Kantega SSO Enterprise 5.3.x release notes
We are pleased to announce Kantega SSO Enterprise 5.3.
Read the upgrade notes for important information about updating to version 5 (if you are upgrading from 4.x), and see the full changelog below.
Compatible applications
Application | Compatible from version |
---|---|
Bamboo | 7.0.1 |
Bitbucket | 6.8.0 |
Confluence | 7.1.0 |
Jira | 8.6.0 |
Changelog
After the large fundamental changes in 5.0, we are now stabilizing and improving the product, while still adding new functionality and security fixes.
Changes in 5.3.0
January 11, 2022
Features
API tokens: Added REST API endpoints for managing API tokens.
Documentation for the Kantega SSO REST API is available here:
Kantega SSO 5.6.2 REST API
SAML/OIDC managed auto-create users: match the group memberships carried in the user profile claims of the response against a configured list of groups, and only create the user when a match is found. This allows more fine-grained configuration of just-in-time provisioning.
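The group-match condition above is the part of just-in-time provisioning where a permissive implementation does damage: any account at the identity provider would otherwise become a local account. The following is an added example, not Kantega SSO code, that models that condition as a fail-closed gate. The claim names (`sub`, `groups`), the configuration shape and all function names are assumptions; the sample claim sets are constructed for the demo.

```python
"""Added example (not Kantega SSO code): a fail-closed gate for just-in-time
user provisioning, modelling the 5.3.0 behaviour "only auto-create a user when
a group membership in the profile claims matches a configured list".
Claim names, the config shape and all function names are assumptions."""
from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class JitConfig:
    """Hypothetical provisioning config (assumed, not the product's schema)."""
    allowed_groups: frozenset[str]      # groups that permit auto-creation
    groups_claim: str = "groups"        # assumed name of the group claim
    subject_claim: str = "sub"          # assumed name of the identifier claim


# Constructed sample configuration for the demo below.
CFG = JitConfig(allowed_groups=frozenset({"engineering", "operations"}))


def _claim_values(raw: Any) -> set[str]:
    """Normalise a claim that may be a single string or a list of strings.
    Non-string entries are dropped rather than coerced, so a malformed
    response can never be turned into a matching group name."""
    if isinstance(raw, str):
        raw = [raw]
    if not isinstance(raw, (list, tuple, set, frozenset)):
        return set()
    return {v.strip() for v in raw if isinstance(v, str) and v.strip()}


def matched_groups(claims: dict[str, Any], cfg: JitConfig) -> list[str]:
    """Groups from the response that are also in the configured list."""
    return sorted(_claim_values(claims.get(cfg.groups_claim)) & cfg.allowed_groups)


def should_create_user(claims: dict[str, Any], cfg: JitConfig) -> tuple[bool, str]:
    """Decide whether JIT provisioning may create the user described by `claims`.

    Every ambiguous case denies: no configured groups, no subject, a missing or
    empty group claim, or no overlap with the configured list. The reason string
    is what an admin would want to see in the audit log."""
    if not cfg.allowed_groups:
        return False, "no groups configured; auto-create is disabled"
    subject = claims.get(cfg.subject_claim)
    if not isinstance(subject, str) or not subject.strip():
        return False, f"claim {cfg.subject_claim!r} missing; cannot identify user"
    if not _claim_values(claims.get(cfg.groups_claim)):
        return False, f"claim {cfg.groups_claim!r} missing or empty"
    matched = matched_groups(claims, cfg)
    if not matched:
        return False, "no group membership in the configured list"
    return True, "matched " + ", ".join(matched)


if __name__ == "__main__":
    # Constructed sample claim sets, shaped like an OIDC userinfo response or a
    # SAML attribute statement after attribute mapping.
    samples = [
        {"sub": "alice", "groups": ["engineering", "sales"]},   # create
        {"sub": "bob", "groups": "operations"},                 # single value, create
        {"sub": "carol", "groups": ["sales"]},                  # deny
        {"sub": "dave"},                                        # no claim, deny
        {"groups": ["engineering"]},                            # no subject, deny
        {"sub": "erin", "groups": [42, None, "engineering "]},  # junk ignored, create
    ]
    for claims in samples:
        ok, reason = should_create_user(claims, CFG)
        print(f"{claims.get('sub', '<none>'):6} -> {'CREATE' if ok else 'DENY':6} ({reason})")
```

The design point is that an empty configured list disables auto-creation instead of allowing everyone, and that only the matched groups (not every group the provider sends) are reported, which is what you would want to carry over into the new user's local group memberships.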
Bug fixes
A "config update available" warning was shown in a fresh installation even when no config update was needed.
Updating the config from the Config status page in a fresh installation returned a 500 error page with a NullPointerException.
Changes in 5.3.1
Version 5.3.1 was withdrawn due to a bug with Bouncy Castle in SAML.
Changes in 5.3.2
January 19, 2022.
This is a significant update of several dependencies.
During our last audit we went through all of our source code and updated dependencies wherever possible to mitigate several known security vulnerabilities. We use the org.owasp.dependency-check-maven plugin to scan our dependencies.
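As an added example (not Kantega's own build configuration), this is how the OWASP dependency-check-maven plugin mentioned above is typically wired into a Maven build so that the scan runs on every build and fails it on high-severity findings rather than only producing a report. The plugin version is an assumption; pick a current release.

```xml
<!-- Added example, not Kantega's pom.xml: OWASP dependency-check-maven bound
     to the build so that known-vulnerable dependencies fail the build. -->
<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>6.5.3</version>   <!-- assumed version; use a current release -->
  <configuration>
    <!-- Fail the build on any finding with CVSS >= 7 (high or critical). -->
    <failBuildOnCVSS>7</failBuildOnCVSS>
    <!-- Reviewed false positives are recorded in a suppression file that is
         itself under code review, not silenced ad hoc. -->
    <suppressionFiles>
      <suppressionFile>dependency-check-suppressions.xml</suppressionFile>
    </suppressionFiles>
    <!-- HTML for humans, JSON for the CI pipeline. -->
    <formats>
      <format>HTML</format>
      <format>JSON</format>
    </formats>
  </configuration>
  <executions>
    <execution>
      <goals>
        <goal>check</goal>
      </goals>
    </execution>
  </executions>
</plugin>
```

With this in place `mvn verify` runs the scan; `mvn org.owasp:dependency-check-maven:check` runs it on its own. The scan covers transitive dependencies as well, which matters for a release like this one where several of the patched libraries (Jetty, kotlin-stdlib, commons-io) are pulled in indirectly.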
Improvements
Menu items are now styled persistently so that they are not overridden by styling plugins.
Bug fixes
Update of configuration: when a config update failed, the update was unnecessarily run again from the Username From Header page.
Dependency updates
Dependency | Updated from version | Updated to version | Description |
---|---|---|---|
com.github.spotbugs:spotbugs-maven-plugin | 4.1.3 | 4.5.0.0 | Maven plugin wrapper for SpotBugs, used for static security analysis of source code |
com.github.spotbugs:spotbugs | 4.1.4 | 4.5.2 | Static analysis tool used for security analysis of source code |
com.google.guava:guava | 30.0-jre | 31.0.1-jre | |
org.slf4j:slf4j-log4j12 | 1.7.22 | 1.7.32 | Logging framework |
org.slf4j:slf4j-api | 1.7.22 | 1.7.32 | Logging framework |
org.eclipse.jetty:jetty-server | 9.4.35.v20201120 | 9.4.44.v20210927 | |
org.eclipse.jetty:jetty-servlet | 9.4.35.v20201120 | 9.4.44.v20210927 | |
com.squareup.okhttp3:okhttp | 4.9.1 | 4.9.3 | Library used to handle HTTP requests in OIDC |
org.jetbrains.kotlin:kotlin-stdlib | 1.4.10 | 1.6.10 | Library used by okhttp for its HTTP components |
org.json:json | 20180813 | 20210307 | Library used for managing JSON objects |
org.apache.commons:commons-lang | 2.x | org.apache.commons:commons-lang3@3.12.0 | Previously a provided dependency with known vulnerabilities, now pulled in explicitly as commons-lang3 |
commons-io | [2.0, 2.4] | 2.11 | Vulnerabilities patched. See the table under Security vulnerabilities fixed in update for details |
commons-codec:commons-codec | 1.10 | 1.15 | Vulnerabilities patched. See the table under Security vulnerabilities fixed in update for details |
org.opensaml:opensaml-saml-impl | 3.4.5 | 3.4.6 | Updated to the latest version compatible with a Java 8 environment |
Security vulnerabilities fixed in update
This section lists the updated libraries whose known vulnerabilities are fixed by this update, with CVE/CWE references and a short description of each.
Vulnerability | Vulnerable dependency | Fix update | Patched in 5.3.2 | Description |
---|---|---|---|---|
CVE-2021-29425 | commons-io@[2.0, 2.4] | commons-io@2.11 | Patched | Updated dependency from both transitive libraries and |
CWE-200 CVE-2020-13956 | commons-codec:commons-codec@1.10 | commons-codec:commons-codec@1.15 | Patched | Vulnerabilities were fixed in 1.13; we updated to 1.15. |
CVE-2020-9488 | log4j 1.2.17 | N/A | Not patched by this update | Log4j is provided by the Atlassian host system as the Atlassian-managed fork of Log4j. We perform all our logging through the Slf4j framework, leaving the log4j API version to the host system. This will have to be addressed by Atlassian. |
CVE-2020-27223, CVE-2021-28163, CVE-2021-28165, CVE-2021-28169, CVE-2021-34428 | jetty-http-9.4.35.v20201120 | org.eclipse.jetty:jetty-server@9.4.44.v20210927 | Patched | |
CVE-2021-28165 | jetty-io-9.4.35.v20201120 | org.eclipse.jetty@9.4.44.v20210927 | Patched | |
CVE-2020-15824, CVE-2020-29582 | kotlin-stdlib-common@1.4.0 | org.jetbrains.kotlin:kotlin-stdlib@1.6.10 | Patched | |