
25 October 2021

We are pleased to announce Kantega SSO Enterprise 5.0.

Read the upgrade notes for important information about this release, and see the full changelog below.

Compatible applications

Application    Compatible from version
Bamboo         7.0.1
Bitbucket      6.8.0
Confluence     7.1.0
Jira           8.6.0

Changelog

Kantega SSO is getting a massive improvement under the hood, laying the foundation for future functionality. The setup wizard for SAML and OpenID Connect has also been rebuilt on new technology and provides a faster setup with better feedback.

Changes in 5.0.0

Features

  • [SCIM] New setup wizard for SAML and OIDC identity providers

  • [SAML/OIDC] New identity provider overview page

  • [OIDC] Ability to only allow authentication from an OIDC identity provider when MFA is used for logging in

  • Configuration status page for compatibility and upgrades

Improvements

  • Removed old onboarding, which was out of date with the rest of the app

  • More powerful IP address restrictions for Kerberos, Username from Header and API tokens: a rule can now be a full IP address, a CIDR block, or a regular expression in a stricter format (it must start with ^ and end with $) to specify a range of IP addresses
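To make the three rule formats concrete, here is an added example (not the product's own code) of a matcher that accepts a full address, a CIDR block, or an anchored regular expression, and rejects a regex that lacks the ^ and $ anchors. The class name, the rule strings and the client addresses are constructed for the illustration; the CIDR logic is a plain bitwise prefix comparison that works for both IPv4 and IPv6.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.regex.Pattern;

/**
 * Hypothetical matcher for one IP restriction rule in one of three forms:
 * a full address ("10.1.2.3"), a CIDR block ("10.1.0.0/16") or an anchored
 * regular expression ("^10\\.1\\.2\\.[0-9]+$"). Unanchored regexes are rejected.
 */
public final class IpRestrictionRule {

    // Characters that can appear in an IPv4 or IPv6 literal (no regex metacharacters).
    private static final Pattern LITERAL = Pattern.compile("[0-9A-Fa-f:.]+");

    /** Checks that the rule is well-formed; throws IllegalArgumentException otherwise. */
    static void validate(String rule) {
        if (rule.contains("/")) {
            String[] parts = rule.split("/", 2);
            InetAddress net = literal(parts[0]);
            int prefix = Integer.parseInt(parts[1]);
            if (prefix < 0 || prefix > net.getAddress().length * 8) {
                throw new IllegalArgumentException("prefix length out of range: " + rule);
            }
        } else if (LITERAL.matcher(rule).matches()) {
            literal(rule);                       // must parse as a single full address
        } else if (!(rule.startsWith("^") && rule.endsWith("$"))) {
            // An unanchored "10.0.0.1" would also match "110.0.0.12", so anchors are mandatory.
            throw new IllegalArgumentException("regex rule must start with ^ and end with $: " + rule);
        } else {
            Pattern.compile(rule);               // throws PatternSyntaxException on bad syntax
        }
    }

    /** True if clientIp is allowed by the rule; validate(rule) is assumed to have passed. */
    static boolean matches(String rule, String clientIp) {
        InetAddress client = literal(clientIp);
        if (rule.contains("/")) {
            String[] parts = rule.split("/", 2);
            return inCidr(literal(parts[0]), Integer.parseInt(parts[1]), client);
        }
        if (LITERAL.matcher(rule).matches()) {
            return literal(rule).equals(client); // canonical comparison, e.g. "::1" vs "0:0:0:0:0:0:0:1"
        }
        return Pattern.compile(rule).matcher(clientIp).matches();
    }

    /** Bitwise prefix comparison; works for IPv4 (4 bytes) and IPv6 (16 bytes). */
    static boolean inCidr(InetAddress network, int prefix, InetAddress addr) {
        byte[] n = network.getAddress();
        byte[] a = addr.getAddress();
        if (n.length != a.length) return false;  // never mix address families
        int fullBytes = prefix / 8;
        for (int i = 0; i < fullBytes; i++) {
            if (n[i] != a[i]) return false;
        }
        int remaining = prefix % 8;
        if (remaining == 0) return true;
        int mask = (0xFF << (8 - remaining)) & 0xFF;
        return (n[fullBytes] & mask) == (a[fullBytes] & mask);
    }

    /** Parses an IP literal only; the LITERAL check keeps hostnames (and DNS lookups) out. */
    private static InetAddress literal(String ip) {
        if (!LITERAL.matcher(ip).matches()) {
            throw new IllegalArgumentException("not an IP literal: " + ip);
        }
        try {
            return InetAddress.getByName(ip);
        } catch (UnknownHostException e) {
            throw new IllegalArgumentException("not an IP address: " + ip, e);
        }
    }

    public static void main(String[] args) {
        // Constructed rules and client addresses for the demonstration.
        String[] rules = {"10.1.2.3", "10.1.0.0/16", "^10\\.1\\.2\\.[0-9]+$", "2001:db8::/32"};
        String[] clients = {"10.1.2.3", "10.1.200.7", "10.2.0.1", "2001:db8::1"};
        for (String rule : rules) {
            validate(rule);
            for (String client : clients) {
                System.out.printf("%-24s %-14s %s%n", rule, client,
                        matches(rule, client) ? "allow" : "deny");
            }
        }
        try {
            validate("10.1.2.*");                // old-style unanchored pattern is rejected
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The anchor requirement is what makes the regex form "stricter": without it, a pattern written for one address silently matches any longer address that contains it as a substring.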

Bugs

  • Users are removed from and immediately added to the same group again

Security Patches

  • RV_ABSOLUTE_VALUE_OF_RANDOM_INT: RV: Bad attempt to compute absolute value of signed random integer in API Connector ID generator

  • DM_DEFAULT_ENCODING: String to byte or byte to string conversions using default platform encoding instead of consistent standard charset encoding

  • SECLDAPI - LDAP_INJECTION: Potential LDAP injection in user lookup due to missing sanitization of special LDAP characters

  • CRLF_INJECTION_LOGS: Potential CRLF Injection for logs: unsanitized user input put directly into logger

  • XSS_SERVLET: Potential XSS in servlets that write output through a PrintWriter

  • INSECURE_COOKIE: Cookie set without the HttpOnly or Secure flag

  • UNSAFE_HASH_EQUALS: Unsafe hash equals in API token validation. An attacker might be able to detect the value of the secret hash because the comparison time is exposed: Arrays.equals() and String.equals() return as soon as the first mismatching byte is found, so the time taken depends on how many leading bytes match

  • Update io.jsonwebtoken jjwt libraries used for JWT validation in OpenID Connect to latest version 0.11.2

  • Increased CSRF protection: Origin header required in POST requests on Kantega SSO Enterprise pages
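The following added example (not Kantega's code) shows the fix pattern behind three of the findings above: LDAP_INJECTION, CRLF_INJECTION_LOGS, and UNSAFE_HASH_EQUALS together with DM_DEFAULT_ENCODING. The class name, the LDAP attribute name, the use of SHA-256 for stored token hashes, and all input strings are assumptions made for the illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Hypothetical helpers illustrating the mitigation for each listed finding. */
public final class SecurityPatchExamples {

    /** LDAP_INJECTION: escape the RFC 4515 filter metacharacters before interpolating a value. */
    static String escapeLdapFilterValue(String value) {
        StringBuilder out = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': out.append("\\5c"); break;
                case '*':  out.append("\\2a"); break;
                case '(':  out.append("\\28"); break;
                case ')':  out.append("\\29"); break;
                case '\0': out.append("\\00"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** User lookup filter; the attribute name is an assumption, not the product's setting. */
    static String userLookupFilter(String username) {
        return "(&(objectClass=person)(sAMAccountName=" + escapeLdapFilterValue(username) + "))";
    }

    /** CRLF_INJECTION_LOGS: make line breaks visible instead of letting them forge new log lines. */
    static String sanitizeForLog(String untrusted) {
        return untrusted.replace("\r", "\\r").replace("\n", "\\n");
    }

    /** DM_DEFAULT_ENCODING: always name the charset; the platform default differs between JVMs. */
    static byte[] sha256(String text) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(text.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    /**
     * UNSAFE_HASH_EQUALS: Arrays.equals returns at the first differing byte, so comparison time
     * reveals how long a prefix of the secret matched. MessageDigest.isEqual examines every byte.
     * Comparing fixed-length digests also means the length of the presented token is not leaked.
     */
    static boolean tokenMatches(byte[] storedTokenHash, String presentedToken) {
        return MessageDigest.isEqual(storedTokenHash, sha256(presentedToken));
    }

    public static void main(String[] args) {
        // Constructed input: a username carrying filter metacharacters.
        System.out.println(userLookupFilter("alice*)(objectClass=*"));

        // Constructed input: a header value containing a line break.
        System.out.println("login failed for user="
                + sanitizeForLog("bob\r\nINFO login succeeded for user=admin"));

        // Constructed token: only its digest would be persisted.
        byte[] stored = sha256("constructed-api-token");
        System.out.println(tokenMatches(stored, "constructed-api-token"));
        System.out.println(tokenMatches(stored, "constructed-api-tokem"));
    }
}
```

For the log case, the escaped form keeps the injected text on the original line, so a second "login succeeded" entry cannot appear in the log file; for the token case, the stored value is compared as a digest so neither the match length nor the token length influences the comparison time.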

Changes in 5.0.1

Bugs

  • [SCIM] Link to 'SCIM network requirements' is incorrect in step 'Network preparation' in SCIM setup.

  • [API Connector] Link to 'Setup provider' in API Connector is incorrect.

  • [SAML/OIDC] Links to Identity Provider will not render in the JSM portal

  • [SAML/OIDC] Links to Identity Provider on Jira baseUrl (which is redirected to /secure/MyJiraHome.jspa) will not render

  • [Update of config] Regular expressions in IP restrictions on Kerberos, Username from header and API Tokens are not translated to new format upon update of config
