mirror of
https://github.com/Yubico/yubikey-val.git
synced 2024-11-28 15:24:14 +01:00
365 lines
10 KiB
Plaintext
365 lines
10 KiB
Plaintext
* Version 2.42 (unreleased)
|
|
|
|
* Version 2.41 (released 2020-03-11)
|
|
|
|
* Redo release using the correct signing process.
|
|
|
|
* Version 2.40 (released 2020-03-03)
|
|
|
|
* Enhanced data validation to address YSA-2020-01.
|
|
|
|
* Re-indent everything according to PEAR standard.
|
|
|
|
* Version 2.39 (released 2016-11-01)
|
|
|
|
* Minor documentation fix.
|
|
|
|
* Version 2.38 (released 2016-06-08)
|
|
|
|
* Silence PHP notice when using curl handles as array keys.
|
|
|
|
* Version 2.37 (released 2016-05-17)
|
|
|
|
* Avoid PHP notices/warnings when receiving empty verify requests.
|
|
|
|
* Version 2.36 (released 2016-05-16)
|
|
|
|
* Commit to either $_GET or $_POST early in request handling.
|
|
|
|
* Use CURLINFO_EFFECTIVE_URL instead of CURLINFO_PRIVATE in synclib.
|
|
|
|
* Run tests for PHP 7.0.
|
|
|
|
* Version 2.35 (released 2016-04-19)
|
|
|
|
* Fixed install target in Makefile to include ykval-log-verify.php
|
|
|
|
* Version 2.34 (released 2016-04-18)
|
|
|
|
* Added __YKVAL_VERIFY_LOGFORMAT__ to optionally provide a
|
|
single line to log verify requests.
|
|
|
|
* ykval-synclib does parallel sync with peers.
|
|
i.e. instead of totally draining a peer queue before moving
|
|
to the next peer, we drain a bit of each peer on each run.
|
|
|
|
* Documentation fixes.
|
|
|
|
* Version 2.33 (released 2015-10-05)
|
|
|
|
* Modified a LOG_INFO message,
|
|
multiple key=val are separated by two spaces instead of one.
|
|
|
|
* Added http://127.0.0.1:80 to default ksm service.
|
|
|
|
* Refactoring and internal improvements.
|
|
|
|
* Version 2.32 (released 2015-09-14)
|
|
|
|
* Fixed erroneous log messages and whitespace output.
|
|
|
|
* Refactoring and internal improvements.
|
|
|
|
* Version 2.31 (released 2015-09-10)
|
|
|
|
* Fix issues introduced in 2.30.
|
|
|
|
* PHP Fatal error when receiving an empty sync request,
|
|
due to not initialising the logging boiler plate early enough.
|
|
|
|
* PHP Notice when writing a LOG_INFO message,
|
|
due to an incorrect sprintf argument passing.
|
|
|
|
* Version 2.30 (released 2015-09-09)
|
|
|
|
* Refactoring and internal improvements.
|
|
|
|
* Better robustness and minor performance improvements.
|
|
|
|
* Bug fixes in logging framework and message output.
|
|
|
|
* Preference towards TLS by default.
|
|
|
|
* ykval-queue exits automatically on single node configurations.
|
|
|
|
* Rewrote ksmlatency, vallatency & queuelength munin plugins.
|
|
|
|
* Munin plugins use libcurl rather than curl system binaries.
|
|
|
|
* Version 2.29 (released 2015-05-27)
|
|
|
|
* Allow curl options to be set from config file.
|
|
|
|
* Version 2.28 (released 2015-02-11)
|
|
|
|
* Refactor munin quelenegth plugin to show what is queued.
|
|
|
|
* Add ykval-nagios-queuelength.
|
|
|
|
* Use constant time string comparisson for validating HMAC signature.
|
|
|
|
* Version 2.27 (released 2014-09-25)
|
|
|
|
* Further logging updates.
|
|
|
|
* ykval-munin-responses: Make log file configurable.
|
|
|
|
* ykval-munin-ksmresponses: New munin probe.
|
|
|
|
* Version 2.26 (released 2014-09-24)
|
|
|
|
* Logging updates.
|
|
|
|
* Optimization fix in the checksum scripts.
|
|
|
|
* Documentation fixes.
|
|
|
|
* Version 2.25 (released 2014-08-18)
|
|
|
|
* Now works with 'allow_url_fopen' == false.
|
|
|
|
* Always verifies SSL peer when syncing between servers via HTTPS.
|
|
|
|
* Version 2.24 (released 2013-09-18)
|
|
|
|
* Removed space after comma in the output of ykval-gen-clients.
|
|
|
|
* Include README in tarball.
