This repository has been archived by the owner on Jul 6, 2022. It is now read-only.
== Version 0.19.12 ==
* Deprecated all classes with note that the library is obsolete. This is planned
to be the final release of java-u2flib-server.
== Version 0.19.11 ==
* Bumped Guava dependency to version [24.1.1,30) in response to CVE-2018-10237
== Version 0.19.10 ==
* Bumped Jackson dependency to version 2.11.0 in response to CVEs:
** CVE-2020-9546
** CVE-2020-10672
** CVE-2020-10969
** CVE-2020-11620
== Version 0.19.9 ==
* Bumped Jackson dependency to version 2.9.10.3 in response to CVE-2019-20330 and CVE-2020-8840
== Version 0.19.8 ==
* Bumped Jackson dependency to version 2.9.10.1 which has patched CVE-2019-16942
== Version 0.19.7 ==
* Bumped Jackson dependency to version 2.9.10 which has patched CVE-2019-16335, CVE-2019-14540
== Version 0.19.6 ==
* Bumped Jackson dependency to version 2.9.9.3 which fixes a regression in 2.9.9.2
== Version 0.19.5 ==
* Bumped Jackson dependency to version 2.9.9.2 which has patched CVE-2019-12814, CVE-2019-14439, CVE-2019-14379
== Version 0.19.4 ==
* Bumped Jackson dependency to version 2.9.9 which has patched CVE-2019-12086
== Version 0.19.3 ==
Bug fixes:
* Use BouncyCastle security provider explicitly
== Version 0.19.2 ==
* Bumped Jackson dependency version to 2.9.8 which has patched CVE-2018-19360, CVE-2018-19362 and CVE-2018-19361
== Version 0.19.1 ==
* Bumped Jackson dependency version to 2.9.7 which has patched CVE-2018-7489 and CVE-2017-7525
== Version 0.19.0 ==
Breaking changes:
* Overhauled exception hierarchy
** New exception class: `U2fCeremonyException`
** New exception class: `U2fRegistrationException extends U2fCeremonyException`
** New exception class: `U2fAuthenticationException extends U2fCeremonyException`
** The following exception classes now extend `U2fAuthenticationException`:
*** `DeviceCompromisedException`
*** `InvalidDeviceCounterException`
*** `NoEligableDevicesException`
*** `NoEligibleDevicesException`
** `U2fBadConfigurationException` is now a checked exception
** `U2fBadInputException` is now a checked exception, and is no longer thrown directly by the methods of `U2F`.
*** Methods of `U2F` now catch this exception and wrap it in a `U2fRegistrationException` or `U2fAuthenticationException`.
* `DeviceRegistration.getAttestationCertificate()` now returns `null` instead of throwing `NoSuchFieldException`
* `static ClientData.getString(JsonNode, String)` now throws `U2fBadInputException` instead of `NullPointerException`, and also when the returned field is not a `String` value
* Some `AssertionError`s and `IllegalArgumentException`s are now `U2fBadInputException`s instead
Improvements:
* `BouncyCastleCrypto` now throws more descriptive exceptions
Bug fixes:
* Improved error handling in client data input validation
** Thanks to Nicholas Wilson for the contribution, see https://github.com/Yubico/java-u2flib-server/pull/25
== Version 0.18.1 ==
* Lombok no longer leaks into runtime dependencies
== Version 0.18.0 ==
=== u2flib-server-core ===
Breaking changes:
* "Authenticate" renamed to "sign" everywhere in `u2flib-server-core`
** Class `AuthenticateRequest` renamed to `SignRequest`
** Class `AuthenticateRequestData` renamed to `SignRequestData`
** Class `AuthenticateResponse` renamed to `SignResponse`
** Method `Client.authenticate` renamed to `sign`
** Class `RawAuthenticateResponse` renamed to `RawSignResponse`
** Method `SoftKey.authenticate` renamed to `sign`
** Method `U2F.finishAuthentication` renamed to `finishSignature`
** Method `U2F.startAuthentication` renamed to `startSignature`
** Method `U2fPrimitives.finishAuthentication` renamed to `finishSignature`
** Method `U2fPrimitives.startAuthenticateion` renamed to `startSignature`
* Constants `AUTHENTICATE_TYP` and `REGISTER_TYPE` in `U2fPrimitives` are
now private
== Version 0.17.1 ==
* u2flib-server-attestation module now uses SLF4J logging instead of
`Throwable.printStackTrace`
== Version 0.17.0 ==
=== u2flib-server-core ===
Breaking changes:
* Field `RegisterRequestData.authenticateRequests: List<AuthenticateRequest>`
replaced by field `registeredKeys: List<RegisteredKey>`
Additions:
* Fields added to class `AuthenticateRequestData`:
** `challenge: String`
** `appId: String`
* New class `RegisteredKey`
* Field `appId: String` added to `RegisterRequestData`
=== u2flib-server-demo ===
* `u2f-api.js` upgraded from version 1.0 to 1.1
* JS calls in views updated to work with version 1.1 of the JS API
* All views except `loginIndex` and `registerIndex` are now rendered via
templates
* Navigation links added to all views
* Error feedback improved
== Version 0.13.1 (unreleased) ==
* Changed demo server URL to `localhost:8080`.
* Added the method `ClientData.getString` to get arbitrary clientData fields.
* Added u2flib-server-attestation for device attestation and metadata.
== Version 0.13.0 ==
* Added built-in support for multiple devices per user.
* Fixed demo server bug when running from jar. Thanks to axianx.