2012-05-22 14:21:04 +02:00
|
|
|
* Version 2.15 unreleased
|
|
|
|
|
2012-05-22 14:19:20 +02:00
|
|
|
* Version 2.14 released 2012-05-22
|
|
|
|
|
|
|
|
* Add support for reconnecting to database after errors.
|
|
|
|
|
|
|
|
* Fixes for PHP warnings.
|
|
|
|
|
|
|
|
* Detect timeouts and errors in munin checks.
|
2012-05-16 14:01:51 +02:00
|
|
|
|
2012-05-16 13:55:53 +02:00
|
|
|
* Version 2.13 released 2012-05-16
|
|
|
|
|
|
|
|
* Fix signature checking broken in 2.12 and for dvorak OTPs.
|
|
|
|
|
|
|
|
* Fixes for ykval-checksum-clients.php
|
2012-05-10 09:58:34 +02:00
|
|
|
|
2012-05-09 09:45:15 +02:00
|
|
|
* Version 2.12 released 2012-05-09
|
|
|
|
|
|
|
|
* Fix using 'fast' or 'secure' as sync level.
|
|
|
|
|
|
|
|
* Fix database setup script to make nonce max 40 characters.
|
2012-01-23 20:42:57 +01:00
|
|
|
|
2011-11-16 19:36:34 +01:00
|
|
|
* Version 2.11 released 2011-11-16
|
2011-10-25 10:10:53 +02:00
|
|
|
|
|
|
|
* Silence PHP warnings. Patch from Hiroki Nose.
|
|
|
|
|
2011-10-31 11:11:45 +01:00
|
|
|
* Include munin scripts in tarball. From Fredrik Thulin.
|
2011-10-31 08:00:41 +01:00
|
|
|
|
2011-10-31 11:11:45 +01:00
|
|
|
* Support for DESTDIR in 'make install'. From Fredrik Thulin.
|
2011-10-31 08:07:47 +01:00
|
|
|
|
2011-10-31 11:11:45 +01:00
|
|
|
* Reorder include's to allow for dbi-settings through
|
|
|
|
ykval-config.php. From Fredrik Thulin.
|
2011-10-31 11:11:14 +01:00
|
|
|
|
2011-11-01 12:24:45 +01:00
|
|
|
* Install non-bin PHP files with --mode 644 to avoid executable bit.
|
|
|
|
From Fredrik Thulin.
|
|
|
|
|
2011-11-14 11:28:08 +01:00
|
|
|
* Fix two remaining non-portable uses of rowCount.
|
|
|
|
|
2011-08-18 14:48:32 +02:00
|
|
|
* Version 2.10 released 2011-08-18
|
2011-08-18 14:19:15 +02:00
|
|
|
|
|
|
|
* Don't echo (unsanitized) OTP/NONCE values back to client when
|
|
|
|
sending error codes. Reported by Paul van Empelen.
|
|
|
|
|
|
|
|
Resolving this problem protects (arguably buggy) clients against
|
|
|
|
an attack. Prior versions of the Yubico C and PHP clients do not
|
|
|
|
appear to exhibit this bug. We provide an analysis of the issue
|
|
|
|
below so that you can review client implementations for the
|
|
|
|
problem. Note that you do not have to fix clients if you are
|
|
|
|
using this server version (or later), although we recommend it
|
|
|
|
anyway.
|
|
|
|
|
|
|
|
If the client sends a OTP value that ends with '%0astatus=OK' the
|
|
|
|
server output will contain a line 'status=ok' before the real
|
|
|
|
status code status=MISSING_PARAMETER. Note lower-casing of the
|
|
|
|
injected status code, so that it doesn't match a correct
|
|
|
|
'status=OK' response. Note also that the OTP value would fail
|
|
|
|
normal input validation checks in the client.
|
|
|
|
|
|
|
|
If the client sends a NONCE value that ends with '%0astatus=OK'
|
|
|
|
the output will contain a line consisting of 'status=OK' before
|
|
|
|
the correct status=MISSING_PARAMETER. However, the NONCE value is
|
|
|
|
generated by client code internally and does not come from any
|
|
|
|
untrusted source, thus the impact here is limited -- if an
|
|
|
|
attacker is able to trick a client into sending a crafted NONCE
|
|
|
|
value the attacker is normally able to modify the client code
|
|
|
|
somehow, and can thus trick the client in other ways as well.
|
|
|
|
Similar issues apply to the ID field, which is normally also under
|
|
|
|
control of the trusted client code and not something an attacker
|
|
|
|
could influence.
|
|
|
|
|
|
|
|
Thus, this server-side fix solve a client-side issue that we
|
|
|
|
believe would only occur when both of these conditions are true:
|
|
|
|
|
|
|
|
1) the client does not do proper input validation of the OTP, and
|
|
|
|
2) the client incorrectly parses 'status=ok' as 'status=OK'.
|
|
|
|
|
|
|
|
or when the following condition is true
|
|
|
|
|
|
|
|
A) the client can be tricked into sending a crafted NONCE or ID
|
|
|
|
value.