|
|
|
|
* Version 2.23 (released 2013-04-17)
|
|
|
|
* Removed initial empty line from output for all commands.
|
|
|
|
* Use LF as EOL consistently.
|
|
|
|
* Updated release procedure.
|
|
|
|
* Version 2.22 (released 2013-03-12)
|
|
|
|
* Added the ability to send yk=all to ykval-resync.php to queue sync
|
|
of all known active YubiKeys.
|
|
|
|
* Added ykval-synchronize to easily call ykval-resync.php on a remote
|
|
server.
|
|
|
|
* Added ykval-gen-clients to generate API clients.
|
|
|
|
* Log query for POST requests too.
|
|
|
|
* Version 2.21 (released 2013-02-05)
|
|
|
|
* Fixed a problem that caused ykval-queue to terminate if the database
|
|
was not available initially.
|
|
|
|
* Version 2.20 (released 2013-01-31)
|
|
|
|
* Add ChangeLog generation using git2cl.
|
|
|
|
* Changed location of files to /usr/share/yubikey-val, etc.
|
|
|
|
* Changed location of configuration files to /etc/yubico/val/.
|
|
|
|
* Made import/export scripts use comma separation, instead of tabs.
|
|
|
|
* Added a working ykval-config.php that looks for a ksm on localhost.
|
|
|
|
* Removed System_Daemon dependency and made ykval-queue a simple
|
|
backgroundable process that can be daemonized using for instance
|
|
and init.d script.
|
|
|
|
* Added man pages for executables.
|
|
|
|
* Version 2.19 (released 2012-07-05)
|
|
|
|
* Refactor database code, allowing for other underlying implementations
|
|
than PDO. Add a PDO and an Oracle (through php_oci) implementation.
|
|
Based on patch from Remi Mollon <remi.mollon@cern.ch>
|
|
|
|
* Fix for ykval-export running on postgres.
|
|
|
|
* Add resync.php to request new sync of public id.
|
|
|
|
* Add munin plugin for statistics.
|
|
|
|
* Version 2.18 (released 2012-06-15)
|
|
|
|
* Logging misstakes that broke 2.17 fixed.
|
|
|
|
* Version 2.17 (released 2012-06-15)
|
|
|
|
* Logging improvements.
|
|
use ykval-verify/ykval-sync correctly for whole flow
|
|
clarify/degrade various logging messages
|
|
|
|
* Fix mysql error introduced in 2.14, also logs
|
|
database updated/not updated correctly.
|
|
|
|
* Accept sync for disabled keys, but still answer BAD_OTP.
|
|
|
|
* Remove from sync queue on BAD_OTP answer.
|
|
|
|
* Add munin plugin for response types.
|
|
|
|
* Version 2.16 (released 2012-06-13)
|
|
|
|
* Improved logging.
|
|
|
|
* Improved performance of large sync queues.
|
|
|
|
* Version 2.15 (released 2012-05-24)
|
|
|
|
* Add export/import scripts for clients table.
|
|
|
|
* Insert default values in $sl and $timeout if they are empty.
|
|
And they will be empty if the client didn't request them.
|
|
|
|
* Version 2.14 (released 2012-05-22)
|
|
|
|
* Add support for reconnecting to database after errors.
|
|
|
|
* Fixes for PHP warnings.
|
|
|
|
* Detect timeouts and errors in munin checks.
|
|
|
|
* Version 2.13 (released 2012-05-16)
|
|
|
|
* Fix signature checking broken in 2.12 and for dvorak OTPs.
|
|
|
|
* Fixes for ykval-checksum-clients.php
|
|
|
|
* Version 2.12 (released 2012-05-09)
|
|
|
|
* Fix using 'fast' or 'secure' as sync level.
|
|
|
|
* Fix database setup script to make nonce max 40 characters.
|
|
|
|
* Version 2.11 (released 2011-11-16)
|
|
|
|
* Silence PHP warnings. Patch from Hiroki Nose.
|
|
|
|
* Include munin scripts in tarball. From Fredrik Thulin.
|
|
|
|
* Support for DESTDIR in 'make install'. From Fredrik Thulin.
|
|
|
|
* Reorder include's to allow for dbi-settings through
|
|
ykval-config.php. From Fredrik Thulin.
|
|
|
|
* Install non-bin PHP files with --mode 644 to avoid executable bit.
|
|
From Fredrik Thulin.
|
|
|
|
* Fix two remaining non-portable uses of rowCount.
|
|
|
|
* Version 2.10 (released 2011-08-18)
|
|
|
|
* Don't echo (unsanitized) OTP/NONCE values back to client when
|
|
sending error codes. Reported by Paul van Empelen.
