Conjur Versions

CyberArk Conjur automatically secures secrets used by privileged users and machine identities

v1.19.3-3529

1 year ago

[1.19.3] - 2023-01-26

Added

  • Conjur now logs when it detects that the Conjur configuration file (conjur.yml) or directory permissions prevent the Conjur server from successfully reading it. Conjur also now logs at the DEBUG level when it detects that either the directory or the file does not exist. cyberark/conjur#2715

Fixed

Security

  • Updated github-pages version in docs/Gemfile to allow upgrading activesupport to v7.0.4.2 to resolve CVE-2022-22796 cyberark/conjur#2729

v1.19.3

1 year ago

[1.19.3] - 2023-04-17

Added

  • Conjur now logs when it detects that the Conjur configuration file (conjur.yml) or directory permissions prevent the Conjur server from successfully reading it. Conjur also now logs at the DEBUG level when it detects that either the directory or the file does not exist. cyberark/conjur#2715
  • Account admin roles now have a corresponding resource. This ensures that access controls work as expected for this role to access itself. cyberark/conjur#2757

Changed

  • Removes support for disabling the CONJUR_FEATURE_PKCE_SUPPORT_ENABLED flag. cyberark/conjur#2713
  • Routes on the /roles/ API endpoints now correctly verify the existence of a Role and return 404 when it doesn't exist or the caller has insufficient privilege. cyberark/conjur#2755

Fixed

  • Fixed a thread-safety bug in secret retrieval when multiple threads attempt to decrypt a secret value with Slosilo/OpenSSL. cyberark/slosilo#31 cyberark/conjur#2718
  • Incomplete HTTP proxy support in the Kubernetes Authenticator is fixed. This allows for an HTTP proxy between Conjur and the Kubernetes API. cyberark/conjur#2766

Security

  • Updated github-pages version in docs/Gemfile to allow upgrading activesupport to v7.0.4.2 to resolve CVE-2022-22796 cyberark/conjur#2729
  • Upgraded rack to v2.2.6.3 to resolve CVE-2023-27530 cyberark/conjur#2739
  • Upgraded rack to v2.2.6.4 to resolve CVE-2023-27539 cyberark/conjur#2750
  • Updated nokogiri to 1.14.3 for CVE-2023-29469 and CVE-2023-28484 and rails to 6.1.7.3 for CVE-2023-28120 in Gemfile.lock, nokogiri to 1.1.4.3 for CVE-2023-29469 and commonmarker to 0.23.9 for CVE-2023-24824 and CVE-2023-26485 in docs/Gemfile.lock (all Medium severity issues flagged by Dependabot) cyberark/conjur#2776

v1.19.3-3622

1 year ago

[1.19.3] - 2023-03-21

Changed

  • Removes support for disabling the CONJUR_FEATURE_PKCE_SUPPORT_ENABLED flag. cyberark/conjur#2713
  • Routes on the /roles/ API endpoints now correctly verify the existence of a Role and return 404 when it doesn't exist or the caller has insufficient privilege. cyberark/conjur#2755

v1.19.2

1 year ago

[1.19.2] - 2022-01-13

Fixed

  • Previously, including limit or offset parameters to a resource list request resulted in the returned list being unexpectedly sorted. Now, all resource list request results are sorted by resource ID. cyberark/conjur#2702

Security

v1.19.2-3431

1 year ago

[1.19.2] - 2022-01-13

Fixed

  • Previously, including limit or offset parameters to a resource list request resulted in the returned list being unexpectedly sorted. Now, all resource list request results are sorted by resource ID. cyberark/conjur#2702

Security

v1.19.1

1 year ago

[1.19.1] - 2022-12-08

Security

  • Update loofah to 2.19.1 for CVE-2022-23514, CVE-2022-23515 and CVE-2022-23516 (all Not Vulnerable) and rails-html-sanitizer to 1.4.4 for CVE-2022-23517, CVE-2022-23518, CVE-2022-23519, and CVE-2022-23520 (Not vulnerable) cyberark/conjur#2686
  • Updated nokogiri in root and docs Gemfile.lock files to resolve GHSA-qv4q-mr5r-qprj cyberark/conjur#2684

Fixed

  • Previously, if an OIDC authenticator was configured with a Status webservice, the OIDC provider endpoint would include duplicate OIDC authenticators. This change resolves ONYX-25530. cyberark/conjur#2678
  • Allows V2 OIDC authenticators to be checked through the authenticator status endpoint. This change resolves ONYX-25531. cyberark/conjur#2692
  • Previously, if an OIDC provider endpoint was incorrect, the provider list endpoint would raise an exception. This change resolves ONYX-30387. cyberark/conjur#2688

