Releases: cyberark/conjur
v1.20.1
[1.20.1] - 2023-10-13
Fixed
- OIDC Authenticator now writes custom certs to a non-default directory instead
of the system default certificate store.
cyberark/conjur#2988
Added
- Support for the no_proxy & NO_PROXY environment variables for the k8s authenticator.
CNJR-2759
Security
- Upgrade google/cloud-sdk in ci/test_suites/authenticators_k8s/dev/Dockerfile/test
to use latest version (448.0.0)
cyberark/conjur#2972
v1.20.0
[1.20.0] - 2023-09-21
Fixed
- Allow Factories with optional variables to save without error
cyberark/conjur#2956
- OIDC authenticators support https_proxy and HTTPS_PROXY environment variables
cyberark/conjur#2902
- Support plural syntax for revoke and deny
cyberark/conjur#2901
Added
- Support an optional ca-cert variable for providing custom certs/chains to verify
OIDC providers or proxies when using the OIDC authenticator
cyberark/conjur#2933
- New flag to conjurctl server command called --no-migrate which allows for skipping
the database migration step when starting the server.
cyberark/conjur#2895
- Telemetry support
cyberark/conjur#2854
- Introduces support for Policy Factory, which enables resource creation
through a new factories API.
cyberark/conjur#2855
- Use base images with newer Ubuntu and UBI.
Display FIPS Mode status in the UI (requires temporary fix for OpenSSL gem).
cyberark/conjur#2874
Changed
- The database thread pool max connection size is now based on the number of
web worker threads per process, rather than an arbitrary fixed number. This
mitigates the possibility of a web worker becoming starved while waiting for
a connection to become available.
cyberark/conjur#2875
- Changed base-image tagging strategy
cyberark/conjur#2926
Fixed
- Support Authn-IAM regional requests when host value is missing from signed headers.
cyberark/conjur#2827
Security
- Support plural syntax for revoke and deny
cyberark/conjur#2901
- Previously, attempting to add and remove a privilege in the same policy load
resulted in only the positive privilege (grant, permit) taking effect. Now we
fail safe and the negative privilege statement (revoke, deny) is the final
outcome.
cyberark/conjur#2907
- Update puma to 6.3.1 to address CVE-2023-40175.
cyberark/conjur#2925
v1.19.6
[1.19.6] - 2023-07-05
Fixed
- Support Authn-IAM regional requests when host value is missing from signed headers.
cyberark/conjur#2827
v0.0.5
[0.0.5] - 2023-07-17
Security
- Use newer base images with Ubuntu 22.04, Ruby 3.2 and OpenSSL 3
cyberark/conjur#2827
v1.19.3.1
[1.19.3.1] - 2023-07-12
Security
- Update bundler to 2.2.33 to remove CVE-2021-43809
cyberark/conjur#2804
v1.19.5
[1.19.5] - 2023-06-29
Security
- Update bundler to 2.2.33 to remove CVE-2021-43809
cyberark/conjur#2804
Fixed
- AuthnJWT now supports claims that include hyphens and inline namespaces.
cyberark/conjur#2792
- Authn-IAM now uses the host in the signed headers to determine which STS endpoint
(global or regional) to use for validation.
Changed
- OIDC tokens will now have a default ttl of 60 mins
cyberark/conjur#2800
v1.19.3
[1.19.3] - 2023-04-17
Added
- Conjur now logs when it detects that the Conjur configuration file
(conjur.yml) or directory permissions prevent the Conjur server from
successfully reading it. Conjur also now logs at the DEBUG level when it
detects that either the directory or file do not exist.
cyberark/conjur#2715
- Account admin roles now have a corresponding resource. This ensures that
access controls work as expected for this role to access itself.
cyberark/conjur#2757
Changed
- Removes support for disabling the CONJUR_FEATURE_PKCE_SUPPORT_ENABLED flag.
cyberark/conjur#2713
- Routes on the /roles/ API endpoints now correctly verify the existence of
a Role and return 404 when it doesn't exist or the caller has insufficient
privilege.
cyberark/conjur#2755
Fixed
- Fixed a thread-safety bug in secret retrieval when multiple threads attempt
to decrypt a secret value with Slosilo/OpenSSL.
