* Version 2.42 (unreleased)

* Version 2.41 (released 2020-03-11)

* Redo release using the correct signing process.

* Version 2.40 (released 2020-03-03)

* Enhanced data validation to address YSA-2020-01.

* Re-indent everything according to PEAR standard.

* Version 2.39 (released 2016-11-01)

* Minor documentation fix.

* Version 2.38 (released 2016-06-08)

* Silence PHP notice when using curl handles as array keys.

* Version 2.37 (released 2016-05-17)

* Avoid PHP notices/warnings when receiving empty verify requests.

* Version 2.36 (released 2016-05-16)

* Commit to either $_GET or $_POST early in request handling.

* Use CURLINFO_EFFECTIVE_URL instead of CURLINFO_PRIVATE in synclib.

* Run tests for PHP 7.0.

* Version 2.35 (released 2016-04-19)

* Fixed install target in Makefile to include ykval-log-verify.php.

* Version 2.34 (released 2016-04-18)

* Added __YKVAL_VERIFY_LOGFORMAT__ to optionally provide a
  single line to log verify requests.

* ykval-synclib does parallel sync with peers,
  i.e. instead of totally draining a peer queue before moving
  to the next peer, we drain a bit of each peer on each run.

* Documentation fixes.

* Version 2.33 (released 2015-10-05)

* Modified a LOG_INFO message,
  multiple key=val are separated by two spaces instead of one.

* Added http://127.0.0.1:80 to default ksm service.

* Refactoring and internal improvements.

* Version 2.32 (released 2015-09-14)

* Fixed erroneous log messages and whitespace output.

* Refactoring and internal improvements.

* Version 2.31 (released 2015-09-10)

* Fix issues introduced in 2.30:

* PHP Fatal error when receiving an empty sync request,
  due to not initialising the logging boilerplate early enough.

* PHP Notice when writing a LOG_INFO message,
  due to incorrect sprintf argument passing.

* Version 2.30 (released 2015-09-09)

* Refactoring and internal improvements.

* Better robustness and minor performance improvements.

* Bug fixes in logging framework and message output.

* Preference towards TLS by default.

* ykval-queue exits automatically on single node configurations.

* Rewrote ksmlatency, vallatency & queuelength munin plugins.

* Munin plugins use libcurl rather than curl system binaries.

* Version 2.29 (released 2015-05-27)

* Allow curl options to be set from config file.

* Version 2.28 (released 2015-02-11)

* Refactor munin queuelength plugin to show what is queued.

* Add ykval-nagios-queuelength.

* Use constant time string comparison for validating HMAC signature.
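The 2.28 item in working form, as an added Python example (not yubikey-val's own PHP). It assumes the signature format of Yubico's validation protocol 2.0, which this file does not restate: HMAC-SHA1 over the response parameters other than h, in alphabetical key order as k=v pairs joined with '&', base64 encoded. The client secret, timestamp, OTP and nonce are constructed. naive_equal counts how many bytes a plain string compare examines before giving up, which is the quantity a remote attacker recovers from response timing; hmac.compare_digest is the constant-time replacement.

```python
"""Verifying a yubikey-val style response signature in constant time.

Added example, not yubikey-val's PHP. Assumes the signature format of
Yubico's validation protocol 2.0: HMAC-SHA1 over the response parameters
other than h, in alphabetical key order as k=v pairs joined with '&',
base64 encoded. The client secret and the sample response are
constructed for this example.
"""
import base64
import binascii
import hashlib
import hmac
from typing import Dict, Tuple

CLIENT_SECRET = bytes(range(20))   # constructed 20-byte client API secret


def signing_string(params: Dict[str, str]) -> str:
    """Canonical text the signature covers: sorted keys, h excluded."""
    return "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "h")


def expected_digest(params: Dict[str, str], secret: bytes) -> bytes:
    return hmac.new(secret, signing_string(params).encode(), hashlib.sha1).digest()


def sign(params: Dict[str, str], secret: bytes) -> str:
    return base64.b64encode(expected_digest(params, secret)).decode()


def parse_response(text: str) -> Dict[str, str]:
    """One k=v per line; a repeated key or a line without '=' is malformed."""
    params: Dict[str, str] = {}
    for line in text.splitlines():
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep or key in params:
            raise ValueError(f"malformed response line: {line!r}")
        params[key] = value
    return params


def naive_equal(a: bytes, b: bytes) -> Tuple[bool, int]:
    """What a plain string '==' does: stop at the first mismatch. Returns
    (equal, bytes examined) so the leak is visible without a stopwatch."""
    if len(a) != len(b):
        return False, 0
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return False, i + 1
    return True, len(a)


def bytes_examined_for_prefix(digest: bytes, prefix_len: int) -> int:
    """Forge a MAC whose first prefix_len bytes are right and count how far
    naive_equal gets: the count grows with the correct prefix, which is
    what a remote attacker measures as response time, one byte at a time."""
    forged = digest[:prefix_len] + bytes(b ^ 0xFF for b in digest[prefix_len:])
    return naive_equal(digest, forged)[1]


def verify_response(text: str, secret: bytes) -> bool:
    """Constant-time verification of h over the other parameters."""
    try:
        params = parse_response(text)
        given = base64.b64decode(params["h"], validate=True)
    except (KeyError, ValueError, binascii.Error):
        return False
    # Compare the decoded 20-byte digests, not the base64 text, and let
    # compare_digest do it: its running time depends on the length only.
    return len(given) == 20 and hmac.compare_digest(given, expected_digest(params, secret))


# Constructed sample of what a server holding CLIENT_SECRET would send.
SAMPLE_PARAMS = {
    "t": "2015-02-11T09:37:18Z0123",
    "otp": "vvvvvvvvvvvvcucrlcietctckflvnncdgckubflugerl",
    "nonce": "0123456789abcdef",
    "sl": "100",
    "status": "OK",
}
SAMPLE_PARAMS["h"] = sign(SAMPLE_PARAMS, CLIENT_SECRET)
SAMPLE_RESPONSE = "\r\n".join(f"{k}={v}" for k, v in SAMPLE_PARAMS.items()) + "\r\n"

if __name__ == "__main__":
    print(verify_response(SAMPLE_RESPONSE, CLIENT_SECRET))            # True
    tampered = SAMPLE_RESPONSE.replace("status=OK", "status=REPLAYED_OTP")
    print(verify_response(tampered, CLIENT_SECRET))                   # False
    digest = expected_digest(SAMPLE_PARAMS, CLIENT_SECRET)
    print([bytes_examined_for_prefix(digest, n) for n in range(0, 21, 5)])  # [1, 6, 11, 16, 20]
```

Two points carry over to any client: compare the decoded digest bytes rather than the base64 strings, so that padding or encoding variants of the same bytes cannot be used to bypass or probe the check, and reject a response whose h is missing, unparseable or of the wrong length before any comparison is attempted.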
* Version 2.27 (released 2014-09-25)

* Further logging updates.

* ykval-munin-responses: Make log file configurable.

* ykval-munin-ksmresponses: New munin probe.

* Version 2.26 (released 2014-09-24)

* Logging updates.

* Optimization fix in the checksum scripts.

* Documentation fixes.

* Version 2.25 (released 2014-08-18)

* Now works with 'allow_url_fopen' == false.

* Always verifies SSL peer when syncing between servers via HTTPS.

* Version 2.24 (released 2013-09-18)

* Removed space after comma in the output of ykval-gen-clients.

* Include README in tarball.

* Version 2.23 (released 2013-04-17)

* Removed initial empty line from output for all commands.

* Use LF as EOL consistently.

* Updated release procedure.

* Version 2.22 (released 2013-03-12)

* Added the ability to send yk=all to ykval-resync.php to queue sync
  of all known active YubiKeys.

* Added ykval-synchronize to easily call ykval-resync.php on a remote
  server.

* Added ykval-gen-clients to generate API clients.

* Log query for POST requests too.

* Version 2.21 (released 2013-02-05)

* Fixed a problem that caused ykval-queue to terminate if the database
  was not available initially.

* Version 2.20 (released 2013-01-31)

* Add ChangeLog generation using git2cl.

* Changed location of files to /usr/share/yubikey-val, etc.

* Changed location of configuration files to /etc/yubico/val/.

* Made import/export scripts use comma separation, instead of tabs.

* Added a working ykval-config.php that looks for a ksm on localhost.

* Removed System_Daemon dependency and made ykval-queue a simple
  backgroundable process that can be daemonized using for instance
  an init.d script.

* Added man pages for executables.

* Version 2.19 (released 2012-07-05)

* Refactor database code, allowing for other underlying implementations
  than PDO. Add a PDO and an Oracle (through php_oci) implementation.
  Based on patch from Remi Mollon <remi.mollon@cern.ch>

* Fix for ykval-export running on postgres.

* Add resync.php to request new sync of public id.

* Add munin plugin for statistics.

* Version 2.18 (released 2012-06-15)

* Logging mistakes that broke 2.17 fixed.

* Version 2.17 (released 2012-06-15)

* Logging improvements.
  Use ykval-verify/ykval-sync correctly for whole flow.
  Clarify/degrade various logging messages.

* Fix mysql error introduced in 2.14, also logs
  database updated/not updated correctly.

* Accept sync for disabled keys, but still answer BAD_OTP.

* Remove from sync queue on BAD_OTP answer.

* Add munin plugin for response types.

* Version 2.16 (released 2012-06-13)

* Improved logging.

* Improved performance of large sync queues.

* Version 2.15 (released 2012-05-24)

* Add export/import scripts for clients table.

* Insert default values in $sl and $timeout if they are empty,
  which they will be if the client didn't request them.

* Version 2.14 (released 2012-05-22)

* Add support for reconnecting to database after errors.

* Fixes for PHP warnings.

* Detect timeouts and errors in munin checks.

* Version 2.13 (released 2012-05-16)

* Fix signature checking broken in 2.12 and for dvorak OTPs.

* Fixes for ykval-checksum-clients.php.

* Version 2.12 (released 2012-05-09)

* Fix using 'fast' or 'secure' as sync level.

* Fix database setup script to make nonce max 40 characters.

* Version 2.11 (released 2011-11-16)

* Silence PHP warnings. Patch from Hiroki Nose.

* Include munin scripts in tarball. From Fredrik Thulin.

* Support for DESTDIR in 'make install'. From Fredrik Thulin.

* Reorder includes to allow for dbi-settings through
  ykval-config.php. From Fredrik Thulin.

* Install non-bin PHP files with --mode 644 to avoid executable bit.
  From Fredrik Thulin.

* Fix two remaining non-portable uses of rowCount.

* Version 2.10 (released 2011-08-18)

* Don't echo (unsanitized) OTP/NONCE values back to client when
  sending error codes. Reported by Paul van Empelen.

  Resolving this problem protects (arguably buggy) clients against
  an attack. Prior versions of the Yubico C and PHP clients do not
  appear to exhibit this bug. We provide an analysis of the issue
  below so that you can review client implementations for the
  problem. Note that you do not have to fix clients if you are
  using this server version (or later), although we recommend it
  anyway.

  If the client sends an OTP value that ends with '%0astatus=OK' the
  server output will contain a line 'status=ok' before the real
  status code status=MISSING_PARAMETER. Note lower-casing of the
  injected status code, so that it doesn't match a correct
  'status=OK' response. Note also that the OTP value would fail
  normal input validation checks in the client.

  If the client sends a NONCE value that ends with '%0astatus=OK'
  the output will contain a line consisting of 'status=OK' before
  the correct status=MISSING_PARAMETER. However, the NONCE value is
  generated by client code internally and does not come from any
  untrusted source, thus the impact here is limited -- if an
  attacker is able to trick a client into sending a crafted NONCE
  value the attacker is normally able to modify the client code
  somehow, and can thus trick the client in other ways as well.
  Similar issues apply to the ID field, which is normally also under
  control of the trusted client code and not something an attacker
  could influence.

  Thus, this server-side fix solves a client-side issue that we
  believe would only occur when both of these conditions are true:

  1) the client does not do proper input validation of the OTP, and
  2) the client incorrectly parses 'status=ok' as 'status=OK'.

  or when the following condition is true

  A) the client can be tricked into sending a crafted NONCE or ID
     value.
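The analysis above run as an added Python model; this is not yubikey-val's PHP, and it reproduces only what the entry describes: the server URL-decodes the query, answers MISSING_PARAMETER when the OTP or nonce is malformed and, before 2.10, echoed the raw otp/nonce values into that error reply. It shows the server before and after the change, a client meeting conditions 1 and 2 (and one meeting only condition 1, which the nonce variant still fools), and a client that does the input validation and strict parsing that defeat both variants. normalize_otp also accepts the US Dvorak image of the modhex alphabet that the server supports, so a validating client does not reject Dvorak-typed OTPs. The timestamp, OTP and nonce are constructed, and the nonce rule (16 to 40 alphanumerics) is an assumption of this example.

```python
"""Model of the response-line injection fixed in 2.10 and of the checks
that stop it on both sides.

Added example, not yubikey-val's PHP. It reproduces only what the entry
above describes: the server URL-decodes the query, answers
MISSING_PARAMETER when the OTP or nonce is malformed and, before 2.10,
echoed the raw otp/nonce values into that error reply. Timestamp, OTP
and nonce are constructed; the nonce rule is an assumption; the Dvorak
alphabet is the image of the modhex keys on a US Dvorak layout.
"""
import re
from typing import Dict, Optional
from urllib.parse import parse_qsl, quote

MODHEX = "cbdefghijklnrtuv"            # standard YubiKey modhex alphabet
DVORAK_MODHEX = "jxe.uidchtnbpygk"     # same keys typed on a US Dvorak layout
_DVORAK_TO_MODHEX = str.maketrans(DVORAK_MODHEX, MODHEX)
_MODHEX_RE = re.compile(r"[cbdefghijklnrtuv]{32,48}")   # 0-16 char id + 32 char token
_DVORAK_RE = re.compile(r"[jxe.uidchtnbpygk]{32,48}")
_NONCE_RE = re.compile(r"[A-Za-z0-9]{16,40}")           # assumed nonce rule


def normalize_otp(otp: str) -> Optional[str]:
    """Modhex form of a syntactically valid OTP, or None. Uses fullmatch
    rather than a '$' anchor, which would let a trailing newline through."""
    otp = otp.strip().lower()
    if _MODHEX_RE.fullmatch(otp):
        return otp
    if _DVORAK_RE.fullmatch(otp):
        return otp.translate(_DVORAK_TO_MODHEX)
    return None


def handle_verify(query: str, echo_unsanitized: bool) -> Optional[str]:
    """Error path of the verify endpoint. Returns the reply for malformed
    input; well-formed input would continue to KSM decryption and counter
    checks, which are not modelled here (returns None)."""
    params = dict(parse_qsl(query, keep_blank_values=True))
    otp = params.get("otp", "").lower()     # the server lower-cases the OTP
    nonce = params.get("nonce", "")
    if normalize_otp(otp) is not None and _NONCE_RE.fullmatch(nonce):
        return None
    lines = ["t=2011-08-18T14:19:15Z0000"]  # constructed timestamp
    if echo_unsanitized:                     # behaviour before 2.10
        lines += [f"otp={otp}", f"nonce={nonce}"]
    lines.append("status=MISSING_PARAMETER")
    return "\r\n".join(lines) + "\r\n"


def sloppy_client_accepts(resp: str, case_sensitive: bool = False) -> bool:
    """Buggy client: the first status line wins. With case_sensitive=False
    it also treats 'status=ok' as 'status=OK' (condition 2 above)."""
    for line in resp.splitlines():
        key, _, value = line.partition("=")
        if key == "status":
            return value == "OK" if case_sensitive else value.upper() == "OK"
    return False


def strict_client_accepts(resp: str, sent_otp: str, sent_nonce: str) -> bool:
    """Case-sensitive parse, any repeated key rejected, and the echoed otp
    and nonce must equal what was sent. (Signature check omitted.)"""
    params: Dict[str, str] = {}
    for line in resp.splitlines():
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep or key in params:
            return False
        params[key] = value
    return (params.get("status") == "OK"
            and params.get("otp") == sent_otp
            and params.get("nonce") == sent_nonce)


def client_build_query(client_id: int, otp: str, nonce: str) -> str:
    """Condition 1 above: a client that validates the OTP never puts a
    crafted value on the wire in the first place."""
    normalized = normalize_otp(otp)
    if normalized is None:
        raise ValueError("OTP failed input validation")
    return f"id={client_id}&otp={quote(normalized)}&nonce={quote(nonce)}"


VALID_OTP = "vvvvvvvvvvvvcucrlcietctckflvnncdgckubflugerl"  # constructed
NONCE = "0123456789abcdef"                                   # constructed
DVORAK_OTP = VALID_OTP.translate(str.maketrans(MODHEX, DVORAK_MODHEX))
# Crafted queries: an encoded newline followed by a fake status line.
CRAFTED_OTP_QUERY = f"id=1&otp={VALID_OTP}%0astatus=OK&nonce={NONCE}"
CRAFTED_NONCE_QUERY = f"id=1&otp={VALID_OTP}&nonce={NONCE}%0astatus=OK"

if __name__ == "__main__":
    before = handle_verify(CRAFTED_OTP_QUERY, echo_unsanitized=True)
    after = handle_verify(CRAFTED_OTP_QUERY, echo_unsanitized=False)
    print(before)   # contains an injected 'status=ok' line before the real status
    print(sloppy_client_accepts(before), sloppy_client_accepts(after))   # True False
```

The nonce variant is the instructive one: because the server does not lower-case the nonce, the injected line is an exact 'status=OK', so a client that is case-sensitive but takes the first status line it sees is still fooled. Rejecting duplicate keys, and checking that the echoed otp and nonce are the ones sent, closes that without relying on the server-side fix.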
* Version 2.9 (released 2011-05-09)

* Support multiple IP authorizations in ykval-revoke.php.

* Version 2.8 (released 2011-01-06)

* Support YubiKey OTPs filtered through a US Dvorak keyboard layout.

* Added ykval_-vallatency Munin probe to measure latency to other
  validation instances, for both IPv4 and IPv6.

* Version 2.7 (released 2010-09-12)

* Sanity check input OTP variable to avoid any chance of SQL injections.
  Reported by Ricky Zhou.

* Timestamp request and response because syslog doesn't record the year
  or sub-second resolution.

* Log whether HTTPS is used or not.

* Version 2.6 (released 2010-08-02)

* Don't use rowCount in ykval-revoke; there seems to be some problem
  with the rowCount function.

* Add Munin plugin to measure KSM latency and queue length.

* Version 2.5 (released 2010-05-17)

* Fix undefined warnings, issue #8.

* Don't use PDO rowCount function to get number of rows returned
  because that isn't portable. Patch from arte42.ripe in issue #7
  (yubikey-val-2.1-php-rowcount.patch).

* When number of sync servers equals zero, set sync result to success.
  Patch from arte42.ripe in issue #7 (yubikey-val-2.1-syncres.patch).

* When there is only one KSM, use more portable code without async.
  Patch from arte42.ripe in issue #7 (yubikey-val-2.1-php-curl.patch).

* Add files COPYING and AUTHORS.

* Version 2.4 (released 2010-03-16)

* Fix bug in ykval-checksum-clients.php when used with PostgreSQL.

* Version 2.3 (released 2010-03-12)

* Add ykval-checksum-clients.php, see doc/SyncMonitor.wiki.

* Version 2.2 (released 2010-02-22)

* Minor cleanups and fixes.

* Add ykval-revoke.php service, see doc/RevocationService.wiki.

* Version 2.1 (released 2010-01-29)

* Minor cleanups and fixes.

* Version 2.0 (released 2010-01-18)

* Major re-design to support a new architecture with replicated
  servers.

* Version 1.1 (released 2009-11-19)

* Stable release of non-replicated server.