* Version 2.10 unreleased *

* Don't echo (unsanitized) OTP/NONCE values back to the client when sending
  error codes.  Reported by Paul van Empelen.

  Resolving this problem protects (arguably buggy) clients against an
  attack.  Prior versions of the Yubico C and PHP clients do not appear to
  exhibit this bug.  We provide an analysis of the issue below so that you
  can review client implementations for the problem.  Note that you do not
  have to fix clients if you are using this server version (or later),
  although we recommend it anyway.

  If the client sends an OTP value that ends with '%0astatus=OK', the server
  output will contain a line 'status=ok' before the real status code
  status=MISSING_PARAMETER.  Note the lower-casing of the injected status
  code (the server lower-cases the OTP before use), so that it doesn't match
  a correct 'status=OK' response.  Note also that such an OTP value would
  fail normal input validation checks in the client.

  If the client sends a NONCE value that ends with '%0astatus=OK', the output
  will contain a line consisting of 'status=OK' before the correct
  status=MISSING_PARAMETER.  However, the NONCE value is generated internally
  by client code and does not come from any untrusted source, so the impact
  here is limited: if an attacker is able to trick a client into sending a
  crafted NONCE value, the attacker is normally able to modify the client
  code somehow, and can thus trick the client in other ways as well.
  Similar issues apply to the ID field, which is normally also under the
  control of the trusted client code and not something an attacker could
  influence.

  Thus, this server-side fix solves a client-side issue that we believe
  would only occur when both of these conditions are true:

    1) the client does not do proper input validation of the OTP, and
    2) the client incorrectly parses 'status=ok' as 'status=OK',

  or when the following condition is true:

    A) the client can be tricked into sending a crafted NONCE or ID value.

* Version 2.9 released 2011-05-09 *

* Support multiple IP authorizations in ykval-revoke.php.
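The following is an added example and is not code from yubikey-val or from the Yubico C/PHP clients. It models the 2.10 entry above in Python: a pre-2.10 style error response that echoes the OTP and NONCE unsanitized (lower-casing the OTP, as the entry describes), the 2.10 behaviour modelled as echoing only values that pass a strict whitelist, and a lax client parser beside a strict one so the two client-side conditions from the entry can be seen failing and passing. The response format is reduced to the key=value lines the entry talks about; the modhex and nonce patterns, field handling and all function names are assumptions made for the example.

```python
"""Added example (not yubikey-val code): response injection via OTP/NONCE
and the client-side checks that make it harmless."""
import re
from urllib.parse import parse_qs

# Assumed client-side rules: a YubiKey OTP is 32 to 48 modhex characters,
# a nonce is 16 to 40 alphanumerics.
MODHEX_RE = re.compile(r"^[cbdefghijklnrtuv]{32,48}$")
NONCE_RE = re.compile(r"^[A-Za-z0-9]{16,40}$")


def parse_request(query):
    """Decode the query string the way a PHP server sees $_GET: '%0a' becomes a
    newline and only the first '=' of each pair separates key from value."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def error_response_pre_210(params, status):
    """Pre-2.10 behaviour (modelled): echo otp/nonce unsanitized.  The OTP is
    lower-cased before use, so 'status=OK' smuggled in via the OTP comes back
    as 'status=ok', while the same payload in the nonce keeps its case."""
    lines = []
    if "otp" in params:
        lines.append("otp=" + params["otp"].lower())
    if "nonce" in params:
        lines.append("nonce=" + params["nonce"])
    lines.append("status=" + status)
    return "\n".join(lines) + "\n"


def error_response_210(params, status):
    """2.10 behaviour (modelled): only echo values that match a strict
    whitelist, so a value carrying a newline never reaches the body."""
    lines = []
    otp = params.get("otp", "").lower()
    if MODHEX_RE.match(otp):
        lines.append("otp=" + otp)
    nonce = params.get("nonce", "")
    if NONCE_RE.match(nonce):
        lines.append("nonce=" + nonce)
    lines.append("status=" + status)
    return "\n".join(lines) + "\n"


def parse_status_lax(body):
    """Buggy client: first 'status' line wins and the value is upper-cased,
    so the injected 'status=ok' is accepted as 'status=OK'."""
    for line in body.splitlines():
        key, _, value = line.partition("=")
        if key.strip().lower() == "status":
            return value.strip().upper()
    return None


def parse_status_strict(body):
    """Careful client: exact key, exact case, exactly one status line."""
    found = None
    for line in body.splitlines():
        key, sep, value = line.partition("=")
        if sep and key == "status":
            if found is not None:
                return "BAD_RESPONSE"  # a second status line means injection or tampering
            found = value
    return found if found is not None else "BAD_RESPONSE"


def client_verify(otp, body):
    """Client flow: validate the OTP locally before trusting any response for
    it, then parse the response strictly."""
    if not MODHEX_RE.match(otp):
        return "BAD_OTP"
    return parse_status_strict(body)


GOOD_OTP = "cccccccccccccccccccccccccccccccc"  # constructed: 32 x 'c'

if __name__ == "__main__":
    # Constructed attack request: the OTP ends with %0astatus=OK.
    req = parse_request("otp=" + GOOD_OTP + "%0astatus=OK&nonce=aaaaaaaaaaaaaaaa")
    print("pre-2.10 body:\n" + error_response_pre_210(req, "MISSING_PARAMETER"))
    print("2.10 body:\n" + error_response_210(req, "MISSING_PARAMETER"))
```

Running the module prints both server bodies for the OTP attack; the lax parser returns OK for the pre-2.10 body while `client_verify` rejects the OTP before parsing, and the 2.10 body carries no injected line at all. The nonce variant shows the case difference the entry points out: the injected line comes back as 'status=OK', and only the duplicate-status check in the strict parser catches it.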
* Version 2.8 released 2011-01-06 *

* Support YubiKey OTPs filtered through a US Dvorak keyboard layout.

* Added ykval_vallatency Munin probe to measure latency to other validation
  instances, for both IPv4 and IPv6.

* Version 2.7 released 2010-09-12 *

* Sanity check the input OTP variable to avoid any chance of SQL injection.
  Reported by Ricky Zhou.

* Timestamp request and response because syslog records neither the year
  nor sub-second resolution.

* Log whether HTTPS is used or not.

* Version 2.6 released 2010-08-02 *

* Don't use rowCount in ykval-revoke; there seems to be some problem with
  the rowCount function.

* Add Munin plugin to measure KSM latency and queue length.

* Version 2.5 released 2010-05-17 *

* Fix undefined warnings, issue #8.

* Don't use the PDO rowCount function to get the number of rows returned,
  because that isn't portable.  Patch from arte42.ripe in issue #7
  (yubikey-val-2.1-php-rowcount.patch).

* When the number of sync servers equals zero, set the sync result to
  success.  Patch from arte42.ripe in issue #7
  (yubikey-val-2.1-syncres.patch).

* When there is only one KSM, use more portable code without async.  Patch
  from arte42.ripe in issue #7 (yubikey-val-2.1-php-curl.patch).

* Add files COPYING and AUTHORS.

* Version 2.4 released 2010-03-16 *

* Fix bug in ykval-checksum-clients.php when used with PostgreSQL.

* Version 2.3 released 2010-03-12 *

* Add ykval-checksum-clients.php, see doc/SyncMonitor.wiki.

* Version 2.2 released 2010-02-22 *

* Minor cleanups and fixes.

* Add ykval-revoke.php service, see doc/RevocationService.wiki.

* Version 2.1 released 2010-01-29 *

* Minor cleanups and fixes.

* Version 2.0 released 2010-01-18 *

* Major re-design to support a new architecture with replicated servers.

* Version 1.1 released 2009-11-19 *

* Stable release of non-replicated server.