Release Notes v2.52
NeySlim edited this page Mar 2, 2026 · 1 revision
Release Date: 2025-07-14
Previous Version: v2.51
Download: GitHub Releases
- 🔍 Certificate Discovery — Network scanner to find, track, and manage TLS certificates across your infrastructure
- 🛡️ Security Hardening — 15 findings resolved: SSRF protection, brute-force lockouts, audit logging, encrypted secrets
- 🔒 Error Response Sanitization — ~150 API error responses no longer expose internal details
- Network Certificate Scanner — Scan hosts, IPs, and CIDR subnets for TLS certificates
- Quick Scan — Instant scan without saving a profile; enter targets and ports inline
- Scan Profiles — Save and manage reusable scan configurations with targets, ports, worker count
- Discovered Certificates Inventory — Track all found certs with managed/unmanaged/error/expired status
- Scan History — Browse past scan runs with duration, found/new/changed/error counts
- CSV & JSON Export — Export discovered certificates with all metadata
- SNI Probing — Multi-hostname TLS handshake (PTR, target, bare IP) for maximum coverage
- SAN Extraction — Extracts all Subject Alternative Names from discovered certificates
- Bulk DNS Resolution — Parallel PTR lookups for IP-based targets
- WebSocket Progress — Real-time scan progress updates in the UI
- Split-View Layout — Table + detail panel side-by-side for discovered certs, profiles, and history
- Clickable Stats — Click stat cards to filter the table (managed, unmanaged, expired, errors)
- Error Visibility — Scan errors shown in results with troubleshooting hints
- SSRF Protection — Blocks scanning of loopback, link-local, multicast, and reserved IPs
- DNS Rebinding Protection — PTR hostname validated with forward DNS resolution
- 2FA Brute-Force Protection — 5 attempt limit with 15-minute lockout for TOTP verification
- WebAuthn Brute-Force Protection — Same lockout pattern for FIDO2/WebAuthn verification
- User Enumeration Prevention — Generic error messages for WebAuthn credential lookup
- SSO Audit Logging — OAuth2 and SAML login success/failure events logged to audit trail
- LDAP Audit Logging — LDAP authentication attempts logged with success/failure
- LDAP Password Encryption — LDAP bind passwords encrypted at rest with master key
- mTLS Trusted Proxies — `UCM_TRUSTED_PROXIES` env var limits which reverse proxies can inject client certs
- SSO Rate Limiting — OAuth2 callback and LDAP login endpoints rate-limited
- Discovery Input Validation — Target format regex, port range validation (1–65535), field length limits
- Error Responses — ~150 API error responses no longer expose internal details (`str(e)` → generic messages)
- UI Density — Discovery page uses modern split-view layout consistent with other pages
- 15 security findings identified and resolved (2 CRITICAL, 6 HIGH, 5 MEDIUM, 2 LOW)
- All findings verified with functional tests (SSRF blocked, XSS rejected, invalid ports sanitized)
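As an added illustration (example code, not the project's own) of the discovery-side checks listed above: the SSRF guard that refuses loopback, link-local, multicast and reserved space, the 1–65535 port validation, and the forward-DNS check a PTR hostname must pass before it is used for SNI. The function names, the injectable resolver and the CIDR expansion are assumptions made for this example; the target format regex and field length limits are left out.

```python
import ipaddress
import socket
from typing import Callable, Iterable, List, Optional


def is_scannable_ip(ip: str) -> bool:
    # SSRF guard: refuse loopback, link-local, multicast and reserved space.
    # is_unspecified (0.0.0.0 / ::) is an extra check added in this example.
    try:
        a = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not (a.is_loopback or a.is_link_local or a.is_multicast
                or a.is_reserved or a.is_unspecified)


def validate_ports(ports: Iterable[int]) -> List[int]:
    # Port range validation (1-65535), duplicates removed.
    out = sorted({int(p) for p in ports})
    if not out or out[0] < 1 or out[-1] > 65535:
        raise ValueError("ports must be within 1-65535")
    return out


def scannable_hosts(target: str) -> List[str]:
    # Expand one target (IP literal or CIDR block) and drop guarded addresses.
    # Anything else is treated as a hostname and kept; the guard must run again
    # on the addresses it resolves to before any TLS probe is sent.
    try:
        net = ipaddress.ip_network(target, strict=False)
    except ValueError:
        return [target]
    hosts = [net.network_address] if net.num_addresses == 1 else net.hosts()
    return [str(h) for h in hosts if is_scannable_ip(str(h))]


def forward_lookup(name: str) -> List[str]:
    # Real A/AAAA resolution; tests inject a fake resolver instead.
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})


def ptr_name_for_sni(ip: str, ptr_name: str,
                     resolve: Callable[[str], List[str]] = forward_lookup) -> Optional[str]:
    # DNS-rebinding guard: trust a PTR hostname for SNI only if its forward
    # resolution still contains the scanned IP (compared as addresses, so
    # IPv6 spelling differences do not matter).
    try:
        forward = {ipaddress.ip_address(a) for a in resolve(ptr_name)}
        return ptr_name if ipaddress.ip_address(ip) in forward else None
    except (OSError, ValueError):
        return None
```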
- EST Management Page — Config, stats, and endpoint info
- Certificate Unhold — New endpoint to release held certificates
- System Status Badges — Enriched badges for ACME, SCEP, EST, OCSP, CRL, Auto-Renewal, SMTP, Webhooks
- WebSocket Real-Time Updates — Live push notifications for certificate events
- Accordion Sidebar — Collapsible navigation with grouped menu sections
- CSR Generation Form — Generate certificate signing requests from the UI
- Enhanced Certificate Issuance — Improved certificate issuance form with better validation
- Global UI Density — Harmonized spacing and layout across all pages
- No breaking API changes
- Database migration adds discovery tables (auto-applied on startup)
- New environment variable: `UCM_TRUSTED_PROXIES` (optional, for mTLS reverse proxy setups)
- Frontend assets are rebuilt — clear browser cache after upgrade
- LDAP bind passwords will be automatically encrypted on first startup after upgrade