Eric Heydrick authored
simplesamlphp-changelog.md
SimpleSAMLphp changelog
This document lists the changes between versions of SimpleSAMLphp. See the upgrade notes for specific information about upgrading.
Version 1.14.14
Released 2017-05-05
- Resolved a security issue in the authcrypt module (Htpasswd authentication source) and in SimpleSAMLphp's session validation. See SSPSA 201705-01.
- Resolved a security issue in the multiauth module. See SSPSA 201704-02.
Version 1.14.13
Released 2017-04-27
- Resolved a security issue with unauthenticated encryption in the SimpleSAML\Utils\Crypto class. See SSPSA 201704-01.
- Added requirement for the Multibyte String PHP extension and the corresponding checks.
- Set a default name for SimpleSAMLphp sessions in the configuration template for the PHP session handler.
Version 1.14.12
Released 2017-03-30
- Resolved a security issue in the authcrypt module (Htpasswd authentication source) and in SimpleSAMLphp's session validation. See SSPSA 201703-01.
- Resolved a security issue with IV generation in the `SimpleSAML\Utils\Crypto::_aesEncrypt()` method. See SSPSA 201703-02.
- Fixed an issue with the authfacebook module, broken after a change in Facebook's API.
- Fixed an issue in the discopower module that ignored the `hide.from.discovery` metadata option.
- Fixed an issue with trusted URL validation that prevented a URL from being accepted if a standard port was explicitly included in the URL but not specified in the configuration.
- Fixed an issue that prevented detecting a Memcache server being down when fetching Memcache statistics.
- Fixed an issue with operating system detection that made SimpleSAMLphp identify OSX as Windows.
Version 1.14.11
Released 2016-12-12
- Resolved a security issue involving signature validation of SAML 1.1 messages. See SSPSA 201612-02.
- Fixed an issue when the user identifier used to generate a persistent NameID was missing due to a misconfiguration, causing SimpleSAMLphp to generate the NameID based on the null data type.
- Fixed an issue when persistent NameIDs were generated out of attributes with empty strings or multiple values.
- Fixed issue #530. An empty SubjectConfirmation element was causing SimpleSAMLphp to crash. On the other hand, invalid SubjectConfirmation elements were ignored in PHP 7.0.
Version 1.14.10
Released 2016-12-02
- Resolved a security issue involving signature validation. See SSPSA 201612-01.
- Fixed issue #517. A misconfigured session when acting as a service provider was leading to a PHP fatal error.
- Fixed issue #519. Prevent persistent NameIDs from being generated from empty strings.
- Fixed issue #520. It was impossible to verify Apache's custom MD5 passwords when using the Htpasswd authentication source.
- Fixed issue #523. Avoid problems caused by different line-ending strategies in the project files.
- Other minor fixes and enhancements.
Version 1.14.9
Released 2016-11-10
- Fixed an issue that resulted in PHP 7 errors being masked.
- Fixed the smartattributes:SmartName authentication processing filter.
- Fixed issue #500. When parsing metadata, two 'attributes.required' options were generated.
- Fixed the list of requirements in composer, the documentation, and the configuration page.
- Fixed issue #479. There were several minor issues with XHTML compliance.
- Other minor fixes.
Version 1.14.8
Released 2016-08-23
- Fixed an issue in AuthMemCookie that caused it to crash when a received attribute contained XML as its value.
- Fixed an issue in AuthMemCookie that made it impossible to set its own cookie.
- Fixed an issue when acting as a proxy and receiving attributes that contain XML as their values.
- Fixed an issue that led to incorrect URL guessing when a script is invoked with a URI that doesn't include its name.
Version 1.14.7
Released 2016-08-01
- Fixed issue #424. Attributes containing XML as their values (like eduPersonTargetedID) were empty.
Version 1.14.6
Released 2016-07-18
- Fixed issue #418. SimpleSAMLphp was unable to obtain the current URL correctly when invoked from third-party applications.
Version 1.14.5
Released 2016-07-12
- Fixed several issues with session handling when cookies couldn't be set for some reason.
- Fixed an issue that caused wrong URLs to be generated in the web interface under certain circumstances.
- Fixed the exception handler to be compatible with PHP 7.
- Fixed an issue in the dropdown IdP selection page that prevented it from working with PHP 5.3.
- Fixed compatibility with Windows machines.
- Fixed an issue with the PDO and Serialize metadata storage handlers.
- Fixed the authwindowslive module. It stopped working after the former API was discontinued.
- Other minor issues and fixes.
Version 1.14.4
Released 2016-06-08
- Fixed two minor security issues that allowed malicious URLs to be presented to the user in a link. Reported by John Page.
- Fixed issue #366. The LDAP class was trying to authenticate even when no password was provided (using the CAS module).
- Fixed issue #401. The authenticate.php script was printing exceptions instead of throwing them for the exception handler to capture them.
- Fixed issue #399. The size limitation of the TEXT type in MySQL was creating problems in certain setups.
- Fixed issue #5. Incoherent population of the $_SERVER variable was creating broken links when running PHP with FastCGI.
- Other typos and minor bugs: #389, #392.
Version 1.14.3
Released 2016-04-19
- Fixed a bug in the login form that prevented the login button from being displayed on mobile devices.
- Resolved an issue in the PHP session handler that made it impossible to use PHP sessions simultaneously with other applications.
