UAA 3.18.0 Release Notes

This is a security release addressing the following issues

• CVE-2017-4992: Privilege escalation with user invitations (high severity)

UAA 3.6.11 Release Notes

This is a security release addressing the following issues

• CVE-2017-4992: Privilege escalation with user invitations (high severity)

UAA 4.1.0 Release Notes

This is a security release addressing the following issues

• CVE-2017-4991: UAA password reset vulnerability (high severity)

UAA 3.17.0 Release Notes

This is a security release addressing the following issues

• CVE-2017-4991: UAA password reset vulnerability (high severity)

UAA 3.9.12 Release Notes

This is a security release addressing the following issues

• CVE-2017-4991: UAA password reset vulnerability (high severity)

UAA 3.6.10 Release Notes

This is a security release addressing the following issues

• CVE-2017-4991: UAA password reset vulnerability (high severity)

UAA 2.7.4.16 Release Notes

This is a security release addressing the following issues

• CVE-2017-4991: UAA password reset vulnerability (high severity)

UAA 4.0.0 Release Notes

Known issues

• Please note that Create Account flow causes infinite redirect loop. This is addressed in 4.2.0
• /check_token fails with GET request. This is addressed in 4.2.0

Breaking Changes

Auth Redirect URI is now a required field for OAuth Clients of type authorization
_code and implicit. Existing OAuth Clients which don't have this set will get an error when accessing the /oauth/authorize end point. The auth redirect uri should follow the pattern below:

• start with http or https

• subdomain regex is not supported in the last two parts of the base domain.

  • https://*.apps.com is supported
  • https://*.apps.com* not supported
  • https://*.apps*.com* not supported

• Enforce redirectURI as a required parameter for Clients

• At client access time, throw error if client does not have valid redirect_uri

New Features

• SAML SP Key Rotation
• SAML IDP Key Rotation
• Display Previous Logon Information in the Footer of the authenticated UAA Pages.
• Introduce global settings for links section and allow specifying variables
• OAuth Client Required User Groups
• Improve approvals to use user_id and client_id
• Provide the ability for users/clients in a zone to manage a zone
• Update disableSelfServiceLinks Behavior
• Provide the ability to delete users via the UAA manifest

Bug Fixes

• Token signing keys are still improperly encoded
• https://www.pivotaltracker.com/story/show/144964151
• Delete a zone, can delete client approvals for another client in another zone
• Add missing identity_zone_id column
• add filter to POST /Groups/

Pull Requests

• Change getAuthorities to reduce number of executed SQL-Statements
• Fix can not expand zones.internal.hostnames using domain property
• Fix issue with ca certs cache during pre-start
• Feature/replace caching idp metadata manager
• Fix for #599. Don't overwrite jvmArgs when running in debug mode locally.
• Add index on zone_id column for the table revocable_tokens
• Support long scopes 3.12.0

Library Updates

• Spring Security Oauth 2.0.12.RELEASE

UAA 3.16.0 Release Notes

This is a security release addressing the following issues

• CVE-2017-4974: Blind SQL Injection with privileged UAA endpoints (high severity)

UAA 3.9.11 Release Notes

This is a security release addressing the following issues

• CVE-2017-4974: Blind SQL Injection with privileged UAA endpoints (high severity)