Releases: cyberark/conjur
v1.21.2
[1.21.2] - 2024-11-20
Changed
- Replaces ERB template engine with Mustache when rendering Factory templates
CNJR-6700
- Modifies the REST API response of a Policy load command, when called with the
dryRun parameter, to report policy attributes that would be created by the
submitted policy.
CNJR-6999
- Modifies the REST API response of a Policy load command, when called with the
dryRun parameter, to report policy attributes that would be updated by the
submitted policy.
CNJR-6109
- Modifies the REST API response of a Policy load command, when called with the
dryRun parameter, to report policy attributes that would be deleted by the
submitted policy.
CNJR-6108
Fixed
- Updates audit events generated during Policy Factory usage.
CNJR-6891
Fixed
- Updates OIDC Authenticator to use the scope defined in configuration.
CNJR-6393
- Failed authentication requests now return without a body, only an error code.
ONYX-60466
- Fixed the ability to define Auth Token TTL in the configuration.
CNJR-6388
- Update webrick to 1.8.2 to resolve CVE-2024-47220.
CONJSE-1907
v1.21.0.1
[1.21.0.1] - 2024-06-11
Added
- Adds support for optionally prefixing user role_id with "user/" during API key authentication.
CNJR-5214
Fixed
- Fixed orphaned roles when deleting policy resources.
CONJSE-1875
Security
- Upgraded Rails to 6.1.7.8, to resolve CVE-2024-28103
v1.21.1
[1.21.1] - 2024-06-03
Added
- Added two options to the conjurctl server command to start the Conjur
service: --no-rotation to disable the internal secret rotation process and
--no-authn-local to disable the internal local authentication socket server.
CNJR-3503
- Adds support for optionally prefixing user role_id with "user/" during API key authentication.
CNJR-5214
- Added endpoint for getting effective policy
CNJR-2040
- Ensure logging of all HTTP status codes during authentication.
CNJR-232
Fixed
- Dedicated user identifier resolver allowing user identifiers to work like any other resource id. The Conjur internal
representation of user identification should not be used with policies. Supports relative and absolute addressing in
case of nested policies.
CNJR-4394
- Fixed orphaned roles when deleting policy resources.
CONJSE-1875
Security
- Upgraded Rails to 6.1.7.8, to resolve CVE-2024-28103
v1.20.1
[1.20.1] - 2023-10-13
Fixed
- OIDC Authenticator now writes custom certs to a non-default directory instead
of the system default certificate store.
cyberark/conjur#2988
Added
- Support for the no_proxy & NO_PROXY environment variables for the k8s authenticator.
CNJR-2759
Security
- Upgrade google/cloud-sdk in ci/test_suites/authenticators_k8s/dev/Dockerfile/test
to use latest version (448.0.0)
cyberark/conjur#2972
v1.20.0
[1.20.0] - 2023-09-21
Fixed
- Allow Factories with optional variables to save without error
cyberark/conjur#2956
- OIDC authenticators support https_proxy and HTTPS_PROXY environment variables
cyberark/conjur#2902
- Support plural syntax for revoke and deny
cyberark/conjur#2901
Added
- Support an optional ca-cert variable for providing custom certs/chains to verify
OIDC providers or proxies when using the OIDC authenticator
cyberark/conjur#2933
- New flag to conjurctl server command called --no-migrate which allows for skipping
the database migration step when starting the server.
cyberark/conjur#2895
- Telemetry support
cyberark/conjur#2854
- Introduces support for Policy Factory, which enables resource creation
through a new factories API.
cyberark/conjur#2855
- Use base images with newer Ubuntu and UBI.
Display FIPS Mode status in the UI (requires temporary fix for OpenSSL gem).
cyberark/conjur#2874
Changed
- The database thread pool max connection size is now based on the number of
web worker threads per process, rather than an arbitrary fixed number. This
mitigates the possibility of a web worker becoming starved while waiting for
a connection to become available.
cyberark/conjur#2875
- Changed base-image tagging strategy
cyberark/conjur#2926
Fixed
- Support Authn-IAM regional requests when host value is missing from signed headers.
cyberark/conjur#2827
Security
- Support plural syntax for revoke and deny
cyberark/conjur#2901
- Previously, attempting to add and remove a privilege in the same policy load
resulted in only the positive privilege (grant, permit) taking effect. Now we
fail safe and the negative privilege statement (revoke, deny) is the final
outcome
cyberark/conjur#2907
- Update puma to 6.3.1 to address CVE-2023-40175.
cyberark/conjur#2925
v1.19.6
[1.19.6] - 2023-07-05
Fixed
- Support Authn-IAM regional requests when host value is missing from signed headers.
cyberark/conjur#2827
v0.0.5
[0.0.5] - 2023-07-17
Security
- Use newer base images with Ubuntu 22.04, Ruby 3.2 and OpenSSL 3
cyberark/conjur#2827
v1.19.3.1
[1.19.3.1] - 2023-07-12
Security
- Update bundler to 2.2.33 to remove CVE-2021-43809
cyberark/conjur#2804
v1.19.5
[1.19.5] - 2023-06-29
Security
- Update bundler to 2.2.33 to remove CVE-2021-43809
cyberark/conjur#2804
Fixed
- AuthnJWT now supports claims that include hyphens and inline namespaces.
cyberark/conjur#2792
- Authn-IAM now uses the host in the signed headers to determine which STS endpoint
(global or regional) to use for validation.
Changed
- OIDC tokens will now have a default ttl of 60 mins
cyberark/conjur#2800
v1.19.3
[1.19.3] - 2023-04-17
Added
- Conjur now logs when it detects that the Conjur configuration file
(conjur.yml) or directory permissions prevent the Conjur server from
successfully reading it. Conjur also now logs at the DEBUG level when it
detects that either the directory or file do not exist.
cyberark/conjur#2715
- Account admin roles now have a corresponding resource. This ensures that
access controls work as expected for this role to access itself.
cyberark/conjur#2757
Changed
- Removes support for disabling the CONJUR_FEATURE_PKCE_SUPPORT_ENABLED flag.
cyberark/conjur#2713
- Routes on the /roles/ API endpoints now correctly verify the existence of
a Role and return 404 when it doesn't exist or the caller has insufficient
privilege.
cyberark/conjur#2755
Fixed
- Fixed a thread-safety bug in secret retrieval when multiple threads attempt
to decrypt a secret value with Slosilo/OpenSSL.
cyberark/slosilo#31
cyberark/conjur#2718
- Incomplete HTTP proxy support in the Kubernetes Authenticator is fixed. This
allows for an HTTP proxy between Conjur and the Kubernetes API.
cyberark/conjur#2766
Security
- Updated github-pages version in docs/Gemfile to allow upgrading activesupport
to v7.0.4.2 to resolve CVE-2022-22796
cyberark/conjur#2729
- Upgraded rack to v2.2.6.3 to resolve CVE-2023-27530
cyberark/conjur#2739
- Upgraded rack to v2.2.6.4 to resolve CVE-2023-27539
cyberark/conjur#2750
- Updated nokogiri to 1.14.3 for CVE-2023-29469 and CVE-2023-28484 and rails to
6.1.7.3 for CVE-2023-28120 in Gemfile.lock, nokogiri to 1.1.4.3 for CVE-2023-29469
and commonmarker to 0.23.9 for CVE-2023-24824 and CVE-2023-26485 in docs/Gemfile.lock
(all Medium severity issues flagged by Dependabot)
cyberark/conjur#2776