Skip to content

Releases: pivotal/credhub-release

1.0.3

05 Jul 23:29
@pcf-sec-eng-bot pcf-sec-eng-bot
1.0.3
6e6edea
Compare
Choose a tag to compare
1.0.3

Notices

  • The TLS CA of UAA must be provided in the manifest at authentication.uaa.ca_certs prior to deployment

Bug fix

  • Offline JWT token validation now verifies the issuer in addition to the signature (related to CVE-2017-8034). This fix was added defensively, but this should not impact the current use-case due to lack of multiple identity zones in the BOSH UAA instance.

Changes from v1.0.2

Assets 3
Loading

1.0.2

29 Jun 22:05
@pcf-sec-eng-bot pcf-sec-eng-bot
1.0.2
c81cd87
Compare
Choose a tag to compare
1.0.2

Bug fix

  • The format of password credential generation parameters changed in version 0.6.0, causing data from versions 0.5.1 and prior to fail regeneration and encryption key rotation. This patch includes a fix to read both formats and unify to the preferred format for all new data.

New Features

  • Ability to set stored CA by name for user-provided certificates

NOTE: This feature was added to ensure forward compatibility for data stored with 1.0.x releases. This is an additive change with low risk to affect existing functionality.

Changes from v1.0.1

Assets 3
Loading

0.7.1

26 Jun 20:57
@ishustava ishustava
0.7.1
04efa72
Compare
Choose a tag to compare
0.7.1

Bug fix

  • The format of password credential generation parameters changed in version 0.6.0, causing data from versions 0.5.1 and prior to fail regeneration and encryption key rotation.

If you have stored data from release 0.5.1 and prior, you must upgrade to 0.7.1 and perform encryption key rotation prior to upgrading to 0.8.0 or later.

Changes from v0.7.0

Assets 3
Loading

1.0.1

13 Jun 16:01
@pcf-sec-eng-bot pcf-sec-eng-bot
1.0.1
30a92b6
Compare
Choose a tag to compare
1.0.1

Bug fix

  • Incorrect version displayed at /info endpoint

Changes from v1.0.0

Assets 3
Loading

1.0.0

09 Jun 22:39
@pcf-sec-eng-bot pcf-sec-eng-bot
1.0.0
a1d5709
Compare
Choose a tag to compare
1.0.0

Announcing CredHub release 1.0.0! 🎉🎈

Version 1.0.x is a long term support release. Bug fix and security patch releases will be issued for 9 months following release. See more here.

Features

  • Get, set, generate, delete credentials by type
    • value
    • password
    • user
    • certificate
    • ssh
    • rsa
    • json
  • Authentication via UAA
  • Software-based AES256-GCM encryption provider
  • Encryption provider key rotation
  • Data storage via MySQL and PostgreSQL
  • Access and change logging via CEF file and database
  • Storage of historical credential values and metadata
  • BOSH config server compliant API

Limitations

  • Authenticated users have full access to all resources
  • High availability configuration not supported

Compatibility

  • This release must use BOSH version 261 or later
  • CLI version 1.0.0+ must be used with this release
  • Version 9.4+ must be used if using PostgreSQL database

Changes from v0.8.0

Assets 3
Loading

0.8.0

24 May 01:22
@pcf-sec-eng-bot pcf-sec-eng-bot
0.8.0
8556d5d
Compare
Choose a tag to compare
0.8.0

Compatibility

  • This release must use BOSH version 261 or later.
  • CLI version 0.8.0 must be used with this release
  • CredHub requires PostgreSQL 9.4+

Notices

  • You are advised to backup your database prior to upgrade.
  • Internal encryption provider dev_key is no longer supported. You are must migrate from an existing dev_key to an encryption_password prior to upgrading to this version.

