We are pleased to announce Kantega SSO Enterprise 5.5.
Read the upgrade notes for important information about the updating to version 5 (and you are upgrading from 4.x), and see the full changelog below.
Read the upgrade notes for important information about the updating to version 5 (and you are upgrading from 4.x), and see the full changelog below.
Application | Compatible from version |
|---|---|
Bamboo | 7.0.1 |
Bitbucket | 7.0.0 |
Confluence | 7.4.0 |
Jira | 8.8.0 |
We are happy to announce that Kantega SSO Enterprise will be release for Bamboo Data Center this spring. The version is planned for release during March, when the Atlassian certification is completed. Data Center customers will be required to purchase a Data Center app license upon their next renewal.
Security patches and bug fixes and GUI improvements.
The setup wizard has been refactored with more a new, faster form system and state management
Migrate usage of a deprecated SAL UserManager methods for obtaining UserProfile
More consistent with external link symbol for links pointing outside the product
Fix poor handling of Websudo / Secure Administration Session timeout Setup wizard
Instant redirect didn’t show text on dashboard page in Jira
Nullpointer exception introduced in 5.4.0 in referer header check in servlet filter chain for REST endpoints
Added a toggle so it is an option to turn off the CSRF Origin Header check that was introduced in built-in to version 5 of Kantega SSO Enterprise if your system encounters issues with headers. The feature acts like ‘Disable Basic Auth’, and can be disabled also by removing a file on the application server. It is recommended to keep this check turned on for security reasons.
Updated Bouncy Castle bcpkix dependency in SAML component
Updated Bouncy Castle bcprov dependency in Kerberos component
Deprecated javascript resource com.atlassian.auiplugin:dialog2 migrated to com.atlassian.auiplugin:aui-dialog2
Fixed redirect to Jira Service Management (JSM/JSD) not working
Fix metadata URL hint missing for Keycloak in IDP setup wizard
Innacurate / incorrect test result text in SAML login test results for Missing User Info status
Dependency | Updated from version | Updated to version | Description |
|---|---|---|---|
bouncycastle.bcprov | bouncycastle.bcprov-jdk15@140 | org.bouncycastle.bcprov-jdk15to18@1.70 | Dependency in Kerberos component of Kantega SSO Enterprise, org.simplericity.serberuhs. Our internal managed fork of serberuhs contains the new updates. |
org.bouncycastle.bcpkix | bcpkix-jdk15on@1.59 | org.bouncycastle.bcpkix-jdk15to18@1.70 | Dependency in SAML component of Kantega SSO Enterprise |
The dependency patching resolved the following vulnerabilities:
Vulnerabilities | Vulnerable dependency | Fix dependency |
|---|---|---|
CVE-2013-1624 | bouncycastle.bcprov-jdk15@140 in org.simplericity.serberuhs | org.bouncycastle.bcprov-jdk15to18@1.70 |
CVE-2020-26939, | bcpkix-jdk15on@1.59 | org.bouncycastle.bcpkix-jdk15to18@1.70 |
CWE-200 | commons-codec:commons-codec@1.3 in org.simplericity:serberuhs | commons-codec:commons-codec@1.15 |
Rewrote and improved the User Lookup page with more powerful regex transformation test and improved UX
Improve how progress is kept in setup wizard when navigating to previous steps
Setup wizard did no allow characters outside ISO-8859-1
Could not abort automatic redirect on login page with esc button
Managed groups under Group Memberships had inconsistencies and didn’t work properly
Inconsistent login test result status regarding user not found
Incorrect summary on Kerberos test page when Kerberos is disabled but is still enabled for users in a certain user group or directory.
Update of config warning flag gave wrong link path to Configuration status from certain pages
Audit and update NPM packages and one maven dependency. The following vulnerabilities were patched:
Vulnerabilities | Dependency | Package |
|---|---|---|
CVE-2021-3807 | ansi-regex:4.1.0 | |
CVE-2020-28469 | glob-parent:3.1.0 | |
CVE-2020-15168 | node-fetch:2.6.1 | |
CVE-2022-0122 | node-forge:0.10.0 | |
CVE-2021-23382 | postcss:7.0.39 | |
CVE-2019-12400 | org.apache.santuario:xmlsec:2.0.10) |
In this release, we temporary roll back Kerberos (back to
bouncycastle.bcprov-jdk15@140 in org.simplericity.serberuhs) due to some compatibility issues with the library update performed in verison 5.5.2. We will investigate and troubleshoot the issues with the update before reintroducing it more stabilized in a later release.
Setup wizard summary step was stuck on ‘Loading…’ due to changes in 5.5.3
Metadata URL was not saved after SAML IDP setup due to changes in 5.5.3
Unchanged display name was not persisted in IDP setup draft due to changes in 5.5.3