Skip to content

Releases: cyberark/conjur

v1.21.2

22 Nov 15:40
Compare
Choose a tag to compare

[1.21.2] - 2024-11-20

Changed

  • Replaces ERB template engine with Mustache when rendering Factory templates
    CNJR-6700
  • Modifies the REST API response of a Policy load command, when called with the
    dryRun parameter, to report policy attributes that would be created by the
    submitted policy.
    CNJR-6999
  • Modifies the REST API response of a Policy load command, when called with the
    dryRun parameter, to report policy attributes that would be updated by the
    submitted policy.
    CNJR-6109
  • Modifies the REST API response of a Policy load command, when called with the
    dryRun parameter, to report policy attributes that would be deleted by the
    submitted policy.
    CNJR-6108

Fixed

  • Updates audit events generated during Policy Factory usage.
    CNJR-6891

Fixed

  • Updates OIDC Authenticator to use the scope defined in configuration.
    CNJR-6393
  • Failed authentication requests now return without a body, only an error code.
    ONYX-60466
  • Fixed the ability to define Auth Token TTL in the configuration.
    CNJR-6388
  • Update webrick to 1.8.2 to resolve CVE-2024-47220.
    CONJSE-1907

v1.21.0.1

18 Sep 15:07
157deee
Compare
Choose a tag to compare
v1.21.0.1 Pre-release
Pre-release

[1.21.0.1] - 2024-06-11

Added

  • Adds support for optionally prefixing user role_id with "user/" during API key authentication.
    CNJR-5214

Fixed

  • Fixed orphaned roles when deleting policy resources.
    CONJSE-1875

Security

v1.21.1

18 Sep 21:14
a579909
Compare
Choose a tag to compare

[1.21.1] - 2024-06-03

Added

  • Added two options to the conjurctl server command to start the Conjur
    service: --no-rotation to disable the internal secret rotation process and
    --no-authn-local to disable the internal local authentication socket server.
    CNJR-3503
  • Adds support for optionally prefixing user role_id with "user/" during API key authentication.
    CNJR-5214
  • Added endpoint for getting effective policy
    CNJR-2040
  • Ensure logging of all HTTP status codes during authentication.
    CNJR-232

Fixed

  • Dedicated user identifier resolver allowing the user identifiers work like any other resource id. The Conjur internal
    representation of user identification should not be used with policies. Supports relative and absolute addressing in
    case of nested policies.
    CNJR-4394
  • Fixed orphaned roles when deleting policy resources.
    CONJSE-1875

Security

v1.20.1

17 Aug 19:56
40401f4
Compare
Choose a tag to compare
v1.20.1 Pre-release
Pre-release

[1.20.1] - 2023-10-13

Fixed

  • OIDC Authenticator now writes custom certs to a non-default directory instead
    of the system default certificate store.
    cyberark/conjur#2988

Added

  • Support for the no_proxy & NO_PROXY environment variables for the k8s authenticator.
    CNJR-2759

Security

  • Upgrade google/cloud-sdk in ci/test_suites/authenticators_k8s/dev/Dockerfile/test
    to use latest version (448.0.0)
    cyberark/conjur#2972

v1.20.0

04 Aug 21:07
7044dbc
Compare
Choose a tag to compare

[1.20.0] - 2023-09-21

Fixed

Added

  • Support an optionalca-cert variable for providing custom certs/chains to verify
    OIDC providers or proxies when using the OIDC authenticator
    cyberark/conjur#2933
  • New flag to conjurctl server command called --no-migrate which allows for skipping
    the database migration step when starting the server.
    cyberark/conjur#2895
  • Telemetry support
    cyberark/conjur#2854
  • Introduces support for Policy Factory, which enables resource creation
    through a new factories API.
    cyberark/conjur#2855
  • Use base images with newer Ubuntu and UBI.
    Display FIPS Mode status in the UI (requires temporary fix for OpenSSL gem).
    cyberark/conjur#2874

Changed

  • The database thread pool max connection size is now based on the number of
    web worker threads per process, rather than an arbitrary fixed number. This
    mitigates the possibility of a web worker becoming starved while waiting for
    a connection to become available.
    cyberark/conjur#2875
  • Changed base-image tagging strategy
    cyberark/conjur#2926

Fixed

  • Support Authn-IAM regional requests when host value is missing from signed headers.
    cyberark/conjur#2827

Security

  • Support plural syntax for revoke and deny
    cyberark/conjur#2901
  • Previously, attempting to add and remove a privilege in the same policy load
    resulted in only the positive privilege (grant, permit) taking effect. Now we
    fail safe and the negative privilege statement (revoke, deny) is the final
    outcome
    cyberark/conjur#2907
  • Update puma to 6.3.1 to address CVE-2023-40175.
    cyberark/conjur#2925

v1.19.6

06 Jul 17:35
322861b
Compare
Choose a tag to compare
v1.19.6 Pre-release
Pre-release

[1.19.6] - 2023-07-05

Fixed

  • Support Authn-IAM regional requests when host value is missing from signed headers.
    cyberark/conjur#2827

v0.0.5

18 Jul 12:47
Compare
Choose a tag to compare
v0.0.5 Pre-release
Pre-release

[0.0.5] - 2023-07-17

Security

v1.19.3.1

13 Jul 23:25
502a18a
Compare
Choose a tag to compare
v1.19.3.1 Pre-release
Pre-release

[1.19.3.1] - 2023-07-12

Security

v1.19.5

17 May 19:48
1377763
Compare
Choose a tag to compare

[1.19.5] - 2023-06-29

Security

Fixed

  • AuthnJWT now supports claims that include hyphens and inline namespaces.
    cyberark/conjur#2792
  • Authn-IAM now uses the host in the signed headers to determine which STS endpoint
    (global or regional) to use for validation.

Changed

v1.19.3

26 Jan 20:38
05aa1aa
Compare
Choose a tag to compare

[1.19.3] - 2023-04-17

Added

  • Conjur now logs when it detects that the Conjur configuration file
    (conjur.yml) or directory permissions prevent the Conjur server from
    successfully reading it. Conjur also now logs at the DEBUG level when it
    detects that either the directory or file do not exist.
    cyberark/conjur#2715
  • Account admin roles now have a corresponding resource. This ensures that
    access controls work as expected for this role to access itself.
    cyberark/conjur#2757

Changed

  • Removes support for disabling the CONJUR_FEATURE_PKCE_SUPPORT_ENABLED flag.
    cyberark/conjur#2713
  • Routes on the /roles/ API endpoints now correctly verify the existing of
    a Role and return 404 when it doesn't exist or the caller has insufficient
    privilege.
    cyberark/conjur#2755

Fixed

  • Fixed a thread-safety bug in secret retrieval when multiple threads attempt
    to decrypt a secret value with Slosilo/OpenSSL.
    cyberark/slosilo#31
    cyberark/conjur#2718
  • Incomplete HTTP proxy support in the Kubernetes Authenticator is fixed. This
    allows for an HTTP proxy between Conjur and the Kubernetes API.
    cyberark/conjur#2766

Security