|
|
|
|
Resolving this problem protects (arguably buggy) clients against
|
|
an attack. Prior versions of the Yubico C and PHP clients do not
|
|
appear to exhibit this bug. We provide an analysis of the issue
|
|
below so that you can review client implementations for the
|
|
problem. Note that you do not have to fix clients if you are
|
|
using this server version (or later), although we recommend it
|
|
anyway.
|
|
|
|
If the client sends a OTP value that ends with '%0astatus=OK' the
|
|
server output will contain a line 'status=ok' before the real
|
|
status code status=MISSING_PARAMETER. Note lower-casing of the
|
|
injected status code, so that it doesn't match a correct
|
|
'status=OK' response. Note also that the OTP value would fail
|
|
normal input validation checks in the client.
|
|
|
|
If the client sends a NONCE value that ends with '%0astatus=OK'
|
|
the output will contain a line consisting of 'status=OK' before
|
|
the correct status=MISSING_PARAMETER. However, the NONCE value is
|
|
generated by client code internally and does not come from any
|
|
untrusted source, thus the impact here is limited -- if an
|
|
attacker is able to trick a client into sending a crafted NONCE
|
|
value the attacker is normally able to modify the client code
|
|
somehow, and can thus trick the client in other ways as well.
|
|
Similar issues apply to the ID field, which is normally also under
|
|
control of the trusted client code and not something an attacker
|
|
could influence.
|
|
|
|
Thus, this server-side fix solve a client-side issue that we
|
|
believe would only occur when both of these conditions are true:
|
|
|
|
1) the client does not do proper input validation of the OTP, and
|
|
2) the client incorrectly parses 'status=ok' as 'status=OK'.
|
|
|
|
or when the following condition is true
|
|
|
|
A) the client can be tricked into sending a crafted NONCE or ID
|
|
value.
|
|
|
|
* Version 2.9 (released 2011-05-09)
|
|
|
|
* Support multiple IP authorizations in ykval-revoke.php.
|
|
|
|
* Version 2.8 (released 2011-01-06)
|
|
|
|
* Support YubiKey OTPs filtered through a US Dvorak keyboard layout.
|
|
|
|
* Added ykval_-vallatency Munin probe to measure latency to other
|
|
validation instances, for both IPv4 and IPv6.
|
|
|
|
* Version 2.7 (released 2010-09-12)
|
|
|
|
* Sanity check input OTP variable to avoid any chance of SQL injections.
|
|
Reported by Ricky Zhou.
|
|
|
|
* Timestamp request and response because syslog doesn't record year
|
|
nor sub-second resolution.
|
|
|
|
* Log whether HTTPS is used or not.
|
|
|
|
* Version 2.6 (released 2010-08-02)
|
|
|
|
* Don't use rowCount in ykval-revoke, there seems to be some problem
|
|
with the rowCount function.
|
|
|
|
* Add Munin plugin to measure KSM latency and queue length.
|
|
|
|
* Version 2.5 (released 2010-05-17)
|
|
|
|
* Fix undefined warnings, issue #8.
|
|
|
|
* Don't use PDO rowCount function to get number of rows returned
|
|
because that isn't portable. Patch from arte42.ripe in issue #7
|
|
(yubikey-val-2.1-php-rowcount.patch).
|
|
|
|
* When number of sync servers equals zero, set sync result to success.
|
|
Patch from arte42.ripe in issue #7 (yubikey-val-2.1-syncres.patch).
|
|
|
|
* When there is only one KSM, use more portable code without async.
|
|
Patch from arte42.ripe in issue #7 (yubikey-val-2.1-php-curl.patch).
|
|
|
|
* Add files COPYING and AUTHORS.
|
|
|
|
* Version 2.4 (released 2010-03-16)
|
|
|
|
* Fix bug in ykval-checksum-clients.php when used with PostgreSQL.
|
|
|
|
* Version 2.3 (released 2010-03-12)
|
|
|
|
* Add ykval-checksum-clients.php, see doc/SyncMonitor.wiki.
|
|
|
|
* Version 2.2 (released 2010-02-22)
|
|
|
|
* Minor cleanups and fixes.
|
|
|
|
* Add ykval-revoke.php service, see doc/RevocationService.wiki.
|
|
|
|
* Version 2.1 (released 2010-01-29)
|
|
|
|
* Minor cleanups and fixes.
|
|
|
|
* Version 2.0 (released 2010-01-18)
|
|
|
|
* Major re-design to support a new architecture with replicated
|
|
servers.
|
|
|
|
* Version 1.1 (released 2009-11-19)
|
|
|
|
* Stable release of non-replicated server.
|