
v1.9.0

@micahlee micahlee released this 16 Oct 15:22
v1.9.0

Added

  • Hosts can authenticate from Google Compute Engine (GCE) instances using a GCE
    instance identity token. See the design document for details
    (cyberark/conjur#1711).
  • New /whoami API endpoint for improved supportability and debugging for access
    tokens and client IP address determination. cyberark/conjur#1697
  • TRUSTED_PROXIES is validated at Conjur startup to ensure that it contains
    valid IP addresses and/or address ranges in CIDR notation.
    cyberark/conjur#1727
  • The /authenticate endpoint now returns a text/plain base64 encoded access token
    if the Accept-Encoding request header includes base64.
    cyberark/conjur#151

Changed

  • The Conjur server request logs now record the same client IP address that the
    audit logs and the network authentication filters (the restricted_to attribute)
    use. cyberark/conjur#1719
  • Conjur now only trusts 127.0.0.1 to send the X-Forwarded-For header by
    default. Additional trusted IP addresses may be added with the TRUSTED_PROXIES
    environment variable. cyberark/conjur#1725
  • Invalid CIDR notation in restricted_to now returns a policy validation
    error, rather than an internal server error.
    cyberark/conjur#1763

Fixed

  • The TRUSTED_PROXIES environment variable works correctly again after the
    Rails 5 upgrade. It lists the trusted proxy IP addresses that are consulted when
    the X-Forwarded-For HTTP header is used to identify the true client IP address
    of a request. cyberark/conjur#1689
  • A new database migration step updates the fingerprints in slosilo. The FIPS compliance
    update in v1.8.0 caused the previous fingerprints to be invalid.
    cyberark/conjur#1584
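The Changed and Fixed entries above describe two related mechanisms: TRUSTED_PROXIES is parsed and validated at startup (single addresses or CIDR ranges, default 127.0.0.1), and the X-Forwarded-For header is only honoured when the directly connected peer is a trusted proxy. The following Ruby is an added illustration of that behaviour and is not Conjur's own code; the helper names parse_trusted_proxies, client_ip and the InvalidTrustedProxies error are assumptions, and the sample addresses are constructed documentation ranges.

```ruby
require 'ipaddr'

# Hypothetical helpers (not Conjur's code) illustrating TRUSTED_PROXIES handling.
DEFAULT_TRUSTED_PROXIES = ['127.0.0.1'].freeze

class InvalidTrustedProxies < StandardError; end

# Parse the comma-separated TRUSTED_PROXIES value into IPAddr objects.
# Each entry must be a valid IP address or a CIDR range; anything else is
# rejected at startup instead of silently disabling the proxy check.
def parse_trusted_proxies(env_value)
  entries = (env_value || '').split(',').map(&:strip).reject(&:empty?)
  entries = DEFAULT_TRUSTED_PROXIES if entries.empty?
  entries.map do |entry|
    begin
      IPAddr.new(entry) # accepts "10.1.2.3" as well as "10.0.0.0/8"
    rescue IPAddr::Error, ArgumentError
      raise InvalidTrustedProxies, "invalid TRUSTED_PROXIES entry: #{entry.inspect}"
    end
  end
end

# True when +ip+ falls inside any trusted address or range (same address family only).
def trusted?(ip, trusted_proxies)
  trusted_proxies.any? { |range| range.family == ip.family && range.include?(ip) }
end

# Determine the true client IP for a request.
#   remote_addr     - the TCP peer address (REMOTE_ADDR)
#   x_forwarded_for - the raw X-Forwarded-For header value, or nil
# Walk the chain from the right (nearest hop first); the first hop that is not a
# trusted proxy is the client. If the peer itself is untrusted, the header is
# ignored entirely, because an untrusted peer can write anything into it.
def client_ip(remote_addr, x_forwarded_for, trusted_proxies)
  return remote_addr unless trusted?(IPAddr.new(remote_addr), trusted_proxies)

  hops = (x_forwarded_for || '').split(',').map(&:strip).reject(&:empty?)
  hops.reverse_each do |hop|
    begin
      ip = IPAddr.new(hop)
    rescue IPAddr::Error, ArgumentError
      # An unparseable hop cannot be a trusted proxy, so nothing to its left can be
      # believed either; fall back to the only address we actually observed.
      return remote_addr
    end
    return hop unless trusted?(ip, trusted_proxies)
  end

  # Header absent, or every listed hop is a trusted proxy.
  remote_addr
end

if __FILE__ == $PROGRAM_NAME
  proxies = parse_trusted_proxies(ENV['TRUSTED_PROXIES'])
  # Constructed sample: request arrives via the local proxy with a two-hop header.
  puts client_ip('127.0.0.1', '198.51.100.7, 10.1.2.3', proxies)
end
```

With the default configuration, the rightmost hop 10.1.2.3 is reported as the client; only after adding 10.0.0.0/8 to TRUSTED_PROXIES does the walk continue to 198.51.100.7. A request whose peer is not a trusted proxy always yields the peer address, whatever the header says.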

Security

  • Replaces string comparison with Secure Compare to prevent timing attacks against
    the API authentication endpoint. Security Bulletin
  • Roles must use basic authentication to rotate their own API key, and can no longer
    rotate their API key using only an access token. Security Bulletin
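The first Security entry replaces a plain string comparison with a secure compare. The Ruby below is an added example, not Conjur's code or the fix referenced in the bulletin: it shows the vulnerable pattern beside a hardened one. The hardened version hashes both values to a fixed length and then compares every byte regardless of where the first mismatch occurs, which is the same approach Rails' ActiveSupport::SecurityUtils.secure_compare takes; the method names are assumptions.

```ruby
require 'digest'

# Vulnerable pattern: String#== returns as soon as a byte differs (or when the
# lengths differ), so the time taken depends on how much of the secret matched.
def insecure_match?(presented, stored)
  presented == stored
end

# Constant-time equality for two byte strings of equal length. The XOR of every
# byte pair is OR-accumulated, so the loop always runs to the end and the result
# is only known after all bytes have been examined.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize

  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Hardened pattern: digest both sides first so the compared strings always have
# the same length (the length of the real secret is not leaked through the early
# return above), then compare the digests in constant time.
def secure_match?(presented, stored)
  constant_time_equal?(
    Digest::SHA256.digest(presented.to_s),
    Digest::SHA256.digest(stored.to_s)
  )
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values; a real stored API key would come from the datastore.
  stored = 'constructed-sample-api-key'
  puts secure_match?('constructed-sample-api-key', stored)   # true
  puts secure_match?('constructed-sample-api-kez', stored)   # false
end
```

Digesting first also means the comparison cost no longer depends on the length of the presented value, so a caller cannot learn the stored key's length from timing either.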