
Releases: cyberark/conjur

v1.11.4

09 Mar 15:26

Security

v1.11.3

22 Feb 22:51
ea067c9

Change log

Fixed

  • Conjur now raises a new ServiceIdMissing error if the service-id param is
    missing in an authentication request for the OIDC authenticator.
    cyberark/conjur#2004

Changed

  • Conjur now raises a RoleNotFound error when trying to authenticate a
    non-existing host in authn-k8s.
    cyberark/conjur#2046

v1.11.2

02 Feb 21:07
e24f2e2

Added

  • New edge-tagged images are published to DockerHub on every master branch
    build.
    cyberark/conjur#1617

Changed

  • Conjur images are updated to use pinned versions of the public base images.
    Users can now determine exactly which dependencies in the
    Conjur Base Image project
    are included in their Conjur image.
    cyberark/conjur#1974
  • Messages for password changes now carry the field role instead of user under subject.
    cyberark/conjur#2014
  • When batch secret requests are sent with an Accept: base64 header, the secret
    values in the response will all be Base64-encoded. Sending requests with this
    header allows users to retrieve binary secrets encoded in Base64.
    cyberark/conjur#1962
  • Conjur now verifies that the offset parameter is a valid integer value.
    The GET /resources request will fail if offset is not an integer greater
    than or equal to 0.
    cyberark/conjur#1997

Fixed

  • Requests with an empty body and an application/json Content-Type header now
    return a 400 error instead of a 500 error.
    cyberark/conjur#1968
  • Policy loading no longer fails when attempting to update the annotation
    search index for a resource that no longer exists.
    cyberark/conjur#1948
  • Audit engine routing now correctly matches URLs that include a period (.)
    in the resource ID.
    cyberark/conjur#2001
  • Attempts to retrieve binary secret data in a batch request without the
    Accept: base64 header now return a message explaining that improper
    secret encoding is the cause of the 500 response.
    cyberark/conjur#1962
  • GET /resources requests with a non-numeric limit or offset parameter now
    return 422 Unprocessable Entity instead of a 500 error.
    cyberark/conjur#1997
  • POST /host_factory_tokens requests with an invalid IP address or CIDR range in
    the cidr parameter now return 422 Unprocessable Entity instead of a 500 error.
    cyberark/conjur#2011
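
The Accept: base64 behaviour described above, as an added Ruby illustration that is not Conjur's own code: the handler name, the variable IDs, the sample secret values and the wording of the error body are all constructed for this example. What it shows is why a binary secret cannot be returned inside plain JSON, and how the header turns that failure into a Base64-encoded response the client can decode back to the original bytes.

```ruby
require "json"
require "base64"

# Constructed sample store standing in for the result of a batch secret
# request: one text secret and one binary blob that is not valid UTF-8.
SAMPLE_SECRETS = {
  "myorg:variable:db/password"      => "s3cret",
  "myorg:variable:tls/keystore.p12" => "\x30\x82\x01\xFF\xFE".b # constructed binary bytes
}.freeze

# True when the bytes form valid UTF-8 and can therefore be emitted as JSON.
def utf8?(value)
  value.dup.force_encoding(Encoding::UTF_8).valid_encoding?
end

# Hypothetical batch handler modelled on the changelog: returns [status, body].
# With `Accept: base64` every value is Base64-encoded so binary data survives
# JSON. Without it, a value that is not valid UTF-8 cannot be serialised, and
# the 500 carries a message naming the cause and the offending IDs instead of
# a bare internal error.
def batch_secrets_response(secrets, accept_header = nil)
  if accept_header.to_s.strip.casecmp?("base64")
    encoded = secrets.transform_values { |v| Base64.strict_encode64(v) }
    return [200, JSON.generate(encoded)]
  end

  unencodable = secrets.keys.reject { |id| utf8?(secrets[id]) }
  unless unencodable.empty?
    return [500, JSON.generate(
      "error" => {
        "code"    => "internal_server_error",
        "message" => "Issue encoding secret into JSON format. " \
                     "Retrieve binary secrets with the 'Accept: base64' header.",
        "details" => unencodable.map { |id| { "id" => id } }
      }
    )]
  end

  [200, JSON.generate(secrets)]
end

# Client side: decode a Base64 batch response back to raw secret bytes.
def decode_batch(body)
  JSON.parse(body).transform_values { |v| Base64.strict_decode64(v) }
end
```

Clients that store certificates, keystores or other binary material in Conjur should send the header unconditionally and decode every value; the cost is a few percent of extra payload, and it removes the case where one binary variable fails an otherwise valid batch.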

Security

  • Kubernetes authenticator certificate injection process now performs certificate
    verification to prevent MitM attacks.
    Security Bulletin
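
What "certificate verification" has to mean for a client that talks to a TLS peer, as an added Ruby illustration (not the project's injection code, whose details are in the linked bulletin): the certificates, the CA names and the hostname kubernetes.default.svc are constructed fixtures for this example. A peer certificate is accepted only if it chains to the CA the client already trusts and is issued for the host the client intended to reach; a certificate for the same name signed by any other CA, even one that copies the trusted CA's subject name, is rejected, which is exactly the MitM case.

```ruby
require "openssl"

# Fixture builder (constructed for this example): issues a certificate for
# `subject`, self-signed when `issuer` is nil, otherwise signed by the given
# [issuer_cert, issuer_key] pair. `san` is the DNS name the leaf is valid for.
def issue_cert(subject:, key:, serial:, issuer: nil, ca: false, san: nil)
  issuer_cert, issuer_key = issuer || [nil, key]
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{san}", false)) if san
  cert.sign(issuer_key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Builds the trusted cluster CA, an API-server certificate it issued, and a
# "MitM" certificate for the same hostname issued by a rogue CA that even
# reuses the trusted CA's subject name.
def build_fixtures(hostname = "kubernetes.default.svc")
  ca_key    = OpenSSL::PKey::RSA.new(2048)
  leaf_key  = OpenSSL::PKey::RSA.new(2048)
  rogue_key = OpenSSL::PKey::RSA.new(2048)
  cluster_ca = issue_cert(subject: "/CN=cluster-ca", key: ca_key, serial: 1, ca: true)
  api_server = issue_cert(subject: "/CN=#{hostname}", key: leaf_key, serial: 2,
                          issuer: [cluster_ca, ca_key], san: hostname)
  rogue_ca = issue_cert(subject: "/CN=cluster-ca", key: rogue_key, serial: 1, ca: true)
  mitm = issue_cert(subject: "/CN=#{hostname}", key: leaf_key, serial: 2,
                    issuer: [rogue_ca, rogue_key], san: hostname)
  { cluster_ca: cluster_ca, api_server: api_server, mitm: mitm }
end

# The two checks a client must pass before trusting the peer: the chain ends
# at the CA we trust, and the certificate is issued for the host we meant to
# reach. Returns [ok, reason].
def verify_peer(peer_cert, trusted_ca, expected_hostname)
  store = OpenSSL::X509::Store.new
  store.add_cert(trusted_ca)
  return [false, "chain: #{store.error_string}"] unless store.verify(peer_cert)
  unless OpenSSL::SSL.verify_certificate_identity(peer_cert, expected_hostname)
    return [false, "identity: certificate is not issued for #{expected_hostname}"]
  end
  [true, "ok"]
end

# The same policy as an SSLContext for a live connection: VERIFY_PEER against
# an explicit CA store plus hostname checking. VERIFY_NONE, the setting that
# lets a MitM present any certificate, is what must never be used here.
def verified_tls_context(trusted_ca)
  ctx = OpenSSL::SSL::SSLContext.new
  store = OpenSSL::X509::Store.new
  store.add_cert(trusted_ca)
  ctx.cert_store = store
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.verify_hostname = true
  ctx
end
```

The rogue CA in the fixtures carries the same subject name as the real one on purpose: a store lookup by issuer name finds the trusted CA, the signature check then fails, and that failure, not the name, is what stops the attack.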

v1.11.1

19 Nov 23:20
a1ae8c2

Change log

Added

  • UBI-based Conjur image to support Conjur server running on OpenShift. Image
    will be published to RedHat Container Registry.
    cyberark/conjur#1883

v1.11.0

19 Nov 17:38
ea42574

Added

  • GCP authenticator (authn-gcp) supports authenticating from Google Cloud Function (GCF)
    using a GCE instance identity token. See design
    for details. cyberark/conjur#1804

Changed

  • Conjur now raises an ExecCommandError instead of a CertInstallationError
    when it fails to install the client certificate during authn-k8s.
    cyberark/conjur#1860

Fixed

  • Conjur now raises an Unauthorized error when a user attempts to rotate the API key of a
    nonexistent role. Previously, the operation would result in a successful rotation of the
    existing user's API key, with no indication that the target of the operation had changed.
    cyberark/conjur#1914

Security

v1.10.0

16 Oct 17:42
19676fc

Added

  • Documentation explaining how to upgrade a Conjur server deployed in a
    Docker Compose environment. cyberark/conjur#1528, cyberark/conjur#1584
  • When Conjur starts, we now convert blank environment variables to nil. This ensures we treat empty environment values as
    if the environment variable is not present, rather than attempting to use the empty string value. cyberark/conjur#1841

Changed

  • The "inject_client_cert" request now returns 202 Accepted instead of 200 OK to
    indicate that the cert injection has started but not necessarily completed.
    cyberark/conjur#1848

Fixed

  • Conjur now verifies that the Kubernetes Authenticator variables exist and have a value before
    retrieving them, so that a proper error is raised if they do not.
    cyberark/conjur#1315

v1.9.0

16 Oct 15:22
Pre-release

Added

  • Hosts can authenticate from Google Compute Engine (GCE) instances using a GCE instance
    identity token. See design
    for details (cyberark/conjur#1711).
  • New /whoami API endpoint for improved supportability and debugging for access
    tokens and client IP address determination. cyberark/conjur#1697
  • TRUSTED_PROXIES is validated at Conjur startup to ensure that it contains
    valid IP addresses and/or address ranges in CIDR notation.
    cyberark/conjur#1727
  • The /authenticate endpoint now returns a text/plain base64 encoded access token
    if the Accept-Encoding request header includes base64.
    cyberark/conjur#151

Changed

  • The Conjur server request logs now record the same IP address that the audit
    logs and the restricted_to network authentication filters use.
    cyberark/conjur#1719
  • Conjur now only trusts 127.0.0.1 to send the X-Forwarded-For header by
    default. Additional trusted IP addresses may be added with the TRUSTED_PROXIES
    environment variable. cyberark/conjur#1725
  • Invalid CIDR notation in restricted_to now returns a policy validation
    error, rather than an internal server error.
    cyberark/conjur#1763

Fixed

  • The TRUSTED_PROXIES environment variable works correctly again after the
    Rails 5 upgrade. It lists the proxy IP addresses trusted to set the
    X-Forwarded-For HTTP header, which is used to identify the true client IP address of a request.
    cyberark/conjur#1689
  • A new database migration step updates the fingerprints in slosilo. The FIPS compliance
    update in v1.8.0 caused the previous fingerprints to be invalid.
    cyberark/conjur#1584
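
The TRUSTED_PROXIES, X-Forwarded-For and CIDR validation items above, as one added Ruby illustration that is not Conjur's own implementation: the helper names, the error wording and the sample addresses are constructed for this example. It shows the two properties that matter for security: an entry list is rejected at startup on the first invalid address or range (the same parsing serves a policy's restricted_to list), and X-Forwarded-For is only believed when the direct peer is a trusted proxy, read right-to-left, so a client cannot pick its own address by prepending entries to the header.

```ruby
require "ipaddr"

# Loopback is trusted by default; everything else must come from TRUSTED_PROXIES.
DEFAULT_TRUSTED_PROXIES = ["127.0.0.1"].freeze

# Parses a comma-separated list of IP addresses / CIDR ranges into IPAddr
# objects, raising a descriptive error for the first invalid entry. `setting`
# names the source (TRUSTED_PROXIES, restricted_to, ...) in the message.
# Hypothetical helper, not the project's own code.
def parse_cidr_list(value, setting)
  value.to_s.split(",").map(&:strip).reject(&:empty?).map do |entry|
    begin
      IPAddr.new(entry)
    rescue IPAddr::Error => e
      raise ArgumentError,
            "#{setting}: #{entry.inspect} is not a valid IP address or CIDR range (#{e.message})"
    end
  end
end

# Startup validation of the environment variable; the default is always included.
def parse_trusted_proxies(env_value)
  parse_cidr_list(DEFAULT_TRUSTED_PROXIES.join(","), "TRUSTED_PROXIES") +
    parse_cidr_list(env_value, "TRUSTED_PROXIES")
end

def trusted?(addr, trusted)
  trusted.any? { |range| range.include?(addr) }
end

def safe_ipaddr(text)
  IPAddr.new(text.to_s.strip)
rescue IPAddr::Error
  nil
end

# Client IP determination. X-Forwarded-For is consulted only when the direct
# peer (REMOTE_ADDR) is itself a trusted proxy; the header is then walked from
# the right, skipping trusted hops, and the first untrusted hop is the client.
# If every hop is trusted, or the header is unusable, the peer address stands.
def client_ip(remote_addr, x_forwarded_for, trusted)
  peer = safe_ipaddr(remote_addr)
  return remote_addr if peer.nil? || !trusted?(peer, trusted)

  x_forwarded_for.to_s.split(",").reverse_each do |hop|
    addr = safe_ipaddr(hop)
    next if addr.nil?
    return addr.to_s unless trusted?(addr, trusted)
  end
  remote_addr
end
```

The address this function returns is the one that should feed both the audit record and any restricted_to check, so that the two never disagree about who made the request.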

Security

  • Replaces string comparison with Secure Compare to prevent timing attacks against
    the API authentication endpoint. Security Bulletin
  • Roles must use basic authentication to rotate their own API key, and can no longer
    rotate their API key using only an access token. Security Bulletin
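
The timing-attack fix above, as an added Ruby illustration that is not the project's code: the credential table, the logins and the API key values are constructed for this example. It places the vulnerable pattern (a plain String#== that returns at the first mismatching byte) beside a constant-time comparison that hashes both sides to a fixed length and then examines every byte, and uses the latter in a small authenticate function that also takes the same time for unknown logins.

```ruby
require "openssl"

# Vulnerable pattern: String#== stops at the first mismatching byte, so the
# response time leaks how many leading bytes of the guess are correct and an
# attacker can recover the key one byte at a time.
def insecure_match?(presented, stored)
  presented == stored
end

# Constant-time comparison. Both inputs are first hashed to a fixed length, so
# neither the secret's length nor its content changes the work done; the loop
# then XORs every byte and ORs the differences together, never exiting early.
# Equal digests imply equal inputs (SHA-256 collision resistance).
def secure_compare(a, b)
  return false if a.nil? || b.nil?
  da = OpenSSL::Digest.new("SHA256").digest(a.to_s)
  db = OpenSSL::Digest.new("SHA256").digest(b.to_s)
  diff = 0
  da.bytes.zip(db.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Constructed credential store: login => API key (hypothetical values).
CREDENTIALS = {
  "host/app-1" => "2wxp5a3v1q4hk9",
  "alice"      => "c8f4e1b0zz7mn2"
}.freeze

# Compared against when the login is unknown, so "no such role" and "wrong
# key" cost the same and the endpoint does not reveal which logins exist.
DUMMY_KEY = "0" * 14

def authenticate?(login, presented_key)
  stored = CREDENTIALS[login]
  match = secure_compare(presented_key, stored || DUMMY_KEY)
  match && !stored.nil?
end
```

Where the openssl gem is recent enough (2.2 and later), OpenSSL.fixed_length_secure_compare and OpenSSL.secure_compare do the same job in C and are preferable to a hand-written loop; the shape of the check, hash to fixed length then compare without early exit, is the point.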

v1.8.1

15 Jul 18:22
Pre-release

Fixed

v1.8.0

10 Jul 21:27
Pre-release

Changed

  • Use OpenSSL 1.0.2u to support FIPS compliance.
    cyberark/conjur#1527
  • Conjur can be configured to run in FIPS compliant or non-FIPS compliant mode depending on requirements.
    FIPS compliant mode is slightly slower than non-FIPS compliant mode.
    cyberark/conjur#1527
  • Bump conjur-rack from 4.0.0 to 4.2.0, which consumes the FIPS compliant slosilo.
    cyberark/conjur#1527
  • Login and authentication errors are now logged at INFO level.
    cyberark/conjur#1377
  • A proper message is now returned when the user does not exist in an authn or login
    request to the default authenticator.
    cyberark/conjur#1655

Added

  • Password changes (PUT /authn/:account/password) now produce audit events with
    message ID password. cyberark/conjur#1548
  • API key rotations (PUT /:authenticator/:account/api_key) now produce audit events with
    message ID api-key. cyberark/conjur#1549
  • All audit events now contain the IP address of the client that initiated the
    API request (e.g. [client@43868 ip="172.24.0.5"]).
    cyberark/conjur#1550
  • Print Conjur server FIPS mode status. cyberark/conjur#1654

Security

v1.7.4

15 Jul 18:18
Pre-release

Fixed

  • The default content type for requests is now set at the beginning of the
    Rack middleware chain, so that the content type is available for
    subsequent middleware (cyberark/conjur#1622)
  • The default content type middleware now correctly checks for the
    absence of the Content-Type header
    (cyberark/conjur#1622)
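
The two middleware fixes above, as an added Ruby illustration that is not the project's middleware: the class names, the default media type and the downstream JSON check are constructed for this example. It shows why the default must be applied at the start of the Rack chain (a later middleware that reads the content type otherwise never sees it) and what "checks for the absence of the header" means in Rack terms, where the request header surfaces as env["CONTENT_TYPE"].

```ruby
# Hypothetical Rack middleware that supplies a default Content-Type when the
# request carries none. Rack exposes the header as env["CONTENT_TYPE"]; the
# condition is that the key is missing or blank, not that any particular
# value is present.
class DefaultContentType
  DEFAULT = "application/json".freeze

  def initialize(app, default: DEFAULT)
    @app = app
    @default = default
  end

  def call(env)
    env["CONTENT_TYPE"] = @default if env["CONTENT_TYPE"].to_s.strip.empty?
    @app.call(env)
  end
end

# Downstream middleware that depends on the content type, standing in for
# any later stage (parsing, routing) that needs it to be set already.
class RequireJson
  def initialize(app)
    @app = app
  end

  def call(env)
    unless env["CONTENT_TYPE"].to_s.start_with?("application/json")
      return [415, { "Content-Type" => "text/plain" }, ["unsupported media type"]]
    end
    @app.call(env)
  end
end

# Terminal app: echoes the content type it finally received.
ECHO_APP = ->(env) { [200, { "Content-Type" => "text/plain" }, [env["CONTENT_TYPE"]]] }

# Correct ordering: the default is applied before anything reads the header.
def good_stack
  DefaultContentType.new(RequireJson.new(ECHO_APP))
end

# Wrong ordering: RequireJson runs first and rejects a request the default
# would have made acceptable.
def bad_stack
  RequireJson.new(DefaultContentType.new(ECHO_APP))
end
```

In a config.ru the equivalent of good_stack is listing `use DefaultContentType` before every other `use` line, so the header is normalised once and every later stage can rely on it.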