Release Notes v2.152
NeySlim edited this page May 8, 2026 · 1 revision
Stable release (2026-05-08). Security and RFC-compliance hardening pass across all PKI protocols (OCSP, CRL, ACME, EST, SCEP, TSA) and resource APIs (CAs, certs, CSRs, templates, RBAC, HSM, MSCA, SSO, webhooks, discovery, audit, reports, SSH, trust store).
Smoke-tested 6/6 on SQLite and PostgreSQL across Debian (DEB), RHEL/Fedora (RPM), and Docker. 33 migrations from-scratch on PostgreSQL verified.
For the previous releases see Release Notes v2.144 and the full CHANGELOG.
- 6 RFC-compliance fixes across OCSP (6960), CRL/profile (5280), ACME (8555/8737), TSA (3161/5035), EST (7030), SCEP (8894).
- 20+ resource APIs hardened with input whitelists, validity caps, encrypted-at-rest secrets, FK-guarded deletes, and proof-of-possession checks.
- 6 ACME server bypasses closed (account binding, order ownership, authz state machine, finalize URL, key change, deactivation).
- Silent regression fixed: CA and certificate import paths now encrypt private keys at rest.
- No breaking config changes, no manual operator action required.
- One new schema migration: `033_acme_authz_order_id_nullable.py` (ACME pre-authorisation per §7.4.1).
| Protocol | RFC | Fix |
|---|---|---|
| OCSP | 6960 | Mixed-format serial lookup, cache invalidation on revoke, correct keyHash, nonce bypasses cache, delegated responder must carry id-pkix-ocsp-nocheck |
| CRL | 5280 | Mixed-format serials, no silent truncation of serials >159 bits, auto-regen of expired CRL on CDP fetch |
| Cert profile | 5280 | 5 issues fixed in CA/CSR signing paths (SKI/AKI format, BasicConstraints, EKU consistency, KU bit ordering, validity bounds) |
| ACME | 8555 / 8737 | EAB JWK match via thumbprint, JWS algorithm allowlist (asymmetric only), wildcard restricted to DNS-01, ALPN extension marked critical, case-insensitive domains; pre-authz §7.4.1 (migration 033) |
| TSA | 3161 / 5035 | signing-certificate-v2 mandatory, body cap 64 KiB, correct PKIStatus separation |
| EST | 7030 | serverkeygen encrypts the generated key under the client mTLS pubkey, not the issued cert |
| SCEP | 8894 | Renewal rejected when signer cert expired or not yet valid |
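The ACME row above lists two checks that are easy to get wrong: matching the JWK inside the EAB payload to the outer account key via its RFC 7638 thumbprint, and allowlisting only asymmetric JWS algorithms on the outer JWS. The stdlib Python below is an added illustration, not code from ultimate-ca-manager; the function names and the sample JWK coordinate values are assumptions.

```python
import base64
import hashlib
import hmac
import json

# Asymmetric JWS algorithms accepted on the outer ACME JWS. RFC 8555 section 6.2
# forbids "none" and MAC-based algorithms there (only the EAB inner JWS is HMAC).
ACME_ASYMMETRIC_ALGS = frozenset({
    "RS256", "RS384", "RS512", "PS256", "PS384", "PS512",
    "ES256", "ES384", "ES512", "EdDSA",
})

# RFC 7638 section 3.2: the required public members per key type, nothing else.
_THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "OKP": ("crv", "kty", "x"),
}

def b64url(raw: bytes) -> str:
    """Base64url without padding, as JOSE requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required
    members, so member order and extras like kid/use/alg cannot change it."""
    members = _THUMBPRINT_MEMBERS.get(jwk.get("kty"))
    if members is None or any(m not in jwk for m in members):
        raise ValueError("unsupported or incomplete JWK")
    canonical = json.dumps({m: jwk[m] for m in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def outer_header_ok(protected: dict) -> bool:
    """Reject non-asymmetric algs and headers with both or neither of jwk/kid."""
    if protected.get("alg") not in ACME_ASYMMETRIC_ALGS:
        return False
    return ("jwk" in protected) != ("kid" in protected)

def eab_binds_account_key(outer_jwk: dict, eab_payload_jwk: dict) -> bool:
    """RFC 8555 section 7.3.4: the JWK in the EAB payload must be the key that
    signs the outer newAccount JWS. Compare thumbprints, not raw dicts."""
    return hmac.compare_digest(jwk_thumbprint(outer_jwk),
                               jwk_thumbprint(eab_payload_jwk))

# Constructed sample P-256 public JWK (not a real key) for exercising the checks.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": "sample_x_coordinate_base64url_AAAAAAAAAAAAAAAAAAAAAA",
               "y": "sample_y_coordinate_base64url_BBBBBBBBBBBBBBBBBBBBBB"}
```

Comparing thumbprints rather than the JWK dicts means a client cannot dodge the binding by reordering members or adding a `kid`, and the constant-time compare avoids leaking which prefix of the thumbprint matched.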
- CAs / Certs / CSRs — whitelisted key params, validity capped at 3650 days, URL validation (CRL DP / AIA / OCSP / IDP), HSM key lock on bind, EC curve whitelist, CSR proof-of-possession (`is_signature_valid`).
- Templates — cap `validity_days`, whitelist `key_type`/`digest`, fix import NULL.
- RBAC — reserved role names rejected (`admin`/`operator`/`viewer`), permission whitelist with wildcard, system roles immutable.
- SSO — PKCE (S256) + nonce on OIDC auth flow.
- HSM — provider secrets encrypted at rest, sign payload cap 1 MiB, FK-guarded deletes; runtime `pip install` opt-in via `UCM_ALLOW_RUNTIME_PIP=1` (default deny).
- Microsoft CA — fail-closed encryption, EOBO admin gate, audit, size caps.
- Webhooks — secret encrypted at rest, event allowlist, reserved headers locked, ≤64 events per webhook.
- Discovery — port validation, IPv6 subnet cap (≤1024), `update_profile` gated.
- Audit — trusted-proxy XFF, post-cleanup integrity check.
- Reports / SSH / Trust store — param caps, principal/extension caps, PEM size cap (256 KB), sync limit 1–1000.
- EAB — HMAC keys encrypted at rest.
- Users — self-change requires current password, ≥1 active admin invariant enforced.
- Decoder tools — `tools/decode-csr` and `tools/decode-cert` capped at 256 KiB → 413.
- Imports — CA / certificate import paths now encrypt private keys (silent regression — the previous lifecycle-mixin bypass stored base64-plain).
- 1676 backend tests + 461 frontend tests pass.
- 2 encryption tests made hermetic to host `master.key` (monkeypatch `MASTER_KEY_PATH`).
- RC validated 6/6 across DEB+RPM+Docker on both SQLite and PostgreSQL.
Drop-in replacement for v2.151. One migration (033) runs automatically at first boot.
- Docker Hub: `docker pull neyslim/ultimate-ca-manager:2.152`
- DEB: `wget https://github.com/NeySlim/ultimate-ca-manager/releases/download/v2.152/ucm_2.152_all.deb`
- RPM: `wget https://github.com/NeySlim/ultimate-ca-manager/releases/download/v2.152/ucm-2.152-1.fc43.noarch.rpm`