-
Notifications
You must be signed in to change notification settings - Fork 10
/
NEWS
364 lines (209 loc) · 10.3 KB
/
NEWS
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
* Version 2.42 (unreleased)
* Version 2.41 (released 2020-03-11)
* Redo release using the correct signing process.
* Version 2.40 (released 2020-03-03)
* Enhanced data validation to address YSA-2020-01.
* Re-indent everything according to PEAR standard.
* Version 2.39 (released 2016-11-01)
* Minor documentation fix.
* Version 2.38 (released 2016-06-08)
* Silence PHP notice when using curl handles as array keys.
* Version 2.37 (released 2016-05-17)
* Avoid PHP notices/warnings when receiving empty verify requests.
* Version 2.36 (released 2016-05-16)
* Commit to either $_GET or $_POST early in request handling.
* Use CURLINFO_EFFECTIVE_URL instead of CURLINFO_PRIVATE in synclib.
* Run tests for PHP 7.0.
* Version 2.35 (released 2016-04-19)
* Fixed install target in Makefile to include ykval-log-verify.php
* Version 2.34 (released 2016-04-18)
* Added __YKVAL_VERIFY_LOGFORMAT__ to optionally provide a
single line to log verify requests.
* ykval-synclib does parallel sync with peers.
i.e. instead of totally draining a peer queue before moving
to the next peer, we drain a bit of each peer on each run.
* Documentation fixes.
* Version 2.33 (released 2015-10-05)
* Modified a LOG_INFO message,
multiple key=val are separated by two spaces instead of one.
* Added http://127.0.0.1:80 to default ksm service.
* Refactoring and internal improvements.
* Version 2.32 (released 2015-09-14)
* Fixed erroneous log messages and whitespace output.
* Refactoring and internal improvements.
* Version 2.31 (released 2015-09-10)
* Fix issues introduced in 2.30.
* PHP Fatal error when receiving an empty sync request,
due to not initialising the logging boiler plate early enough.
* PHP Notice when writing a LOG_INFO message,
due to an incorrect sprintf argument passing.
* Version 2.30 (released 2015-09-09)
* Refactoring and internal improvements.
* Better robustness and minor performance improvements.
* Bug fixes in logging framework and message output.
* Preference towards TLS by default.
* ykval-queue exits automatically on single node configurations.
* Rewrote ksmlatency, vallatency & queuelength munin plugins.
* Munin plugins use libcurl rather than curl system binaries.
* Version 2.29 (released 2015-05-27)
* Allow curl options to be set from config file.
* Version 2.28 (released 2015-02-11)
* Refactor munin quelenegth plugin to show what is queued.
* Add ykval-nagios-queuelength.
* Use constant time string comparisson for validating HMAC signature.
* Version 2.27 (released 2014-09-25)
* Further logging updates.
* ykval-munin-responses: Make log file configurable.
* ykval-munin-ksmresponses: New munin probe.
* Version 2.26 (released 2014-09-24)
* Logging updates.
* Optimization fix in the checksum scripts.
* Documentation fixes.
* Version 2.25 (released 2014-08-18)
* Now works with 'allow_url_fopen' == false.
* Always verifies SSL peer when syncing between servers via HTTPS.
* Version 2.24 (released 2013-09-18)
* Removed space after comma in the output of ykval-gen-clients.
* Include README in tarball.
* Version 2.23 (released 2013-04-17)
* Removed initial empty line from output for all commands.
* Use LF as EOL consistently.
* Updated release procedure.
* Version 2.22 (released 2013-03-12)
* Added the ability to send yk=all to ykval-resync.php to queue sync
of all known active YubiKeys.
* Added ykval-synchronize to easily call ykval-resync.php on a remote
server.
* Added ykval-gen-clients to generate API clients.
* Log query for POST requests too.
* Version 2.21 (released 2013-02-05)
* Fixed a problem that caused ykval-queue to terminate if the database
was not available initially.
* Version 2.20 (released 2013-01-31)
* Add ChangeLog generation using git2cl.
* Changed location of files to /usr/share/yubikey-val, etc.
* Changed location of configuration files to /etc/yubico/val/.
* Made import/export scripts use comma separation, instead of tabs.
* Added a working ykval-config.php that looks for a ksm on localhost.
* Removed System_Daemon dependency and made ykval-queue a simple
backgroundable process that can be daemonized using for instance
and init.d script.
* Added man pages for executables.
* Version 2.19 (released 2012-07-05)
* Refactor database code, allowing for other underlying implementations
than PDO. Add a PDO and an Oracle (through php_oci) implementation.
Based on patch from Remi Mollon <[email protected]>
* Fix for ykval-export running on postgres.
* Add resync.php to request new sync of public id.
* Add munin plugin for statistics.
* Version 2.18 (released 2012-06-15)
* Logging misstakes that broke 2.17 fixed.
* Version 2.17 (released 2012-06-15)
* Logging improvements.
use ykval-verify/ykval-sync correctly for whole flow
clarify/degrade various logging messages
* Fix mysql error introduced in 2.14, also logs
database updated/not updated correctly.
