...
We are pleased to announce Kantega SSO Enterprise 5.0.
Read the upgrade notes for important information about this release, and see the full changelog below.
...
RV_ABSOLUTE_VALUE_OF_RANDOM_INT: RV: Bad attempt to compute absolute value of signed random integer in API Connector ID generator
DM_DEFAULT_ENCODING: String to byte or byte to string conversions using default platform encoding instead of consistent standard charset encoding
SECLDAPI - LDAP_INJECTION: Potential LDAP injection in user lookup due to missing sanitization of special LDAP characters
CRLF_INJECTION_LOGS: Potential CRLF Injection for logs: unsanitized user input put directly into logger
XSS_SERVLET: Potential XSS in Servlets that write user-controlled data through a PrintWriter
INSECURE_COOKIE: Cookie without HttpOnly or secure flag
UNSAFE_HASH_EQUALS: Unsafe hash equals in API Token validation. An attacker might be able to detect the value of the secret hash due to the exposure of comparison timing. When the functions Arrays.equals() or String.equals() are called, they will exit earlier if fewer bytes are matched.
Update io.jsonwebtoken jjwt libraries used for JWT validation in OpenID Connect to latest version 0.11.2
Increased CSRF protection: Origin header required in POST requests on Kantega SSO Enterprise pages
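As an added illustration of the UNSAFE_HASH_EQUALS item above (example code, not Kantega's own), the following Java snippet contrasts an API token check built on String.equals() with one built on java.security.MessageDigest.isEqual(); the class, method names and the sample token are assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Added example: hypothetical token validator, not code from Kantega SSO.
public class TokenCheck {

    // Hex-encoded SHA-256 of a token, the form a server might store instead of the raw secret.
    static String sha256Hex(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256")
                    .digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (byte b : d) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    // Vulnerable pattern: String.equals() returns at the first differing character,
    // so the elapsed time leaks how many leading characters of the stored hash matched.
    static boolean validateEarlyExit(String storedHash, String presentedToken) {
        return storedHash.equals(sha256Hex(presentedToken));
    }

    // Hardened pattern: MessageDigest.isEqual() compares every byte of equal-length
    // inputs before returning, so the result does not depend on where they differ.
    // It still returns early on a length mismatch, which is harmless here because
    // both sides are fixed-length SHA-256 hex digests.
    static boolean validateConstantTime(String storedHash, String presentedToken) {
        byte[] a = storedHash.getBytes(StandardCharsets.UTF_8);
        byte[] b = sha256Hex(presentedToken).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(a, b);
    }

    public static void main(String[] args) {
        // Constructed sample token; a real deployment stores only the hash.
        String stored = sha256Hex("sample-api-token");
        System.out.println("early-exit, correct token:   " + validateEarlyExit(stored, "sample-api-token"));
        System.out.println("constant-time, correct token: " + validateConstantTime(stored, "sample-api-token"));
        System.out.println("constant-time, wrong token:   " + validateConstantTime(stored, "wrong-token"));
    }
}
```

Comparing hashes rather than raw tokens also means the stored value is not itself the secret, so an accidental log or database exposure of the hash does not directly yield a usable token.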
Changes in 5.0.1
...
Bug Fixes
Link to 'SCIM network requirements' is incorrect in step 'Network preparation' of the SCIM setup. [SCIM]
Link to 'Setup provider' in API Connector is incorrect. [API Connector]
Links to Identity Provider will not render in the JSM portal. [SAML/OIDC]
Links to Identity Provider on the Jira baseUrl (which is redirected to /secure/MyJiraHome.jspa) will not render. [SAML/OIDC]
Regular expressions in IP restrictions on Kerberos, Username from header and API Tokens are not translated to the new format upon update of config. [Update Config]
Changes in 5.0.2
Bug Fixes
Fixed a bug that prevented certain internal plugin resources from being served from the Data Center CDN. They will no longer show up in /rest/webResources/1.0/deprecatedDescriptors.
Allow # sign in LDAP username lookups. [Kerberos]
Improvements
Not showing SCIM user directories as selectable for JIT. [SCIM]
Temporarily disable the Origin header requirement for CSRF when saving Kantega SSO changes, to be in line with Atlassian standards. It will be reintroduced as an optional security improvement later.
Changes in 5.0.3
Improvements
Catch errors that may happen if Active Directory times out when updating groups during login. [Kerberos]
Restrict API Authentication no longer blocks Jira-Confluence @mention functionality. [API Tokens]
Allow username containing \ sign for lookup when userPrincipalName is the username key in Active Directory. [Kerberos]
Soften CSRF check to allow empty Origin and Referer headers.
Bug Fixes
Fix handling of Active Objects errors seen in Postgres during upgrade from 4.x to 5.x. [API Tokens]
Disabling Kerberos for users in certain groups and directories was not working. [Kerberos]
Allow upgrading from 4.x to 5.x with IdP type "Other". [SAML/OIDC]