Added

  • Provides support for PKCE in the OIDC Authenticator code redirect workflow. This is enabled by default. If needed, it can be disabled using the CONJUR_FEATURE_PKCE_SUPPORT_ENABLED feature flag. cyberark/conjur#2678
  • OIDC Authenticator can now be configured to distribute access tokens with a custom time-to-live. cyberark/conjur#2683
  • List members requests (GET /roles/conjur/{kind}/{identifier}?members) now produce audit events. cyberark/conjur#2691
  • Show resource requests (GET /resources/:account/:kind/*identifier) now produce audit events. cyberark/conjur#2695
  • List memberships requests (GET /roles/:account/:kind/*identifier?memberships) now produce audit events. cyberark/conjur#2693

v1.19.1-3355

1 year ago

[1.19.1] - 2022-12-08

Security

  • Update loofah to 2.19.1 for CVE-2022-23514, CVE-2022-23515 and CVE-2022-23516 (all Not Vulnerable) and rails-html-sanitizer to 1.4.4 for CVE-2022-23517, CVE-2022-23518, CVE-2022-23519, and CVE-2022-23520 (Not vulnerable) cyberark/conjur#2686
  • Updated nokogiri in root and docs Gemfile.lock files to resolve GHSA-qv4q-mr5r-qprj cyberark/conjur#2684

Fixed

  • Previously, if an OIDC authenticator was configured with a Status webservice, the OIDC provider endpoint would include duplicate OIDC authenticators. This change resolves ONYX-25530. cyberark/conjur#2678

Added

  • Provides support for PKCE in the OIDC Authenticator code redirect workflow. This is disabled by default, but is available under the CONJUR_FEATURE_PKCE_SUPPORT_ENABLED feature flag. cyberark/conjur#2678
  • OIDC Authenticator can now be configured to distribute access tokens with a custom time-to-live. cyberark/conjur#2683

v1.19.1-3334

1 year ago

[1.19.1] - 2022-12-08

Security

  • Update loofah to 2.19.1 for CVE-2022-23514, CVE-2022-23515 and CVE-2022-23516 (all Not Vulnerable) and rails-html-sanitizer to 1.4.4 for CVE-2022-23517, CVE-2022-23518, CVE-2022-23519, and CVE-2022-23520 (Not vulnerable) cyberark/conjur#2686
  • Updated nokogiri in root and docs Gemfile.lock files to resolve GHSA-qv4q-mr5r-qprj cyberark/conjur#2684

Fixed

  • Previously, if an OIDC authenticator was configured with a Status webservice, the OIDC provider endpoint would include duplicate OIDC authenticators. This change resolves ONYX-25530. cyberark/conjur#2678

Added

  • Provides support for PKCE in the OIDC Authenticator code redirect workflow. This is disabled by default, but is available under the CONJUR_FEATURE_PKCE_SUPPORT_ENABLED feature flag. cyberark/conjur#2678

v1.19.0-3239

1 year ago

[1.19.0] - 2022-10-11

Added

  • Conjur policy loads can now emit callbacks to extensions on policy load lifecycle events (e.g. before/after policy load). This is disabled by default, but is available under the CONJUR_FEATURE_POLICY_LOAD_EXTENSIONS feature flag. cyberark/conjur#2671
  • Conjur roles API can now emit callbacks to extensions on member add and remove events (e.g. before/after add member). This is disabled by default, but is available under the CONJUR_FEATURE_ROLES_API_EXTENSIONS feature flag. cyberark/conjur#2671

Changed

Security

  • Updated nokogiri in root and docs Gemfile.lock files to resolve GHSA-2qc6-mcvw-92cw cyberark/conjur#2670

v1.19.0

1 year ago

[1.19.0] - 2022-11-29

Added

  • Conjur policy loads can now emit callbacks to extensions on policy load lifecycle events (e.g. before/after policy load). This is disabled by default, but is available under the CONJUR_FEATURE_POLICY_LOAD_EXTENSIONS feature flag. cyberark/conjur#2671
  • Conjur roles API can now emit callbacks to extensions on member add and remove events (e.g. before/after add member). This is disabled by default, but is available under the CONJUR_FEATURE_ROLES_API_EXTENSIONS feature flag. cyberark/conjur#2671

Security

  • Updated nokogiri in root and docs Gemfile.lock files to resolve GHSA-2qc6-mcvw-92cw cyberark/conjur#2670