Version 1.14.2
Released 2016-03-11
- Use stable versions of the externalized modules to prevent possible issues when further developing them.
Version 1.14.1
Released 2016-03-08
- Resolved an information leakage security issue in the sanitycheck module. See SSPSA 201603-01.
Version 1.14.0
Released 2016-02-15
Security
- Resolved a security issue with multiple modules that were not validating the URLs they were redirecting to.
- Added a security check to disable loading external entities in XML documents.
- Enforced admin access to the metadata converter tool.
- Changed the `xmlseclibs` dependency to point to robrichards/xmlseclibs version 1.4.1.
New features
- Allow setting the location of the configuration directory with an environment variable.
- Added support for the Metadata Query Protocol by means of the new MDX metadata storage handler.
- Added support for the Sender-Vouches method.
- Added support for WantAssertionsSigned and AuthnRequestsSigned in SAML 2.0 SP metadata.
- Added support for file uploads in the metadata converter.
- Added support for setting the prefix for Memcache keys.
- Added support for the Hide From Discovery REFEDS Entity Category.
- Added support for the eduPersonAssurance attribute.
- Added support for the full SCHAC 1.5.0 schema.
- Added support for UNIX sockets when configuring memcache servers.
- Added the SAML NameID to the attributes status page, when available.
- Added attribute definitions for schacGender (schac), sisSchoolGrade and sisLegalGuardianFor (skolfederation.se).
- Attributes required in metadata are now taken into account when parsing.
Bug fixes
- Fixed an issue with friendly names in the attributes released.
- Fixed an issue with memcache that would result in a push for every fetch when several servers were configured.
- Fixed an issue with memcache that would result in an endless loop if all servers are down.
- Fixed an issue with HTML escaping in error reports.
- Fixed an issue with the 'admin.protectmetadata' option not being enforced for SP metadata.
- Fixed an issue with SAML 1.X SSO authentications that removed the NameID of the subject from available data.
- Fixed an issue with the login form that resulted in a `NOSTATE` error if the user clicked the login button twice.
- Fixed an issue with replay detection in IdP-initiated flows.
- Fixed an issue with SessionNotOnOrAfter that kept moving forward in the future with every SSO authentication.
- Fixed an issue with the session cookie being set twice for the first time.
- Fixed an issue with the XXE attack prevention mechanism conflicting with other applications running in the same server.
- Fixed an issue that prevented the SAML 1.X IdP from restarting when the session is lost.
- Fixed an issue that prevented classes using namespaces from being loaded automatically.
- Fixed an issue that prevented certain metadata signatures from being verified (fixed upstream in `xmlseclibs`).
- Other bug fixes and numerous documentation enhancements.
API and user interface
- Added a new and simple database class to serve as PDO interface for all the database needs.
- Added the possibility to copy metadata and other elements by clicking a button in the web interface.
- Removed the old, unused `pack` installer tool.
- Improved usability by telling users the endpoints are not to be accessed directly.
- Moved the hostname, port and protocol diagnostics tool to the admin directory.
- Several classes and functions were deprecated.
- Changed the signature of several functions.
- Deleted old and deprecated code, interfaces and endpoints.
- Deleted old jQuery remnants.
- Deleted the undocumented dynamic XML metadata storage handler.
- Deleted the backwards-compatible authentication source.
- Updated jQuery to the latest 1.8.X version.
- Updated translations.
authcrypt
- Added whitehat101/apr1-md5 as a dependency for Apache htpasswd.
authX509
- Added an authentication processing filter to warn about certificate expiration.
ldap
- Added a new `port` configuration option.
- Better error reporting.
metaedit
- Removed the `admins` configuration option.
metarefresh
- Added the possibility to specify which types of entities to load.
- Added the possibility to verify metadata signatures by using the public key present in a certificate.
- Fixed `certificate` taking precedence over `fingerprint` in the configuration options when verifying metadata signatures.
smartnameattribute
- This module was deprecated a long time ago and has now been removed. Use the `smartattributes` module instead.
Version 1.13.2
Released 2014-11-04
- Solved performance issues when processing large metadata sets.
- Fix an issue in the web interface when only one language is enabled.
Version 1.13.1
Released 2014-10-27
- Solved an issue where empty fields in metadata caused SimpleSAMLphp to fail with a translation error. Issues #97 and #114.
- Added Basque language to the list of known languages. Issue #117.
- Optimized the execution of redirections by removing an additional, unnecessary function call.
- Solved an issue that caused SimpleSAMLphp to fail when the RelayState parameter was empty or missing on an IdP-initiated authentication. Issues #99 and #104.
- Fixed a certificate check for SubjectConfirmations with Holder of Key methods.
Version 1.13
Released 2014-09-25
- Added the 'remember me' option to the default login page.
- Improved error reporting.
- Added a new 'logging.format' option to control the formatting of the logs.
- Added support for the 'objectguid' binary attribute in LDAP modules.
- Added support for custom search and private attributes read credentials in all LDAP modules.
- Added support for the WantAuthnRequestsSigned option in generated SAML metadata.
- Tracking identifiers are no longer generated based on MD5.
- Several functions, classes and interfaces were marked as deprecated.
- Bug fixes and documentation enhancements.
- Updated translations.
- New language: Basque.
adfs
- Honour the 'wreply' parameter when redirecting.
aggregator
- Fixed an issue when regenerating metadata from certain metadata sources.