Releases: cyberark/conjur
Releases · cyberark/conjur
v1.21.3
[1.21.3] - 2024-12-16
Fixed
- Fixed an error when restoring a backup from an old version of Conjur that
contained orphaned roles (CNJR-7321)
Changed
- Redact sensitive information in the dryrun REST API response
(Roles and Resources not visible to the authenticated user). CNJR-6547
Security
- Authn-JWT: Deny access when issuer claim is missing from JWT.
Can be disabled using the authn_jwt_ignore_missing_issuer_claim config flag.
(CONJSE-1920) - Update nokogiri to 1.16.5 to address CVE-2024-34459.
CONJSE-1923 - Update puma to 6.4.3 to address CVE-2024-45614.
CONJSE-1923 - Update openid_connect to 2.3.1 to address CVE-2023-51774 in json-jwt.
CONJSE-1923 - Update rails to 6.1.7.10 to resolve: rails-html-sanitizer to resolve
CVE-2024-53986, CVE-2024-53987, and CVE-2024-53988, and actionpack to resolve
CVE-2024-54133.
CONJSE-1923
Added
- Add JSON support for the
/endpoint that returns the Conjur version
(CNJR-7245)
Added
- Adds support for Factory Pipelines
v1.21.2
[1.21.2] - 2024-11-20
Changed
- Replaces ERB template engine with Mustache when rendering Factory templates
CNJR-6700 - Modifies the REST API response of a Policy load command, when called with the
dryRunparameter, to report policy attributes that would be created by the
submitted policy.
CNJR-6999 - Modifies the REST API response of a Policy load command, when called with the
dryRunparameter, to report policy attributes that would be updated by the
submitted policy.
CNJR-6109 - Modifies the REST API response of a Policy load command, when called with the
dryRunparameter, to report policy attributes that would be deleted by the
submitted policy.
CNJR-6108
Fixed
- Updates audit events generated during Policy Factory usage.
CNJR-6891
Fixed
- Updates OIDC Authenticator to use the scope defined in configuration.
CNJR-6393 - Failed authentication requests now return without a body, only an error code.
ONYX-60466 - Fixed the ability to define Auth Token TTL in the configuration.
CNJR-6388 - Update webrick to 1.8.2 to resolve CVE-2024-47220.
CONJSE-1907
v1.21.0.1
[1.21.0.1] - 2024-06-11
Added
- Adds support for optionally prefixing user role_id with "user/" during API key authentication.
CNJR-5214
Fixed
- Fixed orphaned roles when deleting policy resources.
CONJSE-1875
Security
- Upgraded Rails to 6.1.7.8, to resolve CVE-2024-28103
v1.21.1
[1.21.1] - 2024-06-03
Added
- Added two options to the
conjurctl servercommand to start the Conjur
service:--no-rotationto disable the internal secret rotation process and
--no-authn-localto disable the internal local authentication socket server.
CNJR-3503 - Adds support for optionally prefixing user role_id with "user/" during API key authentication.
CNJR-5214 - Added endpoint for getting effective policy
CNJR-2040 - Ensure logging of all HTTP status codes during authentication.
CNJR-232
Fixed
- Dedicated user identifier resolver allowing the user identifiers work like any other resource id. The Conjur internal
representation of user identification should not be used with policies. Supports relative and absolute addressing in
case of nested policies.
CNJR-4394 - Fixed orphaned roles when deleting policy resources.
CONJSE-1875
Security
- Upgraded Rails to 6.1.7.8, to resolve CVE-2024-28103
v1.20.1
[1.20.1] - 2023-10-13
Fixed
- OIDC Authenticator now writes custom certs to a non-default directory instead
of the system default certificate store.
cyberark/conjur#2988
Added
- Support for the no_proxy & NO_PROXY environment variables for the k8s authenticator.
CNJR-2759
Security
- Upgrade google/cloud-sdk in ci/test_suites/authenticators_k8s/dev/Dockerfile/test
to use latest version (448.0.0)
cyberark/conjur#2972
v1.20.0
[1.20.0] - 2023-09-21
Fixed
- Allow Factories with optional variables to save without error
cyberark/conjur#2956 - OIDC authenticators support
https_proxyandHTTPS_PROXYenvironment variables
cyberark/conjur#2902 - Support plural syntax for revoke and deny
cyberark/conjur#2901
Added
- Support an optional
ca-certvariable for providing custom certs/chains to verify
OIDC providers or proxies when using the OIDC authenticator
cyberark/conjur#2933 - New flag to
conjurctl servercommand called--no-migratewhich allows for skipping
the database migration step when starting the server.
cyberark/conjur#2895 - Telemetry support
cyberark/conjur#2854 - Introduces support for Policy Factory, which enables resource creation
through a newfactoriesAPI.
cyberark/conjur#2855 - Use base images with newer Ubuntu and UBI.
Display FIPS Mode status in the UI (requires temporary fix for OpenSSL gem).
cyberark/conjur#2874
Changed
- The database thread pool max connection size is now based on the number of
web worker threads per process, rather than an arbitrary fixed number. This
mitigates the possibility of a web worker becoming starved while waiting for
a connection to become available.
cyberark/conjur#2875 - Changed base-image tagging strategy
cyberark/conjur#2926
Fixed
- Support Authn-IAM regional requests when host value is missing from signed headers.
cyberark/conjur#2827
Security
- Support plural syntax for revoke and deny
cyberark/conjur#2901 - Previously, attempting to add and remove a privilege in the same policy load
resulted in only the positive privilege (grant, permit) taking effect. Now we
fail safe and the negative privilege statement (revoke, deny) is the final
outcome
cyberark/conjur#2907 - Update puma to 6.3.1 to address CVE-2023-40175.
cyberark/conjur#2925
v1.19.6
[1.19.6] - 2023-07-05
Fixed
- Support Authn-IAM regional requests when host value is missing from signed headers.
cyberark/conjur#2827
v0.0.5
[0.0.5] - 2023-07-17
Security
- Use newer base images with Ubuntu 22.04, Ruby 3.2 and OpenSSL 3
cyberark/conjur#2827
v1.19.3.1
502a18a
This commit was signed with the committer’s verified signature.
andytinkham
Andy Tinkham
[1.19.3.1] - 2023-07-12
Security
- Update bundler to 2.2.33 to remove CVE-2021-43809
cyberark/conjur#2804
v1.19.5
[1.19.5] - 2023-06-29
Security
- Update bundler to 2.2.33 to remove CVE-2021-43809
cyberark/conjur#2804
Fixed
- AuthnJWT now supports claims that include hyphens and inline namespaces.
cyberark/conjur#2792 - Authn-IAM now uses the host in the signed headers to determine which STS endpoint
(global or regional) to use for validation.
Changed
- OIDC tokens will now have a default ttl of 60 mins
cyberark/conjur#2800