Updated to UAA Release 4.0.0

Updated to UAA Release 4.1.0

This is a security release addressing the following issues

• CVE-2017-4991: UAA password reset vulnerability (high severity)

Known issue

Please note that Create Account flow causes infinite redirect loop. We are working on addressing this in a patch release soon.

Breaking Changes

Starting with UAA bosh release v35 the following ERB validations have been added for OAuth Clients:

• redirect-uri is required if authorized-grant-types contains "authorization_code" or "implicit". The redirect uri must be an absolute url and begin with http or https
• secret is required if authorized-grant-types contains "authorization_code" or "password".
• scope is required if authorized-grant-types contains "authorization_code", "implicit" or "password"
• authorities is required if authorized-grant-types contains "client_credentials"
• authorized-grant-types should contain at least one of the following values : "authorization_code", "implicit", "password" , "client_credentials"

Please ensure that your UAA bosh release yml is set up properly as deployment will not proceed without these changes.