New Features

  • BBR scripts for backup and restore now enabled
  • Preliminary work on mutual TLS authentication
  • Preliminary work on authorization

Bug fix

  • Extended key usage 'timestamping' no longer provides error
  • Server version appropriately returned on /info endpoint
  • JRE bumped to 1.8.0_131 for CVEs
  • Spring Boot bumped to 1.4.6 for Tomcat CVEs

Changes from v0.7.0

Assets 3
Loading

0.7.0

28 Apr 23:49
@pcf-sec-eng-bot pcf-sec-eng-bot
0.7.0
da7470f
Compare
Choose a tag to compare
0.7.0

Compatibility

  • This release must use BOSH version 261 or later.
  • CLI version 0.7.0 must be used with this release
  • CredHub requires PostgreSQL 9.4+

Notices

  • You are advised to backup your database prior to upgrade.
  • Internal encryption provider dev_key is now deprecated. You are advised to migrate from an existing dev_key to an encryption_password.
  • Password generation parameter 'hex-only' has been removed

New Features

  • New credential type "user" now supported
  • Subject key identifier and authority key identifiers are now populated for generated certificate credentials
  • Restructured audit logging to provider data access and modification logging coverage
  • Preliminary work on mutual TLS authentication
  • Preliminary work on authorization

Changes from v0.6.1

Assets 3
Loading

0.6.1

27 Mar 23:43
@pcf-sec-eng-bot pcf-sec-eng-bot
0.6.1
0c36783
Compare
Choose a tag to compare
0.6.1

Bug fix

  • Connections to MySQL databases with require_tls: true will fail with error 'java.sql.SQLNonTransientConnectionException: Failed to find trustStore file.' Related to mariadb-connector-j issue described here.

Changes from v0.6.0

Assets 3
Loading

0.6.0

24 Mar 20:21
@pcf-sec-eng-bot pcf-sec-eng-bot
0.6.0
3821aca
Compare
Choose a tag to compare
0.6.0

Known issues

  • Connections to MySQL databases with require_tls: true will fail with error 'java.sql.SQLNonTransientConnectionException: Failed to find trustStore file.' This issue is resolved in version 0.6.1. Related to mariadb-connector-j issue described here.
  • The format of password credential generation parameters changed in version 0.6.0, causing data from versions 0.5.1 and prior to fail regeneration and encryption key rotation. If you have stored data from release 0.5.1 and prior, you must upgrade to 0.7.1 and perform encryption key rotation prior to upgrading to 0.8.0 or later.

Compatibility

  • This release must use BOSH version 261 or later.
  • CLI version 0.6.0 must be used with this release
  • CredHub requires PostgreSQL 9.4+

Notices

  • You are advised to backup your database prior to upgrade.
  • Encryption provider dev_internal has been renamed internal
  • Internal encryption provider dev_key is now deprecated. You are advised to migrate from an existing dev_key to an encryption_password.

Bug fix

  • HSM migration issue when upgrading from 0.3.1 to 0.5.1 has been resolved in this release

New Features

  • Internal encryption provider now uses PBKDF2 to derive an encryption key from a user-provided value.
  • The encryption_password key with the internal provider now uses AES256-GCM data encryption
  • Added support for storing arbitrary JSON as json-type credential
  • Added /vcap endpoint to support future service broker credential delivery workflow
  • Added SHA256 fingerprint attribute to SSH credential responses
  • Preliminary work on mutual TLS authentication
  • Preliminary work on authorization

Changes from v0.5.1

Assets 3
Loading

0.5.1

23 Feb 01:16
@pcf-sec-eng-bot pcf-sec-eng-bot
0.5.1
e626ab0
Compare
Choose a tag to compare
0.5.1 Pre-release
Pre-release

Known Issue

  • Upgrading from 0.3.x to 0.5.x with an HSM encryption provider will fail. We recommend that you do not upgrade to 0.5.x if using an HSM and instead using 0.6.0. This issue does not affect fresh installs or the dev_internal encryption provider.

Compatibility -

  • This release must use BOSH version 261 or later.
  • CLI version 0.5.x must be used with this release

Notices -

  • You are advised to backup your database prior to upgrade.

Bug fix release -

  • Resolves 500 error which occurred when setting a credential which held an existing value
Assets 3
Loading