v1.11.3

Change log

Fixed

• Conjur now raises a new ServiceIdMissing error if the service-id param is
  missing in an authentication request for the OIDC authenticator.
  cyberark/conjur#2004

Changed

• Conjur now raises a RoleNotFound error when trying to authenticate a
  non-existing host in authn-k8s.
  cyberark/conjur#2046

v1.11.2

Added

• New edge-tagged images are published to DockerHub on every master branch
  build.
  cyberark/conjur#1617

Changed

• Conjur images are updated to use pinned versions of the public base images.
  Users can now determine exactly which dependencies in the
  Conjur Base Image project
  are included in their Conjur image.
  cyberark/conjur#1974
• Messages for password change now have the field role instead of user under subject
  cyberark/conjur#2014
• When batch secret requests are sent with an Accept: base64 header, the secret
  values in the response will all be Base64-encoded. Sending requests with this
  header allows users to retrieve binary secrets encoded in Base64.
  cyberark/conjur#1962
• Conjur now verifies that the offset parameter is a valid integer value.
  The GET /resources request will fail if offset is not an integer greater
  than or equal to 0.
  cyberark/conjur#1997

Fixed

• Requests with empty body and application/json Content-Type Header will now
  return 400 error instead of 500 error.
  cyberark/conjur#1968
• Policy loading no longer fails when attempting to update the annotation
  search index for a resource that no longer exists.
  cyberark/conjur#1948
• Audit engine routing now correctly matches URLs that include a period (.)
  in the resource ID.
  cyberark/conjur#2001
• Attempts to retrieve binary secret data in a batch request without using
  the Accept: base64 header now returns a message explaining that improper
  secret encoding is the cause of the 500 response.
  cyberark/conjur#1962
• GET /resources request with non-numeric delimiter (limit or offset) now
  returns Error 422 Unprocessable Entity instead of Error 500.
  cyberark/conjur#1997
• POST /host_factory_tokens request with invalid ip address or CIDR range of
  cidr parameter now returns Error 422 Unprocessable Entity instead of Error 500.
  cyberark/conjur#2011

Security

• Kubernetes authenticator certificate injection process now performs certificate
  verification to prevent MitM attacks.
  Security Bulletin

v1.11.1

Change log

Added

• UBI-based Conjur image to support Conjur server running on OpenShift. Image
  will be published to RedHat Container Registry.
  cyberark/conjur#1883

v1.11.0

Added

• GCP authenticator (authn-gcp) supports authenticating from Google Cloud Function (GCF)
  using a GCE instance identity token. See design
  for details. cyberark/conjur#1804

Changed

• Conjur now raises an ExecCommandError error instead of a CertInstallationError
  error in case it failed to install the client certificate during authn-k8s.
  cyberark/conjur#1860

Fixed

• Conjur now raises an Unauthorized error when a user attempts to rotate the API key of a
  nonexistent role. Previously, the operation would result in a successful rotation of the
  existing user's API key, with no indication that the target of the operation had changed.
  cybeark/conjur#1914

Security

• Bumped Ruby version from 2.5.1 to 2.5.8 to address
  CVE-2020-10663.
  cyberark/conjur#1906

v1.10.0

Added

• Documentation explaining how to upgrade a Conjur server deployed in a
  Docker Compose environment. cyberark/conjur#1528, cyberark/conjur#1584
• When Conjur starts, we now convert blank environment variables to nil. This ensures we treat empty environment values as
  if the environment variable is not present, rather than attempting to use the empty string value. cyberark/conjur#1841

Changed

• The "inject_client_cert" request now returns 202 Accepted instead of 200 OK to
  indicate that the cert injection has started but not necessarily completed.
  cyberark/conjur#1848

Fixed

• Conjur now verifies that Kubernetes Authenticator variables exist and have value before retrieving them so that a
  proper error will be raised if they aren't.
  cyberark/conjur#1315

v1.9.0

Added

• Hosts can authenticate from Google Compute Engines (GCE) using a GCE instance
  identity token. See design
  for details (cyberark/conjur#1711).
• New /whoami API endpoint for improved supportability and debugging for access
  tokens and client IP address determination. cyberark/conjur#1697
• TRUSTED_PROXIES is validated at Conjur startup to ensure that it contains
  valid IP addresses and/or address ranges in CIDR notation.
  cyberark/conjur#1727
• The /authenticate endpoint now returns a text/plain base64 encoded access token
  if the Accept-Encoding request header includes base64.
  cyberark/conjur#151

Changed

• The Conjur server request logs now records the same IP address used by audit
  logs and network authentication filters with the restricted_to attribute.
  cyberark/conjur#1719
• Conjur now only trusts 127.0.0.1 to send the X-Forwarded-For header by
  default. Additional trusted IP addresses may be added with the TRUSTED_PROXIES
  environment variable. cyberark/conjur#1725
• Invalid CIDR notation in restricted_to now returns a policy validation
  error, rather than an internal server error.
  cyberark/conjur#1763

Fixed

• The TRUSTED_PROXIES environment variable now works correctly again after the
  Rails 5 upgrade. This is to indicate trusted proxy IP addresses when using the
  X-Forwarded-For HTTP header to identity the true client IP address of a request.
  cyberark/conjur#1689
• A new database migration step updates the fingerprints in slosilo. The FIPS compliance
  update in v1.8.0 caused the previous fingerprints to be invalid.
  cyberark/conjur#1584

Security

• Replaces string comparison with Secure Compare to prevent timing attacks against
  the API authentication endpoint. Security Bulletin
• Roles must use basic authentication to rotate their own API key, and can no longer
  rotate their API key using only an access token. Security Bulletin

v1.8.1

Fixed

• Log the OpenSSL FIPS mode after Rails is initialized for both OSS and DAP.
  cyberark/conjur#1684
• Bump conjur-policy-parser so revoke (member) and deny (role)
  can correctly utilize relative paths. cyberark/conjur-policy-parser#23

v1.8.0

Changed

• Use OpenSSL 1.0.2u to support FIPS compliance.
  cyberark/conjur#1527
• Conjur can be configured to run in FIPS compliant or Non-FIPS compliant mode depending on requirements.
  FIPS Compliant mode is slightly slower then non-FIPS compliant.
  cyberark/conjur#1527
• Bump conjur-rack from 4.0.0 to 4.2.0 that consumes FIPS compliant slosilo.
  cyberark/conjur#1527
• Print login and authentication error to the log in INFO level.
  cyberark/conjur#1377
• Print proper message when user does not exist in authn or login request with
  default authenticator.
  cyberark/conjur#1655

Added

• Password changes (PUT /authn/:account/password) now produce audit events with
  message ID password. cyberark/conjur#1548
• API key rotations (PUT /:authenticator/:account/api_key) now produce audit events with
  message ID api-key. cyberark/conjur#1549
• All audit events now contain the IP address of the client that initiated the
  API request (e.g. [client@43868 ip="172.24.0.5"]).
  cyberark/conjur#1550
• Print Conjur server FIPS mode status. cyberark/conjur#1654

Security

• Updated rack to 2.2.3 to resolve CVE-2020-8184. cyberark/conjur#1643

v1.7.4

Fixed

• The default content type for requests is now set at the beginning of the
  Rack middleware chain, so that the content type is available for
  subsequent middleware (cyberark/conjur#1622)
• The default content type middleware now correctly checks for the
  absence of the Content-Type header
  (cyberark/conjur#1622)

v1.7.3

Change log

Fixed

• Host Factory Host creation no longer makes unecessary database queries, causing
  performance issues with large numbers of created hosts
  (cyberark/conjur#1605)