cyberark/slosilo#31
cyberark/conjur#2718
- Incomplete HTTP proxy support in the Kubernetes Authenticator is fixed. This
allows for an HTTP proxy between Conjur and the Kubernetes API.
cyberark/conjur#2766
Security
- Updated github-pages version in docs/Gemfile to allow upgrading activesupport
to v7.0.4.2 to resolve CVE-2022-22796
cyberark/conjur#2729
- Upgraded rack to v2.2.6.3 to resolve CVE-2023-27530
cyberark/conjur#2739
- Upgraded rack to v2.2.6.4 to resolve CVE-2023-27539
cyberark/conjur#2750
- Updated nokogiri to 1.14.3 for CVE-2023-29469 and CVE-2023-28484 and rails to
6.1.7.3 for CVE-2023-28120 in Gemfile.lock, nokogiri to 1.1.4.3 for CVE-2023-29469
and commonmarker to 0.23.9 for CVE-2023-24824 and CVE-2023-26485 in docs/Gemfile.lock
(all Medium severity issues flagged by Dependabot)
cyberark/conjur#2776
v1.19.2
[1.19.2] - 2022-01-13
Fixed
- Previously, including limit or offset parameters to a resource list request
resulted in the returned list being unexpectedly sorted. Now, all resource list
request results are sorted by resource ID.
cyberark/conjur#2702
Security
- Upgraded Rails to 6.1.7.1 to resolve CVE-2023-22794 (not vulnerable)
cyberark/conjur#2703
v1.19.1
[1.19.1] - 2022-12-08
Security
- Update loofah to 2.19.1 for CVE-2022-23514, CVE-2022-23515 and CVE-2022-23516 (all Not Vulnerable)
and rails-html-sanitizer to 1.4.4 for CVE-2022-23517, CVE-2022-23518, CVE-2022-23519, and CVE-2022-23520 (Not vulnerable)
cyberark/conjur#2686
- Updated nokogiri in root and docs Gemfile.lock files to resolve GHSA-qv4q-mr5r-qprj
cyberark/conjur#2684
Fixed
- Previously, if an OIDC authenticator was configured with a Status webservice,
the OIDC provider endpoint would include duplicate OIDC authenticators. This change resolves ONYX-25530.
cyberark/conjur#2678
- Allows V2 OIDC authenticators to be checked through the authenticator status
endpoint. This change resolves ONYX-25531.
cyberark/conjur#2692
- Previously, if an OIDC provider endpoint was incorrect, the provider list endpoint
would raise an exception. This change resolves ONYX-30387
cyberark/conjur#2688
Added
- Provides support for PKCE in the OIDC Authenticator code redirect workflow.
This is enabled by default. If needed, it can be disabled using the
CONJUR_FEATURE_PKCE_SUPPORT_ENABLED feature flag.
cyberark/conjur#2678
- OIDC Authenticator can now be configured to distribute access tokens with a
custom time-to-live.
cyberark/conjur#2683
- List members request (GET /roles/conjur/{kind}/{identifier}?members) now produces audit events.
cyberark/conjur#2691
- Show resource request (GET /resources/:account/:kind/*identifier) now produces audit events.
cyberark/conjur#2695
- List memberships request (GET /roles/:account/:kind/*identifier?memberships) now produces audit events.
cyberark/conjur#2693
v1.19.0
[1.19.0] - 2022-11-29
Added
- Conjur policy loads can now emit callbacks to extensions on policy
load lifecycle events (e.g. before/after policy load). This is disabled
by default, but is available under the CONJUR_FEATURE_POLICY_LOAD_EXTENSIONS
feature flag.
cyberark/conjur#2671
- Conjur roles API can now emit callbacks to extensions on member add and
remove events (e.g. before/after add member). This is disabled by default,
but is available under the CONJUR_FEATURE_ROLES_API_EXTENSIONS feature flag.
cyberark/conjur#2671
Security
- Updated nokogiri in root and docs Gemfile.lock files to resolve GHSA-2qc6-mcvw-92cw
cyberark/conjur#2670