Releases: babelouest/glewlwyd
Releases · babelouest/glewlwyd
Release 2.7.6
11f57ec
This commit was signed with the committer’s verified signature.
babelouest
Nicolas Mora
- Minor bugfixes and improvements
- Improve e-mail scheme security model by adding a mutex lock when generating codes, and adding a code prefix sent in the trigger method to mitigate stolen codes
- Update cmake script for a cleaner build
- Add config values
user_backend_api_run_enabled,user_middleware_backend_api_run_enabled,client_backend_api_run_enabled,scheme_api_run_enabledto list authorized backend or schemes for a Glewlwyd instance - Add config value
originating_ip_headerto specify the header value containg the originating IP address, if any - Add config values
response_body_limitandmax_headerto limit download sizes when relevant - Rework Docker files to build from source instead of downloading packages from github
- cmake: split package build options in 3 (tar.gz, deb and rpm), and set all packages build to off by default
- Security: Fix possible buffer overflow in webauthn attestation
Release 2.7.5
fc56978
This commit was signed with the committer’s verified signature.
babelouest
Nicolas Mora
- Build with flag
-Wconversion
Release 2.7.4
06a1c1a
This commit was signed with the committer’s verified signature.
babelouest
Nicolas Mora
- Minor bugfixes
Release 2.7.3
67d3eec
This commit was signed with the committer’s verified signature.
babelouest
Nicolas Mora
This release contains a security fix in the library rhonabwy. If you allow encrypted tokens using RSA-OAEP algorithms, please upgrade your Glewlwyd version.
- Enforce client public key verification on registration
- Add config value
login_api_enabledto enable/disable authentication APIs - Add config value
plugin_api_run_enabledto list authorized plugins for a Glewlwyd instance - Minor bugfixes
Release 2.7.2
d17b461
This commit was signed with the committer’s verified signature.
babelouest
Nicolas Mora
- Improve security verification
- Add config value
response_allowed_compressionto enable/disable API response compression - Breaking: Add config value
admin_session_authenticationto enable/disable admin API authentication methods, API key is disabled by default - Add config value
profile_session_authenticationto enable/disable user profile API authentication methods - Add config value
allow_multiple_user_per_sessionto enable/disable multiple users per session
Release 2.7.1
415e5c3
This commit was signed with the committer’s verified signature.
babelouest
Nicolas Mora
- Allow to disable static files server
- Allow to send an e-mail on password change or scheme registration
- Add additional CORS related header configuration
- Add config values
cookie_same_siteandmax_post_size - Add additional-parameters to access tokens for client authorization
- Improve resource parameter in OIDC plugin, remove resource change allowed option
- If enc algorithms is restricted, show only allowed algorithms in discovery endpoint, and forbid to use these algorithms in client registration
- Security: Fix deprecated
glewlwyd_resource.cbug with token verification
Release 2.7.0
c948baf
This commit was signed with the committer’s verified signature.
babelouest
Nicolas Mora
The "Third dose Release"
- Bugfixes
- Fix delegation session
- Add SMTP configuration template
- Allow to send an e-mail to an account when a new connection occurs
- Allow to fetch a geolocation API to improve the
issued_forrecords - Fix oidc plugin bug: allow to add the
usernameas claim in the access token - Improve OIDC DPoP implementation to Draft 07
- Front-end: Remove polyfill build script
- Fix Rich Authorization Requests and update its implementation to Draft 11
- Allow Import/Export users/clients/modules/plugins in the UI
- UI Improvements
- Security: Fix directory traversal bug (CVE-2022-29967)
Release 2.6.2
d147ccd
This commit was signed with the committer’s verified signature.
babelouest
Nicolas Mora
This is a security release, if you use the webauthn scheme, please upgrade your Glewlwyd version.
- Security: Fix possible buffer overflow in webauthn assertion (CVE-2022-27240)
Release 2.6.1
a7ddc5b
This commit was signed with the committer’s verified signature.
babelouest
Nicolas Mora
This is a security release, please upgrade your Glewlwyd version.
- Fix bug in OTP registration
- Fix several UI bugs
- Improve user registration UI and OTP scheme registration
- Add callback function
plugin_user_revokein plugins - Add config file option
add_x_frame_option_header_denyto allow removing headerX-Frame-Options: deny - Security: Fix escalation bug (CVE-2021-45379)
Release 2.6.0
53df83f
This commit was signed with the committer’s verified signature.
babelouest
Nicolas Mora
The "Green Zone Release"
- Add option to forbid a scheme to be registered in the profile and/or the reset credentials pages
- Add prometheus metrics endpoint
- Improve security when updating modules
- Allow to force PKCE all the time or when use specified scopes
- Implement Client-Initiated Backchannel Authentication Flow
- Implement OAuth 2.0 Authorization Server Issuer Identification
- Improve IETF strict option in OIDC plugin by handling signatures and encryption properties
- User registration: suggest a new username when a username exists
- Allow to remove all sessions and/or revoke all tokens
- Implement OpenID Connect Front-Channel Logout 1.0 - draft 04
- Implement OpenID Connect Back-Channel Logout 1.0 - draft 06
- Upgrade DPoP implementation to draft 4.0