* Accept sync for disabled keys, but still answer BAD_OTP.
* Remove from sync queue on BAD_OTP answer.
* Add munin plugin for response types.
* Version 2.16 (released 2012-06-13)
* Improved logging.
* Improved performance of large sync queues.
* Version 2.15 (released 2012-05-24)
* Add export/import scripts for clients table.
* Insert default values in $sl and $timeout if they are empty.
And they will be empty if the client didn't request them.
* Version 2.14 (released 2012-05-22)
* Add support for reconnecting to database after errors.
* Fixes for PHP warnings.
* Detect timeouts and errors in munin checks.
* Version 2.13 (released 2012-05-16)
* Fix signature checking broken in 2.12 and for dvorak OTPs.
* Fixes for ykval-checksum-clients.php
* Version 2.12 (released 2012-05-09)
* Fix using 'fast' or 'secure' as sync level.
* Fix database setup script to make nonce max 40 characters.
* Version 2.11 (released 2011-11-16)
* Silence PHP warnings. Patch from Hiroki Nose.
* Include munin scripts in tarball. From Fredrik Thulin.
* Support for DESTDIR in 'make install'. From Fredrik Thulin.
* Reorder include's to allow for dbi-settings through
ykval-config.php. From Fredrik Thulin.
* Install non-bin PHP files with --mode 644 to avoid executable bit.
From Fredrik Thulin.
* Fix two remaining non-portable uses of rowCount.
* Version 2.10 (released 2011-08-18)
* Don't echo (unsanitized) OTP/NONCE values back to client when
sending error codes. Reported by Paul van Empelen.
Resolving this problem protects (arguably buggy) clients against
an attack. Prior versions of the Yubico C and PHP clients do not
appear to exhibit this bug. We provide an analysis of the issue
below so that you can review client implementations for the
problem. Note that you do not have to fix clients if you are
using this server version (or later), although we recommend it
anyway.
If the client sends a OTP value that ends with '%0astatus=OK' the
server output will contain a line 'status=ok' before the real
status code status=MISSING_PARAMETER. Note lower-casing of the
injected status code, so that it doesn't match a correct
'status=OK' response. Note also that the OTP value would fail
normal input validation checks in the client.
If the client sends a NONCE value that ends with '%0astatus=OK'
the output will contain a line consisting of 'status=OK' before
the correct status=MISSING_PARAMETER. However, the NONCE value is
generated by client code internally and does not come from any
untrusted source, thus the impact here is limited -- if an
attacker is able to trick a client into sending a crafted NONCE
value the attacker is normally able to modify the client code
somehow, and can thus trick the client in other ways as well.
Similar issues apply to the ID field, which is normally also under
control of the trusted client code and not something an attacker
could influence.
Thus, this server-side fix solve a client-side issue that we
believe would only occur when both of these conditions are true:
1) the client does not do proper input validation of the OTP, and
2) the client incorrectly parses 'status=ok' as 'status=OK'.
or when the following condition is true
A) the client can be tricked into sending a crafted NONCE or ID
value.
* Version 2.9 (released 2011-05-09)
* Support multiple IP authorizations in ykval-revoke.php.
* Version 2.8 (released 2011-01-06)
* Support YubiKey OTPs filtered through a US Dvorak keyboard layout.
* Added ykval_-vallatency Munin probe to measure latency to other
validation instances, for both IPv4 and IPv6.
* Version 2.7 (released 2010-09-12)
* Sanity check input OTP variable to avoid any chance of SQL injections.
Reported by Ricky Zhou.
* Timestamp request and response because syslog doesn't record year
nor sub-second resolution.
* Log whether HTTPS is used or not.
* Version 2.6 (released 2010-08-02)
* Don't use rowCount in ykval-revoke, there seems to be some problem
with the rowCount function.
* Add Munin plugin to measure KSM latency and queue length.
* Version 2.5 (released 2010-05-17)
* Fix undefined warnings, issue #8.
* Don't use PDO rowCount function to get number of rows returned
because that isn't portable. Patch from arte42.ripe in issue #7
(yubikey-val-2.1-php-rowcount.patch).
* When number of sync servers equals zero, set sync result to success.
Patch from arte42.ripe in issue #7 (yubikey-val-2.1-syncres.patch).
* When there is only one KSM, use more portable code without async.
Patch from arte42.ripe in issue #7 (yubikey-val-2.1-php-curl.patch).
* Add files COPYING and AUTHORS.
* Version 2.4 (released 2010-03-16)
* Fix bug in ykval-checksum-clients.php when used with PostgreSQL.
* Version 2.3 (released 2010-03-12)
* Add ykval-checksum-clients.php, see doc/SyncMonitor.wiki.
* Version 2.2 (released 2010-02-22)
* Minor cleanups and fixes.
* Add ykval-revoke.php service, see doc/RevocationService.wiki.
* Version 2.1 (released 2010-01-29)
* Minor cleanups and fixes.
* Version 2.0 (released 2010-01-18)
* Major re-design to support a new architecture with replicated
servers.
* Version 1.1 (released 2009-11-19)
* Stable release of non-replicated server.