v52.1
Known Issue
This release introduces a breaking change around SSL hostname verification for self-signed SAML and OIDC connections; it has been addressed in v52.4.
The update of the httpclient dependency introduced SSL hostname verification, which checks the certificate's subject alternative names (or its CN) against the requested hostname to prevent man-in-the-middle attacks. This affects the following identity provider configurations, whose self-signed certificate must now carry a subject alternative name or CN that is valid for the target hostname:
- OIDC identity providers during the login flow
- SAML identity providers during the SAML metadata exchange, where the metadata location is provided as a URL and not uploaded as a file
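To check an IdP certificate before upgrading, the following added example (written for this note, not UAA or httpclient code) reimplements the matching rules of httpclient 4.5's DefaultHostnameVerifier in Python: subject alternative names are used when present and the CN is only a fallback, and a wildcard may only be the leftmost label. Certificates are passed in the dict layout returned by `ssl.SSLSocket.getpeercert()`, and the sample certificates are constructed.

```python
import ipaddress

def _dns_match(pattern: str, host: str) -> bool:
    """RFC 6125-style match: exact, or '*' as the whole leftmost label only."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # wildcard must be the entire first label, must not cover a bare TLD (*.com),
    # and matches exactly one label (a.b.example.test is NOT matched by *.example.test)
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def verify_hostname(cert: dict, host: str) -> bool:
    """True if `host` is acceptable for `cert` under the httpclient 4.5 rules."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if sans:
        # SANs present: the CN is ignored entirely, whatever it says
        if ip is not None:
            return any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in sans)
        return any(k == "DNS" and _dns_match(v, host) for k, v in sans)
    # no SANs at all: deprecated fallback to the subject commonName
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_match(cn, host) for cn in cns)

# constructed sample certificates in getpeercert() layout (not real IdP certs)
SAN_CERT = {
    "subject": ((("commonName", "legacy-name.example.test"),),),
    "subjectAltName": (("DNS", "*.idp.example.test"), ("IP Address", "10.0.0.5")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "sso.example.test"),),)}
```

A metadata URL or OIDC issuer whose host does not satisfy `verify_hostname` will fail the TLS handshake once httpclient 4.5.3 is in place, so fix the certificate (or the configured hostname) rather than disabling verification.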
Notes
This is a security release addressing the following issues:
Additionally, UAA dependencies have been updated:
- tomcat and tomcat jdbc pool to 8.5.23
- Spring Security LDAP to 2.3.2
- commons fileupload to 1.3.3
- antisamy to 1.5.7
- Apache Velocity to 2.0
- xalan to 2.7.2
- beanutils to 1.9.3
- Spring Framework to 4.3.11
- httpclient to 4.5.3