|
|
|
|
|
2011-05-09 16:31:10 +02:00
|
|
|
* Version 2.9 released 2011-05-09
|
|
|
|
|
|
|
|
* Support multiple IP authorizations in ykval-revoke.php.
|
|
|
|
|
2011-01-06 22:39:35 +01:00
|
|
|
* Version 2.8 released 2011-01-06
|
2010-09-21 10:13:36 +02:00
|
|
|
|
|
|
|
* Support YubiKey OTPs filtered through a US Dvorak keyboard layout.
|
|
|
|
|
2010-11-15 11:41:49 +01:00
|
|
|
* Added ykval_-vallatency Munin probe to measure latency to other
|
|
|
|
validation instances, for both IPv4 and IPv6.
|
|
|
|
|
2010-09-12 12:44:33 +02:00
|
|
|
* Version 2.7 released 2010-09-12
|
2010-08-02 16:22:07 +02:00
|
|
|
|
2010-09-12 12:39:57 +02:00
|
|
|
* Sanity check input OTP variable to avoid any chance of SQL injections.
|
|
|
|
Reported by Ricky Zhou.
|
|
|
|
|
2010-08-22 15:41:21 +02:00
|
|
|
* Timestamp request and response because syslog doesn't record year
|
|
|
|
nor sub-second resolution.
|
2010-08-22 15:27:46 +02:00
|
|
|
|
2010-08-22 16:38:26 +02:00
|
|
|
* Log whether HTTPS is used or not.
|
|
|
|
|
2010-08-02 16:17:45 +02:00
|
|
|
* Version 2.6 released 2010-08-02
|
2010-06-01 09:56:45 +02:00
|
|
|
|
|
|
|
* Don't use rowCount in ykval-revoke, there seems to be some problem
|
|
|
|
with the rowCount function.
|
|
|
|
|
2010-08-02 16:02:40 +02:00
|
|
|
* Add Munin plugin to measure KSM latency and queue length.
|
2010-06-22 22:22:12 +02:00
|
|
|
|
2010-05-17 15:24:10 +02:00
|
|
|
* Version 2.5 released 2010-05-17
|
2010-04-23 20:05:10 +02:00
|
|
|
|
|
|
|
* Fix undefined warnings, issue #8.
|
|
|
|
|
2010-05-17 15:20:49 +02:00
|
|
|
* Don't use PDO rowCount function to get number of rows returned
|
|
|
|
because that isn't portable. Patch from arte42.ripe in issue #7
|
|
|
|
(yubikey-val-2.1-php-rowcount.patch).
|
|
|
|
|
2010-05-17 15:06:06 +02:00
|
|
|
* When number of sync servers equals zero, set sync result to success.
|
2010-05-17 15:13:36 +02:00
|
|
|
Patch from arte42.ripe in issue #7 (yubikey-val-2.1-syncres.patch).
|
2010-05-17 15:06:06 +02:00
|
|
|
|
2010-05-17 15:08:48 +02:00
|
|
|
* When there is only one KSM, use more portable code without async.
|
2010-05-17 15:13:36 +02:00
|
|
|
Patch from arte42.ripe in issue #7 (yubikey-val-2.1-php-curl.patch).
|
2010-05-17 15:08:48 +02:00
|
|
|
|
2010-04-23 20:08:16 +02:00
|
|
|
* Add files COPYING and AUTHORS.
|
|
|
|
|
2010-03-16 15:34:18 +01:00
|
|
|
* Version 2.4 released 2010-03-16
|
2010-03-12 11:09:44 +01:00
|
|
|
|
|
|
|
* Fix bug in ykval-checksum-clients.php when used with PostgreSQL.
|
|
|
|
|
2010-03-16 15:34:18 +01:00
|
|
|
* Version 2.3 released 2010-03-12
|
2010-03-12 10:45:23 +01:00
|
|
|
|
|
|
|
* Add ykval-checksum-clients.php, see doc/SyncMonitor.wiki.
|
|
|
|
|
2010-03-16 15:34:18 +01:00
|
|
|
* Version 2.2 released 2010-02-22
|
2010-02-22 14:46:46 +01:00
|
|
|
|
|
|
|
* Minor cleanups and fixes.
|
|
|
|
|
|
|
|
* Add ykval-revoke.php service, see doc/RevocationService.wiki.
|
|
|
|
|
2010-03-16 15:34:18 +01:00
|
|
|
* Version 2.1 released 2010-01-29
|
2010-01-30 08:27:52 +01:00
|
|
|
|
|
|
|
* Minor cleanups and fixes.
|
|
|
|
|
2010-03-16 15:34:18 +01:00
|
|
|
* Version 2.0 released 2010-01-18
|
2010-01-19 07:50:51 +01:00
|
|
|
|
|
|
|
* Major re-design to support a new architecture with replicated
|
|
|
|
servers.
|
|
|
|
|
2010-03-16 15:34:18 +01:00
|
|
|
* Version 1.1 released 2009-11-19
|
2010-01-19 07:50:51 +01:00
|
|
|
|
|
|
|
* Stable release of non-replicated server.
|