v1.9.0
Pre-release
Added
- Hosts can authenticate from Google Compute Engine (GCE) using a GCE instance identity token. See design for details (cyberark/conjur#1711).
- New /whoami API endpoint for improved supportability and debugging for access tokens and client IP address determination. cyberark/conjur#1697
- TRUSTED_PROXIES is validated at Conjur startup to ensure that it contains valid IP addresses and/or address ranges in CIDR notation. cyberark/conjur#1727
- The /authenticate endpoint now returns a text/plain base64 encoded access token if the Accept-Encoding request header includes base64. cyberark/conjur#151
Changed
- The Conjur server request logs now record the same IP address used by audit logs and network authentication filters with the restricted_to attribute. cyberark/conjur#1719
- Conjur now only trusts 127.0.0.1 to send the X-Forwarded-For header by default. Additional trusted IP addresses may be added with the TRUSTED_PROXIES environment variable. cyberark/conjur#1725
- Invalid CIDR notation in restricted_to now returns a policy validation error, rather than an internal server error. cyberark/conjur#1763
Fixed
- The TRUSTED_PROXIES environment variable now works correctly again after the Rails 5 upgrade. This is to indicate trusted proxy IP addresses when using the X-Forwarded-For HTTP header to identify the true client IP address of a request. cyberark/conjur#1689
- A new database migration step updates the fingerprints in slosilo. The FIPS compliance update in v1.8.0 caused the previous fingerprints to be invalid. cyberark/conjur#1584
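
The TRUSTED_PROXIES and X-Forwarded-For entries above describe one behaviour: validate the proxy list at startup, then believe the header only when it arrives from a trusted address. The Ruby below is an added example of that logic, not Conjur's own code; the helper names, the comma-separated list format and the sample addresses are assumptions made for illustration.

```ruby
require 'ipaddr'

# Hypothetical helpers for illustration; not part of Conjur.
DEFAULT_TRUSTED = ['127.0.0.1'].freeze # the default stated in these notes

# Return an IPAddr, or nil when the text is not a valid address or range.
def parse_ip(text)
  s = text.to_s.strip
  s.empty? ? nil : IPAddr.new(s)
rescue IPAddr::Error
  nil
end

# Build the trusted set from a TRUSTED_PROXIES-style value (comma-separated
# here, which is an assumption). Raises on the first invalid entry so a typo
# stops startup instead of silently changing which peers are trusted.
def trusted_networks(env_value)
  extra = env_value.to_s.split(',').map(&:strip).reject(&:empty?)
  (DEFAULT_TRUSTED + extra).map do |entry|
    parse_ip(entry) or raise ArgumentError, "invalid TRUSTED_PROXIES entry: #{entry.inspect}"
  end
end

def trusted?(text, networks)
  ip = parse_ip(text)
  !ip.nil? && networks.any? { |net| net.include?(ip) }
end

# Resolve the client address. X-Forwarded-For is read only when the TCP peer
# is trusted; hops are then walked right to left, and the first hop that is
# not a trusted proxy is the client. Anything further left is client-supplied.
def client_ip(remote_addr, forwarded_for, networks)
  sender = remote_addr
  return sender unless trusted?(sender, networks)

  hops = forwarded_for.to_s.split(',').map(&:strip).reject(&:empty?)
  hops.reverse_each do |hop|
    return sender if parse_ip(hop).nil? # malformed hop: stop at its sender
    return hop unless trusted?(hop, networks)
    sender = hop
  end
  sender
end

if __FILE__ == $PROGRAM_NAME # constructed sample requests
  nets = trusted_networks('10.0.0.0/24')
  puts client_ip('203.0.113.9', '192.0.2.1', nets)             # header ignored
  puts client_ip('127.0.0.1', '198.51.100.7, 10.0.0.5', nets)  # proxied request
end
```

The resolved address is the one that request logs, audit logs and restricted_to checks should all share, which is why an over-broad trusted range weakens every IP-based restriction at once.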
Security
- Replaces string comparison with Secure Compare to prevent timing attacks against the API authentication endpoint. Security Bulletin
- Roles must use basic authentication to rotate their own API key, and can no longer rotate their API key using only an access token. Security Bulletin