uaa

CloudFoundry User Account and Authentication (UAA) Server

APACHE-2.0 License


uaa - 75.21.0

Published by cf-identity over 2 years ago

Bug Fixes

  • Remove more String password variables reported in issue #1838 (#1899)
  • Map RequestRejectedException from HTTP 500 to HTTP 400 (#1892)
  • Quote file paths in the Gradle script (#1928)
  • Use login.url for password reset email template creation (#1926)
  • OIDC proxy: fix id_token mapping (#1925)
  • Fix various HTTP 500 exceptions in SAML2 endpoints (#1924) (#1922) (#1913)

Features

  • Mobile: allow the public client option for grant_type authorization_code with PKCE using the S256 method (#1888)

Dependency bumps

  • Bump versions.springBootVersion from 2.6.7 to 2.7.1 (#1896) and (#1923)
  • Bump tomcat for cargo 9.0.64
  • Bump spring-framework-bom from 5.3.20 to 5.3.21 (#1915)
  • Bump k8s.io/client-go from 0.24.0 to 0.24.2 in /k8s (#1902) (#1919)
  • Bump gopkg.in/yaml.v3 to 3.0.0 (#1903)
  • Bump spring-framework-bom from 5.3.19 to 5.3.20 (#1887)
  • Bump jasmine from 4.1.0 to 4.2.0 in /uaa (#1911)
  • Bump nokogiri from 1.13.5 to 1.13.6 in /uaa/slate (#1898)


uaa - 75.20.0

Published by cf-identity over 2 years ago

Bug Fixes

  • Bump OWASP ESAPI to 2.4.0.0 (#1855); addresses CVE-2022-23457 and CVE-2022-24891
  • Bump versions.springBootVersion from 2.6.7 to 2.6.8 (#1895); addresses CVE-2022-22976 and CVE-2022-22978
  • Bump nokogiri from 1.13.4 to 1.13.5 in /uaa/slate (#1894)

Dependency bumps

  • Bump versions.springBootVersion from 2.6.7 to 2.6.8 (#1895)
  • Bump OWASP ESAPI to 2.4.0.0 (#1855)
  • Bump spring-framework-bom from 5.3.19 to 5.3.20 (#1887)
  • Bump nokogiri from 1.13.4 to 1.13.5 in /uaa/slate (#1894)
  • Bump jasmine-core from 4.1.0 to 4.1.1 in /uaa (#1886)
  • Bump greenmail from 1.6.8 to 1.6.9 (#1884)
  • Bump tomcat for cargo 9.0.63
  • Bump k8s.io/client-go from 0.23.6 to 0.24.0 in /k8s (#1877)
  • Bump xmlsec from 2.3.0 to 3.0.0 (#1876)
  • Bump javase from 3.4.1 to 3.5.0 (#1872)


uaa - 75.19.0

Published by cf-identity over 2 years ago

Code Quality

  • Enabled GitHub Actions for static code checks (e.g. SonarCloud)

Dependency bumps

  • Bump versions.springBootVersion from 2.6.6 to 2.6.7 (#1844)
  • Bump versions.bouncyCastleVersion from 1.70 to 1.71 (#1845)
  • Bump k8s.io from 0.22.8 to 0.23.6 in /k8s (#1843)
  • Bump spring-framework-bom from 5.3.18 to 5.3.19 (#1836)
  • Bump tomcat for cargo 9.0.62
  • Bump nokogiri from 1.13.2 to 1.13.4 in /uaa/slate (#1835)
  • Bump jasmine-core from 4.0.1 to 4.1.0 in /uaa (#1833)
  • Bump jasmine from 4.0.2 to 4.1.0 in /uaa (#1834)
  • Bump greenmail from 1.6.7 to 1.6.8 (#1830)


uaa - 75.18.0

Published by cf-identity over 2 years ago

Bug Fixes for CVE-2022-22965 (Spring Framework RCE, also known as Spring4Shell)

  • Bump spring-framework-bom from 5.3.17 to 5.3.18 (#1826)
  • Bump versions.springBootVersion from 2.6.5 to 2.6.6 (#1827)


uaa - 75.17.0

Published by cf-identity over 2 years ago

Bug Fixes

  • Fix: do not rely on default signature algorithms (#1813)
  • Bump jackson-databind to 2.13.2.2 only; fixes CVE-2020-36518 (#1825)

Dependency bumps

  • Bump versions.springBootVersion from 2.6.4 to 2.6.5 (#1820)
  • Bump json from 20211205 to 20220320 (#1815)
  • Bump k8s version 0.22.8 (#1814)
  • Bump spring-framework-bom from 5.3.16 to 5.3.17 (#1812)
  • Bump trim-newlines to 4.0.2 (#1808)
  • Bump tomcat for cargo 9.0.60
  • Bump github.com/onsi/gomega from 1.18.1 to 1.19.0 in /k8s (#1823)


uaa - 75.16.0

Published by cf-identity over 2 years ago

Bug Fixes

  • Fix SAML IdP login check (#1794)
  • Cleanup thymeleaf dependency management (#1806)

Dependency bumps

  • Bump versions.springBootVersion from 2.6.3 to 2.6.4 (#1802) see changelog
  • Bump spring-framework-bom from 5.3.15 to 5.3.16 (#1795)
  • Bump greenmail from 1.6.5 to 1.6.7 (#1801)(#1805)
  • Bump versions.guavaVersion from 31.0.1-jre to 31.1-jre (#1804)
  • Bump org.eclipse.jgit from 6.0.0.202111291000-r to 6.1.0.202203080745-r (#1807)
  • Bump nokogiri from 1.12.5 to 1.13.2 in /uaa/slate (#1803)


uaa - 75.15.0

Published by cf-identity over 2 years ago

Features

  • Add group mapping mode AS_SCOPES for OIDC IdPs (#1737)
  • Spring Boot major upgrade from 2.4.13 to 2.6.3 (#1725) (#1779)

Bug Fixes

  • JUnit test fixes (#1764)
  • Retry in JUnit run (#1773)
  • Simplify HTTP method matching (#1789)

Dependency bumps

  • Update xercesImpl to 2.12.2 (#1786), see the associated CVE
  • Spring Boot 2.6.3 (#1725) (#1779), see changelog
  • Spring Framework 5.3.15
  • Tomcat 9.0.58, see Security Fixes
  • Gradle 6.9.2
  • ThymeleafVersion 3.0.15 (#1787)


uaa - 75.14.0

Published by cf-identity almost 3 years ago

Dependency Bumps

  • Bumps various dependencies
  • Update the json library (#1754)

Bug Fixes

  • Fix handling of redirect URIs containing commas when creating an OAuth2 client (#1766)

Security Fixes

  • Addresses the Log4j CVE and its earlier incomplete fix by bumping log4j2 to 2.17.1
  • Upgrades New Relic to version 7.5.0
  • Fixes an issue where the previous fix for CVE-2021-22098 (open redirect) could be bypassed on some endpoints by using multiple '@' characters in the redirect URI

uaa - 75.13.0

Published by cf-identity almost 3 years ago

Dependency Bumps

  • Bumps various dependencies

Security Fixes

uaa - 75.12.0

Published by cf-identity almost 3 years ago

Disclaimer: Do not use this version; use 75.13.0 instead, following the recommendation from GitHub and Apache.

Changelog

Dependency Bumps

  • Bumps various dependencies

Security Fixes

uaa - 75.11.0

Published by cf-identity almost 3 years ago

Disclaimer: Do not use this version; use 75.13.0 instead, following the recommendation from GitHub and Apache.

Changelog

Dependency Bumps

  • Bumps various dependencies

Bug Fixes

  • fix: read logoutUrl from yaml (#1736)

Security Fixes

uaa - 75.10.0

Published by cf-identity almost 3 years ago

Features

  • JWT header deserializer (#1710)
  • Updated OIDC related documentation parts (#1726)
  • Migrate tests from JUnit 4 to JUnit 5, first iteration (#1685)

Bug Fixes

  • Ensure that application/json is set as the media type (#1731)
  • Postgresql: Add "FOR UPDATE SKIP LOCKED" DeleteExpiredQuery (#1719)
  • Fix error mapping /error (#1716)
  • Bump xmlsec from 2.2.3 to 2.3.0 due to CVE-2021-40690 (#1711)
  • Bump thymeleaf-spring5 to 3.0.13.RELEASE due to CVE-2021-43466

Dependency bumps

  • Spring Boot 2.4.13
  • Spring Framework 5.3.13
  • Tomcat 9.0.55
  • K8s.io 0.22.4
  • Gradle 6.9.1

uaa - 75.9.0

Published by cf-identity almost 3 years ago

Features

  • Validate id_token_hint in end_session_endpoint (#1693)
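
An added example, not UAA code, of what validating id_token_hint at the end_session_endpoint involves, combined with the 75.17.0 item about not relying on default signature algorithms: the verifier pins the algorithm to what the configured key is for instead of trusting the token's own "alg" header, checks issuer and expiry, and the logout handler only honours a post_logout_redirect_uri registered for the client the verified hint was issued to. ISSUER, CLIENTS, the HS256 key and all helper names are assumptions made for the example; an issuer signing with RS256 would pin that algorithm and its public key at the same place.

```python
import base64
import hashlib
import hmac
import json
import time

# Illustrative code written for this page (not UAA's implementation).
# ISSUER and CLIENTS are constructed sample values.
ISSUER = "https://uaa.example.com/oauth/token"
CLIENTS = {
    "web-app": {"post_logout_redirect_uris": {"https://web.example.com/logged-out"}},
    "mobile-app": {"post_logout_redirect_uris": {"com.example.mobile://logged-out"}},
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256(claims: dict, key: bytes) -> str:
    """Issue a compact JWS the way the issuer would (used here to build test inputs)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, (header + "." + payload).encode("ascii"), hashlib.sha256).digest()
    return header + "." + payload + "." + b64url(sig)


def verify_jwt(token: str, key: bytes, alg: str = "HS256", issuer: str = ISSUER, now=None):
    """Return the claims if the token is validly signed, from `issuer` and unexpired, else None."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        # The header is attacker-controlled input. The configured algorithm
        # decides how the signature is checked; the header may only agree with
        # it. This rejects "alg": "none" and HMAC/RSA key-confusion attempts.
        if not isinstance(header, dict) or header.get("alg") != alg or alg != "HS256":
            return None
        expected = hmac.new(key, (h_b64 + "." + p_b64).encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s_b64)):
            return None
        claims = json.loads(b64url_decode(p_b64))
    except ValueError:  # wrong segment count, bad base64, bad JSON
        return None
    if not isinstance(claims, dict):
        return None
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if claims.get("iss") != issuer or not isinstance(exp, (int, float)) or exp <= now:
        return None
    return claims


def end_session(id_token_hint: str, post_logout_redirect_uri: str, key: bytes, now=None):
    """Resolve the logout target only from a verified hint and that client's registration."""
    claims = verify_jwt(id_token_hint, key, now=now)
    if claims is None:
        return None
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    registered = [a for a in audiences if a in CLIENTS]
    if len(registered) != 1:
        return None
    client_id = registered[0]
    if post_logout_redirect_uri not in CLIENTS[client_id]["post_logout_redirect_uris"]:
        return None  # a valid hint for client A does not unlock client B's URIs
    return {"client_id": client_id, "redirect_to": post_logout_redirect_uri}


def forge_alg_none(token: str) -> str:
    """What an attacker tries: keep the payload, claim alg=none, drop the signature."""
    _, payload, _ = token.split(".")
    return b64url(b'{"alg":"none"}') + "." + payload + "."


if __name__ == "__main__":
    key, now = b"constructed-demo-key", 1700000000
    hint = mint_hs256({"iss": ISSUER, "aud": "web-app", "sub": "user-1", "exp": now + 600}, key)
    print(end_session(hint, "https://web.example.com/logged-out", key, now=now))
    print(end_session(forge_alg_none(hint), "https://web.example.com/logged-out", key, now=now))
```

The order of checks matters: the signature is verified before any claim is read, and the redirect target is looked up from the client registration rather than taken from the request, so an unverified or forged hint never influences where the browser is sent.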

Bug Fixes

  • Increase the randomness of the authorization code (#1700)
  • Bump xmlsec library 1.5.8 to 2.2.3 (#1689)

Dependency bumps

  • Spring boot 2.4.12
  • Tomcat 9.0.54
  • K8s.io

uaa - 75.8.0

Published by cf-identity about 3 years ago

Features

  • Support logout for OpenID proxy mode (#1668)
  • Client creation endpoint with two secrets (#1636)

Bug Fixes

  • Add vendor-specific SQL statements to retrieve a user's authorities (#1652)
  • PostgreSQL: add a lower() index on the user table (#1663)

Dependency bumps

  • Spring boot 2.4.11
  • Tomcat 9.0.54
  • jakarta.el 3.0.4 (#1661)
  • K8s.io

uaa - 75.7.0

Published by cf-identity about 3 years ago

Features

  • Passcode page with clipboard icon (#1643)
  • Increase authorization code size (#1615)

Bug Fixes

  • Prevent disallowed error messages (#1630)

Dependency bumps

  • Spring boot 2.4.10 (#1657)
  • Tomcat 9.0.52 (#1615)
  • Switch JAXB runtime (#1644)
  • Change and update mail library (#1614)
  • K8s.io

uaa - 75.6.0

Published by cf-identity about 3 years ago

Features

  • Invitation: Do not expire invitations on GET requests (#1128)
  • PKCE support in IDP (OIDC) proxy authorization flow (#1606)

Bug Fixes

  • Fix bug with origin chooser and selected allowed provider configuration (#1624)
  • Protect redirect URL against path traversal (#1613)
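
An added example, written for this page and not UAA's own check, of a redirect URI validator that addresses this path-traversal item together with the multiple-'@' bypass of the CVE-2021-22098 fix noted under 75.14.0. The candidate is parsed with Python's urllib so the host the browser would actually use is what gets compared; any userinfo, any number of '@' characters, and any "." or ".." path segment (raw or percent-encoded) is rejected before the URL is matched against the client's registration. REGISTERED_REDIRECTS and every sample input are constructed.

```python
from urllib.parse import unquote, urlsplit

# Illustrative validator (not UAA code); registered URIs are constructed samples.
REGISTERED_REDIRECTS = {
    "https://app.example.com/callback",  # no trailing slash: exact path only
    "https://app.example.com/login/",    # trailing slash: any path beneath it
}

_DEFAULT_PORTS = {"https": 443, "http": 80}


def effective_port(parts):
    # Explicit ":443" and no port must compare equal; .port raises ValueError on junk.
    return parts.port if parts.port is not None else _DEFAULT_PORTS.get(parts.scheme)


def has_traversal(path: str) -> bool:
    # Decode once so %2e%2e is caught as well; a backslash is rejected because
    # some servers and browsers normalise it to "/" later in the pipeline.
    decoded = unquote(path)
    if "\\" in decoded:
        return True
    return any(segment in (".", "..") for segment in decoded.split("/"))


def is_allowed_redirect(candidate: str, registered=REGISTERED_REDIRECTS) -> bool:
    try:
        parts = urlsplit(candidate)
        port = effective_port(parts)
    except ValueError:
        return False
    if parts.scheme != "https":
        return False  # also rejects scheme-relative "//evil.example/..."
    # A substring check would "see" the registered host before the '@' while
    # the browser goes to the host after the last '@'. Accept no userinfo at
    # all, so how many '@' characters the attacker uses is irrelevant.
    if "@" in parts.netloc or not parts.hostname:
        return False
    if parts.fragment:
        return False  # RFC 6749 forbids a fragment component in redirect_uri
    path = parts.path or "/"
    if has_traversal(path):
        return False
    for entry in registered:
        reg = urlsplit(entry)
        if (parts.hostname, port) != (reg.hostname, effective_port(reg)):
            continue
        if reg.path.endswith("/"):
            if path.startswith(reg.path):
                return True
        elif path == reg.path:
            return True
    return False


if __name__ == "__main__":
    for url in ("https://app.example.com/callback?state=abc",
                "https://app.example.com@evil.example/callback",
                "https://app.example.com@foo@evil.example/callback",
                "https://app.example.com/login/%2e%2e/admin"):
        print(is_allowed_redirect(url), url)
```

Comparing the parsed host and port instead of searching for the registered string inside the URL is what closes the '@' family of bypasses as a class; the traversal check runs on the decoded path so an encoded ".." cannot slip past a prefix match on a registered path with a trailing slash.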

Dependency bumps

  • JQuery (#1618)
  • Font-Awesome (#1617)
  • Passay version 1.6.1 (#1612)
  • Spring (#1611)
  • Bump commons-io from 2.10.0 to 2.11.0 (#1616)
  • K8s.io

uaa - 75.5.0

Published by cf-identity over 3 years ago

Features

  • Add PKCE support (#939)
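
The PKCE flow (RFC 7636) that this item, and the public-client/S256 item under 75.21.0 near the top of this page, refer to, shown as an added example written for this page rather than UAA's own implementation. Both sides are illustrated: a public client (no client secret) that keeps the code_verifier on the device and sends only the S256 challenge, and a constructed in-memory stand-in for the authorization server that refuses the plain method, recomputes the challenge at the token endpoint and makes codes single-use. AuthorizationServer, the client id "mobile-app" and the helper functions are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import secrets

# Illustrative PKCE flow written for this page; AuthorizationServer is a
# constructed stand-in, not UAA.


def b64url_nopad(data: bytes) -> str:
    """base64url without '=' padding, the encoding RFC 7636 specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    # 32 random octets encode to 43 unreserved characters, the RFC minimum length.
    return b64url_nopad(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    # S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Minimal stand-in for the server side; public clients present no secret."""

    def __init__(self):
        self._pending = {}  # authorization code -> (client_id, code_challenge)

    def authorize(self, client_id: str, code_challenge: str, code_challenge_method: str) -> str:
        # Public clients must use S256: with "plain" the verifier itself travels
        # over the front channel, where a code-interception attacker can read it.
        if code_challenge_method != "S256":
            raise ValueError("public clients must use code_challenge_method=S256")
        code = b64url_nopad(secrets.token_bytes(32))
        self._pending[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str):
        entry = self._pending.pop(code, None)  # a code is single-use, success or not
        if entry is None:
            return None
        bound_client, challenge = entry
        if bound_client != client_id or not 43 <= len(code_verifier) <= 128:
            return None
        # The server never stored the verifier; it recomputes the challenge
        # from what the client presents and compares in constant time.
        if not hmac.compare_digest(make_code_challenge(code_verifier), challenge):
            return None
        return {"access_token": b64url_nopad(secrets.token_bytes(32)), "token_type": "bearer"}


def public_client_login(server: AuthorizationServer, client_id: str = "mobile-app"):
    """The legitimate flow: the verifier stays on the device, only its hash leaves."""
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    code = server.authorize(client_id, challenge, "S256")  # front channel
    return server.token(client_id, code, verifier)          # back channel


def intercepted_code_is_useless(server: AuthorizationServer, client_id: str = "mobile-app") -> bool:
    """An attacker who captures the code (e.g. a rogue app registered for the
    custom URI scheme) but not the verifier cannot redeem it, and the attempt
    burns the code so the real client cannot redeem it afterwards either."""
    verifier = make_code_verifier()
    code = server.authorize(client_id, make_code_challenge(verifier), "S256")
    attacker_attempt = server.token(client_id, code, make_code_verifier())
    legit_retry = server.token(client_id, code, verifier)
    return attacker_attempt is None and legit_retry is None


def plain_method_is_rejected(server: AuthorizationServer) -> bool:
    try:
        server.authorize("mobile-app", "anything", "plain")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    srv = AuthorizationServer()
    print(public_client_login(srv))
    print(intercepted_code_is_useless(srv), plain_method_is_rejected(srv))
```

The RFC 7636 Appendix B vector (verifier dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk, challenge E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM) is a useful sanity check for make_code_challenge when porting this to another language.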

Bug Fixes

  • URL cache: Return existing records on update failure (#1565)
  • Fix an open redirect via some UAA endpoints
  • Well-known endpoint: BigInteger encoding fixed (#1579)
  • Add workaround for revoke access dialog from issue #1036 (#1254)
  • Add property option for mail.smtp.ssl.protocols (#1605)

Dependency bumps

  • Guava 30.1.1-jre
  • Tomcat 9.0.50

uaa - 75.4.0

Published by cf-identity over 3 years ago

Features

  • Implement support for the GitHub OAuth 2.0 provider (#1463)
  • Allow using the Account Chooser without IdP Discovery (#1550)
  • Cargo start: make startStopTimeout configurable (#1594)
  • Performance optimization: prevent expensive duplicate key exception (#1562)
  • Performance optimization: refactor to query minimal user information everywhere authorities are loaded (#1322)
  • Gradle: Add '-Xdebug' jvm args to application container run in cargo if ' (#1592)

Dependency bumps

  • Bump Spring Dependencies (#1591)
  • Bump Guava (#1581)
  • Other misc dependencies

uaa - 75.3.0

Published by cf-identity over 3 years ago

Features

  • Small improvements for the consent form (#1561)

Bug Fixes

  • Fix issue #1584
  • Fix an issue where UAA cannot handle refresh tokens with expiration time after the year 2037
  • Fix an issue where UAA cannot handle refresh tokens issued after the year 2037
  • Fix a CVE where the delete-identity-provider endpoint's response may contain secrets

Dependency bumps

  • Bump Spring Dependencies (#1577)
  • Bump bouncyCastleVersion from 1.68 to 1.69
  • Other misc dependencies

uaa - 75.2.0

Published by cf-identity over 3 years ago

Dependency Bumps

  • Bump tomcat-embed-core to 9.0.45 in /samples/api (#1544)
  • Bump tomcat-embed-core to 9.0.45 in /server (#1545)
  • Bump tomcat-embed-core to 9.0.45 in /samples/app (#1546)
  • Bump tomcat-embed-core to 9.0.45 in /statsd (#1547)
  • Bump bcprov-jdk15on to 1.67 in /server (#1564)
  • Misc dependency updates (spring boot 2.4.5, spring framework 5.3.6, tomcat 9.0.45) (#1548) (#1559)

Fixes

  • Fixes #1530
  • Fixes #1566