mirror of
https://github.com/Yubico/yubikey-val.git
synced 2024-11-29 00:24:13 +01:00
159 lines
5.1 KiB
Plaintext
159 lines
5.1 KiB
Plaintext
* Version 2.16 unreleased
|
|
|
|
* Version 2.15 released 2012-05-24
|
|
|
|
* Add export/import scripts for clients table.
|
|
|
|
* Insert default values in $sl and $timeout if they are empty.
|
|
And they will be empty if the client didn't request them.
|
|
|
|
* Version 2.14 released 2012-05-22
|
|
|
|
* Add support for reconnecting to database after errors.
|
|
|
|
* Fixes for PHP warnings.
|
|
|
|
* Detect timeouts and errors in munin checks.
|
|
|
|
* Version 2.13 released 2012-05-16
|
|
|
|
* Fix signature checking broken in 2.12 and for dvorak OTPs.
|
|
|
|
* Fixes for ykval-checksum-clients.php
|
|
|
|
* Version 2.12 released 2012-05-09
|
|
|
|
* Fix using 'fast' or 'secure' as sync level.
|
|
|
|
* Fix database setup script to make nonce max 40 characters.
|
|
|
|
* Version 2.11 released 2011-11-16
|
|
|
|
* Silence PHP warnings. Patch from Hiroki Nose.
|
|
|
|
* Include munin scripts in tarball. From Fredrik Thulin.
|
|
|
|
* Support for DESTDIR in 'make install'. From Fredrik Thulin.
|
|
|
|
* Reorder include's to allow for dbi-settings through
|
|
ykval-config.php. From Fredrik Thulin.
|
|
|
|
* Install non-bin PHP files with --mode 644 to avoid executable bit.
|
|
From Fredrik Thulin.
|
|
|
|
* Fix two remaining non-portable uses of rowCount.
|
|
|
|
* Version 2.10 released 2011-08-18
|
|
|
|
* Don't echo (unsanitized) OTP/NONCE values back to client when
|
|
sending error codes. Reported by Paul van Empelen.
|
|
|
|
Resolving this problem protects (arguably buggy) clients against
|
|
an attack. Prior versions of the Yubico C and PHP clients do not
|
|
appear to exhibit this bug. We provide an analysis of the issue
|
|
below so that you can review client implementations for the
|
|
problem. Note that you do not have to fix clients if you are
|
|
using this server version (or later), although we recommend it
|
|
anyway.
|
|
|
|
If the client sends a OTP value that ends with '%0astatus=OK' the
|
|
server output will contain a line 'status=ok' before the real
|
|
status code status=MISSING_PARAMETER. Note lower-casing of the
|
|
injected status code, so that it doesn't match a correct
|
|
'status=OK' response. Note also that the OTP value would fail
|
|
normal input validation checks in the client.
|
|
|
|
If the client sends a NONCE value that ends with '%0astatus=OK'
|
|
the output will contain a line consisting of 'status=OK' before
|
|
the correct status=MISSING_PARAMETER. However, the NONCE value is
|
|
generated by client code internally and does not come from any
|
|
untrusted source, thus the impact here is limited -- if an
|
|
attacker is able to trick a client into sending a crafted NONCE
|
|
value the attacker is normally able to modify the client code
|
|
somehow, and can thus trick the client in other ways as well.
|
|
Similar issues apply to the ID field, which is normally also under
|
|
control of the trusted client code and not something an attacker
|
|
could influence.
|
|
|
|
Thus, this server-side fix solve a client-side issue that we
|
|
believe would only occur when both of these conditions are true:
|
|
|
|
1) the client does not do proper input validation of the OTP, and
|
|
2) the client incorrectly parses 'status=ok' as 'status=OK'.
|
|
|
|
or when the following condition is true
|
|
|
|
A) the client can be tricked into sending a crafted NONCE or ID
|
|
value.
|
|
|
|
* Version 2.9 released 2011-05-09
|
|
|
|
* Support multiple IP authorizations in ykval-revoke.php.
|
|
|
|
* Version 2.8 released 2011-01-06
|
|
|
|
* Support YubiKey OTPs filtered through a US Dvorak keyboard layout.
|
|
|
|
* Added ykval_-vallatency Munin probe to measure latency to other
|
|
validation instances, for both IPv4 and IPv6.
|
|
|
|
* Version 2.7 released 2010-09-12
|
|
|
|
* Sanity check input OTP variable to avoid any chance of SQL injections.
|
|
Reported by Ricky Zhou.
|
|
|
|
* Timestamp request and response because syslog doesn't record year
|
|
nor sub-second resolution.
|
|
|
|
* Log whether HTTPS is used or not.
|
|
|
|
* Version 2.6 released 2010-08-02
|
|
|
|
* Don't use rowCount in ykval-revoke, there seems to be some problem
|
|
with the rowCount function.
|
|
|
|
* Add Munin plugin to measure KSM latency and queue length.
|
|
|
|
* Version 2.5 released 2010-05-17
|
|
|
|
* Fix undefined warnings, issue #8.
|
|
|
|
* Don't use PDO rowCount function to get number of rows returned
|
|
because that isn't portable. Patch from arte42.ripe in issue #7
|
|
(yubikey-val-2.1-php-rowcount.patch).
|
|
|
|
* When number of sync servers equals zero, set sync result to success.
|
|
Patch from arte42.ripe in issue #7 (yubikey-val-2.1-syncres.patch).
|
|
|
|
* When there is only one KSM, use more portable code without async.
|
|
Patch from arte42.ripe in issue #7 (yubikey-val-2.1-php-curl.patch).
|
|
|
|
* Add files COPYING and AUTHORS.
|
|
|
|
* Version 2.4 released 2010-03-16
|
|
|
|
* Fix bug in ykval-checksum-clients.php when used with PostgreSQL.
|
|
|
|
* Version 2.3 released 2010-03-12
|
|
|
|
* Add ykval-checksum-clients.php, see doc/SyncMonitor.wiki.
|
|
|
|
* Version 2.2 released 2010-02-22
|
|
|
|
* Minor cleanups and fixes.
|
|
|
|
* Add ykval-revoke.php service, see doc/RevocationService.wiki.
|
|
|
|
* Version 2.1 released 2010-01-29
|
|
|
|
* Minor cleanups and fixes.
|
|
|
|
* Version 2.0 released 2010-01-18
|
|
|
|
* Major re-design to support a new architecture with replicated
|
|
servers.
|
|
|
|
* Version 1.1 released 2009-11-19
|
|
|
|
* Stable release of non-replicated server.
|