
SimpleSAMLphp changelog

This document lists the changes between versions of SimpleSAMLphp. See the upgrade notes for specific information about upgrading.

Version 1.14.14

Released 2017-05-05

  • Resolved a security issue in the authcrypt module (Htpasswd authentication source) and in SimpleSAMLphp's session validation. See SSPSA 201705-01.
  • Resolved a security issue in the multiauth module. See SSPSA 201704-02.

Version 1.14.13

Released 2017-04-27

  • Resolved a security issue with unauthenticated encryption in the SimpleSAML\Utils\Crypto class. See SSPSA 201704-01.
  • Added requirement for the Multibyte String PHP extension and the corresponding checks.
  • Set a default name for SimpleSAMLphp sessions in the configuration template for the PHP session handler.

Version 1.14.12

Released 2017-03-30

  • Resolved a security issue in the authcrypt module (Htpasswd authentication source) and in SimpleSAMLphp's session validation. See SSPSA 201703-01.
  • Resolved a security issue with IV generation in the SimpleSAML\Utils\Crypto::_aesEncrypt() method. See SSPSA 201703-02.
  • Fixed an issue with the authfacebook module, broken after a change in Facebook's API.
  • Fixed an issue in the discopower module that ignored the hide.from.discovery metadata option.
  • Fixed an issue with trusted URLs validation that prevented a URL from being accepted if a standard port was explicitly included but not specified in the configuration.
  • Fixed an issue that prevented detecting a Memcache server being down when fetching Memcache statistics.
  • Fixed an issue with operating system detection that made SimpleSAMLphp identify OSX as Windows.
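The two cryptography advisories in the entries above (unauthenticated encryption in SimpleSAML\Utils\Crypto in 1.14.13, and IV generation in _aesEncrypt() in 1.14.12) are the two classic ways an AES-CBC wrapper fails: a predictable IV makes equal plaintexts recognisable, and a missing integrity tag lets anyone flip bits in the ciphertext undetected. The PHP below is an added example and is not the project's code; the weak function only illustrates that class of defect and is not a reproduction of the pre-fix implementation. The hardened form draws a fresh IV from random_bytes(), derives separate encryption and MAC keys from one master secret with hash_hkdf() (PHP 7.1.2 or later is assumed), and checks an HMAC over IV and ciphertext with hash_equals() before decrypting. The key-derivation layout and function names are this example's assumptions, not the library's API.

```php
<?php
declare(strict_types=1);

// Illustrative weak pattern (NOT the project's code): CBC with a predictable IV and no MAC.
// Equal plaintexts give equal ciphertexts, and a bit flipped in the ciphertext goes unnoticed.
function weakEncrypt(string $plaintext, string $key): string
{
    $iv = str_repeat("\0", 16);
    $ct = openssl_encrypt($plaintext, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return $ct;
}

// Hardened form: fresh random IV per message, encrypt-then-MAC with a separate MAC key.
// Assumes PHP >= 7.1.2 for hash_hkdf(); $secret is a high-entropy master secret (assumption).
function aesEncryptAuthenticated(string $plaintext, string $secret): string
{
    $encKey = hash_hkdf('sha256', $secret, 32, 'enc');    // independent keys for AES and HMAC
    $macKey = hash_hkdf('sha256', $secret, 32, 'mac');
    $iv = random_bytes(16);                                 // CSPRNG, new IV on every call
    $ct = openssl_encrypt($plaintext, 'aes-256-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    $tag = hash_hmac('sha256', $iv . $ct, $macKey, true);   // MAC covers IV and ciphertext
    return $tag . $iv . $ct;                                // 32-byte tag || 16-byte IV || ciphertext
}

function aesDecryptAuthenticated(string $blob, string $secret): string
{
    if (strlen($blob) < 32 + 16 + 16) {
        throw new RuntimeException('ciphertext too short');
    }
    $encKey = hash_hkdf('sha256', $secret, 32, 'enc');
    $macKey = hash_hkdf('sha256', $secret, 32, 'mac');
    $tag = substr($blob, 0, 32);
    $iv  = substr($blob, 32, 16);
    $ct  = substr($blob, 48);
    // Verify in constant time BEFORE touching the ciphertext; never decrypt unauthenticated data.
    if (!hash_equals(hash_hmac('sha256', $iv . $ct, $macKey, true), $tag)) {
        throw new RuntimeException('authentication failed');
    }
    $pt = openssl_decrypt($ct, 'aes-256-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
    if ($pt === false) {
        throw new RuntimeException('decryption failed');
    }
    return $pt;
}

// Demonstration on constructed input.
$secret = random_bytes(32);
$blob = aesEncryptAuthenticated('uid=alice;role=admin', $secret);
echo 'round trip: ', aesDecryptAuthenticated($blob, $secret), "\n";

$tampered = $blob;
$tampered[48] = chr(ord($tampered[48]) ^ 0x01);   // flip one bit in the first ciphertext block
try {
    aesDecryptAuthenticated($tampered, $secret);
    echo "tampering NOT detected\n";
} catch (RuntimeException $e) {
    echo 'tampering detected: ', $e->getMessage(), "\n";
}

// The weak scheme is deterministic: identical inputs produce identical ciphertexts.
$key = random_bytes(32);
$same = (weakEncrypt('uid=alice;role=admin', $key) === weakEncrypt('uid=alice;role=admin', $key));
echo 'weak scheme deterministic: ', ($same ? 'yes' : 'no'), "\n";
```

The order of operations in aesDecryptAuthenticated() is the point: length check, MAC verification with a constant-time comparison, and only then decryption, so an attacker who flips ciphertext bits learns nothing from padding errors or from the decrypted output.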

Version 1.14.11

Released 2016-12-12

  • Resolved a security issue involving signature validation of SAML 1.1 messages. See SSPSA 201612-02.
  • Fixed an issue when the user identifier used to generate a persistent NameID was missing due to a misconfiguration, causing SimpleSAMLphp to generate the NameID from a null value.
  • Fixed an issue when persistent NameIDs were generated out of attributes with empty strings or multiple values.
  • Fixed issue #530. An empty SubjectConfirmation element was causing SimpleSAMLphp to crash. On the other hand, invalid SubjectConfirmation elements were ignored in PHP 7.0.

Version 1.14.10

Released 2016-12-02

  • Resolved a security issue involving signature validation. See SSPSA 201612-01.
  • Fixed issue #517. A misconfigured session when acting as a service provider was leading to a PHP fatal error.
  • Fixed issue #519. Prevent persistent NameIDs from being generated from empty strings.
  • Fixed issue #520. It was impossible to verify Apache's custom MD5 passwords when using the Htpasswd authentication source.
  • Fixed issue #523. Avoid problems caused by different line-ending strategies in the project files.
  • Other minor fixes and enhancements.

Version 1.14.9

Released 2016-11-10

  • Fixed an issue that resulted in PHP 7 errors being masked.
  • Fixed the smartattributes:SmartName authentication processing filter.
  • Fixed issue #500. When parsing metadata, two 'attributes.required' options were generated.
  • Fixed the list of requirements in composer, the documentation, and the configuration page.
  • Fixed issue #479. There were several minor issues with XHTML compliance.
  • Other minor fixes.

Version 1.14.8

Released 2016-08-23

  • Fixed an issue in AuthMemCookie causing it to crash when an attribute received contains XML as its value.
  • Fixed an issue in AuthMemCookie that made it impossible to set its own cookie.
  • Fixed an issue when acting as a proxy and receiving attributes that contain XML as their values.
  • Fixed an issue that led to incorrect URL guessing when a script is invoked with a URI that doesn't include its name.

Version 1.14.7

Released 2016-08-01

  • Fixed issue #424. Attributes containing XML as their values (like eduPersonTargetedID) were empty.

Version 1.14.6

Released 2016-07-18

  • Fixed issue #418. SimpleSAMLphp was unable to obtain the current URL correctly when invoked from third-party applications.

Version 1.14.5

Released 2016-07-12

  • Fixed several issues with session handling when cookies couldn't be set for some reason.
  • Fixed an issue that caused wrong URLs to be generated in the web interface under certain circumstances.
  • Fixed the exception handler to be compatible with PHP 7.
  • Fixed an issue in the dropdown IdP selection page that prevented it from working with PHP 5.3.
  • Fixed compatibility with Windows machines.
  • Fixed an issue with the PDO and Serialize metadata storage handlers.
  • Fixed the authwindowslive module. It stopped working after the former API was discontinued.
  • Other minor issues and fixes.

Version 1.14.4

Released 2016-06-08

  • Fixed two minor security issues that allowed malicious URLs to be presented to the user in a link. Reported by John Page.
  • Fixed issue #366. The LDAP class was trying to authenticate even when no password was provided (using the CAS module).
  • Fixed issue #401. The authenticate.php script was printing exceptions instead of throwing them for the exception handler to capture them.
  • Fixed issue #399. The size limitation of the TEXT type in MySQL was creating problems in certain setups.
  • Fixed issue #5. Incoherent population of the $_SERVER variable was creating broken links when running PHP with FastCGI.
  • Other typos and minor bugs: #389, #392.

Version 1.14.3

Released 2016-04-19

  • Fixed a bug in the login form that prevented the login button from being displayed on mobile devices.
  • Resolved an issue in the PHP session handler that made it impossible to use PHP sessions simultaneously with other applications.

Version 1.14.2

Released 2016-03-11

  • Use stable versions of the externalized modules to prevent possible issues when further developing them.

Version 1.14.1

Released 2016-03-08

  • Resolved an information leakage security issue in the sanitycheck module. See SSPSA 201603-01.

Version 1.14.0

Released 2016-02-15

Security

  • Resolved a security issue with multiple modules that were not validating the URLs they were redirecting to.
  • Added a security check to disable loading external entities in XML documents.
  • Enforced admin access to the metadata converter tool.
  • Changed xmlseclibs dependency to point to robrichards/xmlseclibs version 1.4.1.
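The redirect-validation entry above and the 1.14.12 fix for URLs that spell out a standard port both concern the same check: whether a URL points at a host the administrator has marked as trusted. The PHP below is an added example and is not the project's code; the 'host' / 'host:port' entry format, the function name and the test URLs are all this example's assumptions. It shows the port normalisation the 1.14.12 fix describes (a host-only entry accepts the scheme's default port whether or not the URL includes it) and also refuses the inputs that commonly slip past a naive comparison: userinfo before an @, backslashes that browsers treat as slashes, and non-HTTP schemes.

```php
<?php
declare(strict_types=1);

/**
 * Allow-list check for redirect targets (added example, not the project's code).
 * $trusted holds "host" or "host:port" entries, an assumed configuration format.
 * A host-only entry trusts the scheme's default port, whether or not the URL spells it out,
 * so "idp.example.org" accepts both https://idp.example.org/ and https://idp.example.org:443/.
 */
function isTrustedRedirect(string $url, array $trusted): bool
{
    // Browsers treat "\" like "/" but parse_url() does not; refuse the ambiguity outright.
    if (strpos($url, '\\') !== false) {
        return false;
    }
    $parts = parse_url($url);
    // Relative or unparsable URLs are not trusted absolute targets; userinfo is refused so that
    // "https://idp.example.org@evil.example/" cannot pass a substring-style check.
    if ($parts === false || !isset($parts['scheme'], $parts['host'])
        || isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return false;                                     // javascript:, data:, file: are never redirect targets
    }
    $host    = strtolower($parts['host']);
    $default = ($scheme === 'https') ? 443 : 80;
    $port    = $parts['port'] ?? $default;                // explicit port, else the scheme's default

    foreach ($trusted as $entry) {
        $entry = strtolower($entry);
        $tHost = $entry;
        $tPort = null;
        // Split "host:port"; a bracketed IPv6 host such as "[::1]" has no trailing digits and stays intact.
        if (preg_match('/^(.*):(\d+)$/', $entry, $m) === 1) {
            $tHost = $m[1];
            $tPort = (int) $m[2];
        }
        if ($tHost !== $host) {
            continue;
        }
        if (($tPort === null) ? ($port === $default) : ($port === $tPort)) {
            return true;
        }
    }
    return false;
}

// Constructed cases; the expected decision is on the right.
$trusted = ['idp.example.org', 'sp.example.org:8443'];
$cases = [
    'https://idp.example.org/saml2/idp/SSOService.php'  => true,
    'https://idp.example.org:443/module.php/core/login' => true,   // explicit standard port
    'http://idp.example.org/'                           => true,   // default port for http
    'http://idp.example.org:8080/'                      => false,  // non-default port not listed
    'https://sp.example.org:8443/'                      => true,
    'https://sp.example.org/'                           => false,  // listed only with port 8443
    'https://idp.example.org.evil.example/'             => false,
    'https://idp.example.org@evil.example/'             => false,
    'javascript:alert(1)'                               => false,
];
foreach ($cases as $url => $expected) {
    $result = isTrustedRedirect($url, $trusted);
    printf("%-52s %-5s %s\n", $url, $result ? 'true' : 'false', ($result === $expected) ? 'ok' : 'MISMATCH');
}
```

Comparing parsed host and port rather than doing a string prefix match is what makes the explicit-port case work, and it is also what defeats the lookalike host and the userinfo trick in the constructed cases.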

New features

  • Allow setting the location of the configuration directory with an environment variable.
  • Added support for the Metadata Query Protocol by means of the new MDX metadata storage handler.
  • Added support for the Sender-Vouches method.
  • Added support for WantAssertionsSigned and AuthnRequestsSigned in SAML 2.0 SP metadata.
  • Added support for file uploads in the metadata converter.
  • Added support for setting the prefix for Memcache keys.
  • Added support for the Hide From Discovery REFEDS Entity Category.
  • Added support for the eduPersonAssurance attribute.
  • Added support for the full SCHAC 1.5.0 schema.
  • Added support for UNIX sockets when configuring memcache servers.
  • Added the SAML NameID to the attributes status page, when available.
  • Added attribute definitions for schacGender (schac), sisSchoolGrade and sisLegalGuardianFor (skolfederation.se).
  • Attributes required in metadata are now taken into account when parsing.

Bug fixes

  • Fixed an issue with friendly names in the attributes released.
  • Fixed an issue with memcache that would result in a push for every fetch when several servers were configured.
  • Fixed an issue with memcache that would result in an endless loop if all servers are down.
  • Fixed an issue with HTML escaping in error reports.
  • Fixed an issue with the 'admin.protectmetadata' option not being enforced for SP metadata.
  • Fixed an issue with SAML 1.X SSO authentications that removed the NameID of the subject from available data.
  • Fixed an issue with the login form that resulted in a NOSTATE error if the user clicked the login button twice.
  • Fixed an issue with replay detection in IdP-initiated flows.
  • Fixed an issue with SessionNotOnOrAfter that kept moving forward in the future with every SSO authentication.
  • Fixed an issue with the session cookie being set twice for the first time.
  • Fixed an issue with the XXE attack prevention mechanism conflicting with other applications running in the same server.
  • Fixed an issue that prevented the SAML 1.X IdP from restarting when the session is lost.
  • Fixed an issue that prevented classes using namespaces from being loaded automatically.
  • Fixed an issue that prevented certain metadata signatures from being verified (fixed upstream in xmlseclibs).
  • Other bug fixes and numerous documentation enhancements.
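The XXE check added in this release and the bug fix above for its conflict with other applications on the same server point at a general PHP problem: libxml_disable_entity_loader() changes a process-wide libxml setting, so one application toggling it affects every other application sharing the PHP process. An alternative that needs no global state is to refuse any document that carries a DOCTYPE before libxml ever sees it, since entities (internal or external) can only be declared there and SAML messages never need one. The PHP below is an added example, not the project's code; it assumes the mbstring extension (which SimpleSAMLphp requires from 1.14.13) and runs on constructed input.

```php
<?php
declare(strict_types=1);

/**
 * Parse untrusted XML (such as an incoming SAML message) without resolving external entities.
 * Added example, not the project's code. It rejects any DOCTYPE before libxml sees the document,
 * so it needs no process-wide setting such as libxml_disable_entity_loader() that other
 * applications in the same PHP process might rely on. Assumes the mbstring extension.
 */
function parseUntrustedXml(string $xml): DOMDocument
{
    // The DOCTYPE token is only recognisable if the bytes really are UTF-8; refuse anything else
    // rather than let a UTF-16 document slip past the string check below.
    if (!mb_check_encoding($xml, 'UTF-8')) {
        throw new InvalidArgumentException('XML is not valid UTF-8');
    }
    // Entities can only be declared inside a DOCTYPE, and SAML never needs one.
    if (stripos($xml, '<!DOCTYPE') !== false) {
        throw new InvalidArgumentException('XML with DOCTYPE rejected (possible XXE)');
    }

    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);             // collect errors instead of emitting warnings
    // No LIBXML_NOENT and no LIBXML_DTDLOAD; LIBXML_NONET blocks network access during parsing.
    $ok = $doc->loadXML($xml, LIBXML_NONET);
    $errors = libxml_get_errors();
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    if ($ok === false) {
        $msg = ($errors !== []) ? trim($errors[0]->message) : 'unknown error';
        throw new InvalidArgumentException('malformed XML: ' . $msg);
    }
    if ($doc->doctype !== null) {                         // belt and braces: the string check should have caught it
        throw new InvalidArgumentException('unexpected DOCTYPE after parsing');
    }
    return $doc;
}

// Constructed inputs: a minimal SAML-style document and a classic XXE payload.
$benign = '<?xml version="1.0" encoding="UTF-8"?>'
        . '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_c0ffee" Version="2.0"/>';
$xxe = '<?xml version="1.0"?>'
     . '<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
     . '<foo>&xxe;</foo>';

foreach (['benign' => $benign, 'xxe' => $xxe] as $label => $xml) {
    try {
        $doc = parseUntrustedXml($xml);
        echo $label, ': parsed <', $doc->documentElement->tagName, ">\n";
    } catch (InvalidArgumentException $e) {
        echo $label, ': rejected (', $e->getMessage(), ")\n";
    }
}
```

The encoding check matters more than it looks: a DOCTYPE in a UTF-16 document is interleaved with NUL bytes and would not match a byte-string search, while libxml would happily decode it.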

API and user interface

  • Added a new and simple database class to serve as PDO interface for all the database needs.
  • Added the possibility to copy metadata and other elements by clicking a button in the web interface.
  • Removed the old, unused pack installer tool.
  • Improved usability by telling users the endpoints are not to be accessed directly.
  • Moved the hostname, port and protocol diagnostics tool to the admin directory.
  • Several classes and functions were deprecated.
  • Changed the signature of several functions.
  • Deleted old and deprecated code, interfaces and endpoints.
  • Deleted old jQuery remnants.
  • Deleted the undocumented dynamic XML metadata storage handler.
  • Deleted the backwards-compatible authentication source.
  • Updated jQuery to the latest 1.8.X version.
  • Updated translations.

authcrypt

  • Added whitehat101/apr1-md5 as a dependency for Apache htpasswd.

authX509

  • Added an authentication processing filter to warn about certificate expiration.

ldap

  • Added a new port configuration option.
  • Better error reporting.

metaedit

  • Removed the admins configuration option.

metarefresh

  • Added the possibility to specify which types of entities to load.
  • Added the possibility to verify metadata signatures by using the public key present in a certificate.
  • Fixed certificate precedence over fingerprint in the configuration options when verifying metadata signatures.

smartnameattribute

  • This module was deprecated a long time ago and has now been removed. Use the smartattributes module instead.

Version 1.13.2

Released 2014-11-04

  • Solved performance issues when processing large metadata sets.
  • Fixed an issue in the web interface when only one language is enabled.

Version 1.13.1

Released 2014-10-27

  • Solved an issue where empty fields in metadata caused SimpleSAMLphp to fail with a translation error. Issues #97 and #114.
  • Added Basque language to the list of known languages. Issue #117.
  • Optimized the execution of redirections by removing an additional, unnecessary function call.
  • Solved an issue that caused SimpleSAMLphp to fail when the RelayState parameter was empty or missing on an IdP-initiated authentication. Issues #99 and #104.
  • Fixed a certificate check for SubjectConfirmations with Holder of Key methods.

Version 1.13

Released 2014-09-25

  • Added the 'remember me' option to the default login page.
  • Improved error reporting.
  • Added a new 'logging.format' option to control the formatting of the logs.
  • Added support for the 'objectguid' binary attribute in LDAP modules.
  • Added support for custom search and private attributes read credentials in all LDAP modules.
  • Added support for the WantAuthnRequestsSigned option in generated SAML metadata.
  • Tracking identifiers are no longer generated based on MD5.
  • Several functions, classes and interfaces marked as deprecated.
  • Bug fixes and documentation enhancements.
  • Updated translations.
  • New language: Basque.

adfs

  • Honour the 'wreply' parameter when redirecting.

aggregator

  • Fixed an issue when regenerating metadata from certain metadata sources.

discopower