is the cause of the 500 response. cyberark/conjur#1962
- A GET /resources request with a non-numeric delimiter (limit or offset) now returns Error 422 Unprocessable Entity instead of Error 500. cyberark/conjur#1997
- A POST /host_factory_tokens request with an invalid IP address or CIDR range in the cidr parameter now returns Error 422 Unprocessable Entity instead of Error 500. cyberark/conjur#2011
Security
- Kubernetes authenticator certificate injection process now performs certificate verification to prevent MitM attacks. Security Bulletin
v1.11.1
Change log
Added
- UBI-based Conjur image to support Conjur server running on OpenShift. Image will be published to RedHat Container Registry. cyberark/conjur#1883
v1.11.0
Added
- GCP authenticator (authn-gcp) supports authenticating from Google Cloud Function (GCF) using a GCE instance identity token. See design for details. cyberark/conjur#1804
Changed
- Conjur now raises an ExecCommandError error instead of a CertInstallationError error in case it failed to install the client certificate during authn-k8s. cyberark/conjur#1860
Fixed
- Conjur now raises an Unauthorized error when a user attempts to rotate the API key of a nonexistent role. Previously, the operation would result in a successful rotation of the existing user's API key, with no indication that the target of the operation had changed. cyberark/conjur#1914
Security
- Bumped Ruby version from 2.5.1 to 2.5.8 to address CVE-2020-10663. cyberark/conjur#1906
v1.10.0
Added
- Documentation explaining how to upgrade a Conjur server deployed in a Docker Compose environment. cyberark/conjur#1528, cyberark/conjur#1584
- When Conjur starts, we now convert blank environment variables to nil. This ensures we treat empty environment values as if the environment variable is not present, rather than attempting to use the empty string value. cyberark/conjur#1841
Changed
- The "inject_client_cert" request now returns 202 Accepted instead of 200 OK to indicate that the cert injection has started but not necessarily completed. cyberark/conjur#1848
Fixed
- Conjur now verifies that Kubernetes Authenticator variables exist and have a value before retrieving them, so that a proper error is raised if they don't. cyberark/conjur#1315
v1.9.0
Added
- Hosts can authenticate from Google Compute Engine (GCE) using a GCE instance identity token. See design for details. cyberark/conjur#1711
- New /whoami API endpoint for improved supportability and debugging for access tokens and client IP address determination. cyberark/conjur#1697
- TRUSTED_PROXIES is validated at Conjur startup to ensure that it contains valid IP addresses and/or address ranges in CIDR notation. cyberark/conjur#1727
- The /authenticate endpoint now returns a text/plain base64 encoded access token if the Accept-Encoding request header includes base64. cyberark/conjur#151
Changed
- The Conjur server request logs now record the same IP address used by audit logs and network authentication filters with the restricted_to attribute. cyberark/conjur#1719
- Conjur now only trusts 127.0.0.1 to send the X-Forwarded-For header by default. Additional trusted IP addresses may be added with the TRUSTED_PROXIES environment variable. cyberark/conjur#1725
- Invalid CIDR notation in restricted_to now returns a policy validation error, rather than an internal server error. cyberark/conjur#1763
Fixed
- The TRUSTED_PROXIES environment variable now works correctly again after the Rails 5 upgrade. It indicates trusted proxy IP addresses when using the X-Forwarded-For HTTP header to identify the true client IP address of a request. cyberark/conjur#1689
- A new database migration step updates the fingerprints in slosilo. The FIPS compliance update in v1.8.0 caused the previous fingerprints to be invalid. cyberark/conjur#1584
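As an added illustration (not Conjur's own code) of the TRUSTED_PROXIES and X-Forwarded-For behaviour described in the v1.9.0 Added, Changed and Fixed entries above: a Ruby sketch that validates the TRUSTED_PROXIES list at startup, always trusts 127.0.0.1, and walks the X-Forwarded-For chain from the TCP peer inward so that a header presented by an untrusted peer cannot spoof the client IP. The function names, the sample addresses and the fall-back to the direct peer when every hop is trusted are assumptions made here, not Conjur's implementation.

```ruby
require 'ipaddr'

LOOPBACK = IPAddr.new('127.0.0.1') # always trusted, per the default above

def valid_ip?(str)
  IPAddr.new(str)
  true
rescue IPAddr::Error
  false
end

# Parse the TRUSTED_PROXIES value (comma-separated IPs and/or CIDR ranges)
# at startup, rejecting the whole configuration on any malformed entry
# rather than silently trusting (or ignoring) it. Assumed format, not
# Conjur's parser.
def parse_trusted_proxies(env_value)
  entries = env_value.to_s.split(',').map(&:strip).reject(&:empty?)
  ranges = entries.map do |entry|
    unless valid_ip?(entry)
      raise ArgumentError, "Invalid TRUSTED_PROXIES entry: #{entry.inspect}"
    end
    IPAddr.new(entry)
  end
  ranges << LOOPBACK
end

def trusted?(ip, proxies)
  addr = IPAddr.new(ip)
  proxies.any? { |range| range.include?(addr) }
end

# Resolve the client IP. The chain is X-Forwarded-For (left-most entry is
# whatever the first hop claimed; each proxy appends the peer it received the
# request from) followed by the actual TCP peer. Walking from the right and
# skipping trusted proxies, the first untrusted address is the client, so a
# header sent by an untrusted peer never overrides REMOTE_ADDR, and a spoofed
# left-most entry behind a trusted proxy is never reached.
def client_ip(remote_addr, forwarded_for, proxies)
  chain = forwarded_for.to_s.split(',').map(&:strip).select { |ip| valid_ip?(ip) }
  chain << remote_addr
  chain.reverse_each { |ip| return ip unless trusted?(ip, proxies) }
  remote_addr # every hop was a trusted proxy: fall back to the direct peer
end
```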
Security
- Replaces string comparison with Secure Compare to prevent timing attacks against the API authentication endpoint. Security Bulletin
- Roles must use basic authentication to rotate their own API key, and can no longer rotate their API key using only an access token. Security Bulletin
v1.8.1
Fixed
- Log the OpenSSL FIPS mode after Rails is initialized for both OSS and DAP. cyberark/conjur#1684
- Bump conjur-policy-parser so revoke (member) and deny (role) can correctly utilize relative paths. cyberark/conjur-policy-parser#23
v1.8.0
Changed
- Use OpenSSL 1.0.2u to support FIPS compliance. cyberark/conjur#1527
- Conjur can be configured to run in FIPS compliant or non-FIPS compliant mode depending on requirements. FIPS compliant mode is slightly slower than non-FIPS compliant mode. cyberark/conjur#1527
- Bump conjur-rack from 4.0.0 to 4.2.0, which consumes FIPS compliant slosilo. cyberark/conjur#1527
- Print login and authentication errors to the log at INFO level. cyberark/conjur#1377
- Print a proper message when the user does not exist in an authn or login request with the default authenticator. cyberark/conjur#1655
Added
- Password changes (PUT /authn/:account/password) now produce audit events with message ID password. cyberark/conjur#1548
- API key rotations (PUT /:authenticator/:account/api_key) now produce audit events with message ID api-key. cyberark/conjur#1549
- All audit events now contain the IP address of the client that initiated the API request (e.g. [client@43868 ip="172.24.0.5"]). cyberark/conjur#1550
- Print Conjur server FIPS mode status. cyberark/conjur#1654
Security
- Updated rack to 2.2.3 to resolve CVE-2020-8184. cyberark/conjur#1643
v1.7.4
Fixed
- The default content type for requests is now set at the beginning of the Rack middleware chain, so that the content type is available for subsequent middleware. (cyberark/conjur#1622)
- The default content type middleware now correctly checks for the absence of the Content-Type header. (cyberark/conjur#1622)