1.3.0

Version 1.3.x is a long term support release. Bug fix and security patch releases will be issued for 9 months following release. See more here.

New Features

• Enhance BBR backup and restore functionality
  • Backup and restore now works with non-local databases
  • Backup and restore now supports PostgreSQL 9.4 and MariaDB 10.1
  • Backup and restore respect configured settings for database TLS connection
  • Backup and restore works with multi-instance deployments
• Update API to allow static username to be set via BOSH manifest
• Enable regeneration of user type credentials

Dependency Updates

• Bumped OpenJDK from 1.8.0_131 to 1.8.0_141
• Bumped Spring Boot from 1.4.6 to 1.5.6

Bug Fixes

• Resolved BBR backup and restore failures in v1.2.0 due to package version incompatibility

Known Issues

• CredHub must be restarted after a BBR restore on a new installation. Before restarting the application, you will see an encryption key mismatch error.

---

Changes from v1.2.0

• Application commit log
• Release commit log

1.0.4

Dependency Updates

• Bumped OpenJDK from 1.8.0_131 to 1.8.0_141
• Bumped Spring Boot from 1.4.6 to 1.4.7

---

Changes from v1.0.3

• Application commit log
• Release commit log

1.2.0

Known Issues

• BBR backup and restore fails in v1.2.0 due to package version incompatibility. Please upgrade to 1.3.0 to resolve this issue.

Notices

• Credential names now must only contain alpha, numeric, forward slash, dash and underscore characters. Existing credentials with disallowed characters will remain accessible, but cannot be updated. The below scripts will identify any credentials in your environment with disallowed characters.

Mac and Linux

credhub find --output-json | jq -r '.credentials[].name' | grep -E '[^A-Za-z0-9\_\/\-]+'

Windows Powershell

.\credhub.exe f /output-json | jq -r credentials[].name | select-string -pattern "[^A-Za-z0-9\/_\-]+"

New Features

• Credential names now must contain only alpha, numeric, forward slash, dash and underscore characters
• Certificate generation now enforces maximum field lengths per x509 spec

Bug Fixes

• CVE-2017-8038 Interpolate endpoint was not appropriately respecting credential ACLs

---

Changes from v1.1.2

• Application commit log
• Release commit log

1.1.2

Bug fix

• Incorrect version displayed at /info endpoint

---

Changes from v1.1.1

• Application commit log (no change)
• Release commit log (no change)

NOTE: Release has been removed due to bug. Please use release version 1.2.0.

1.1.1

Bug Fix

• Fixed job template rendering error which affected bosh create-env deployments

---

Changes from v1.1.0

• Application commit log (no change)
• Release commit log

NOTE: Release has been removed due to bug. Please use release version 1.2.0.

1.1.0

Notices

• Users of Postgres databases must provide a valid tls_ca for their connection or disable TLS prior to deploying this version.
• The TLS CA of UAA must be provided in the manifest at authentication.uaa.ca_certs prior to deployment

New Features

• Mutual TLS is now supported for application authentication - more here
• ACL authorization is now supported for automation use-cases, such as the secure service credential architecture. This is currently disabled by default.
  • Supported authenticated identities
    • UAA password grant
    • UAA client credentials grant
    • Mutual TLS application
  • Supported credential operations
    • read
    • write
    • delete
    • read_acl
    • write_acl
• Multi-instance deployments are now supported
• Postgres database connections now support TLS (enabled by default)
• Tomcat chooses cipher suite order during TLS negotiation
• JVM max heap size is configurable via deployment manifest property
• Tomcat can now be configured to enable Java 7 supported CBC ciphers (disabled by default)
• Bouncy Castle updated from 1.52 to 1.57

---

Changes from v1.0.0

• Application commit log
• Release commit log

NOTE: Release has been removed due to bug. Please use release version 1.1.1.

1.0.3

Notices

• The TLS CA of UAA must be provided in the manifest at authentication.uaa.ca_certs prior to deployment

Bug fix

• Offline JWT token validation now verifies the issuer in addition to the signature (related to CVE-2017-8034). This fix was added defensively, but this should not impact the current use-case due to lack of multiple identity zones in the BOSH UAA instance.

---

Changes from v1.0.2

• Application commit log
• Release commit log

1.0.2

Bug fix

• The format of password credential generation parameters changed in version 0.6.0, causing data from versions 0.5.1 and prior to fail regeneration and encryption key rotation. This patch includes a fix to read both formats and unify to the preferred format for all new data.

New Features

• Ability to set stored CA by name for user-provided certificates

NOTE: This feature was added to ensure forward compatibility for data stored with 1.0.x releases. This is an additive change with low risk to affect existing functionality.

---

Changes from v1.0.1

• Application commit log
• Release commit log

0.7.1

Bug fix

• The format of password credential generation parameters changed in version 0.6.0, causing data from versions 0.5.1 and prior to fail regeneration and encryption key rotation.

If you have stored data from release 0.5.1 and prior, you must upgrade to 0.7.1 and perform encryption key rotation prior to upgrading to 0.8.0 or later.

---

Changes from v0.7.0

• Application commit log
• Release commit log

1.0.1

Bug fix

• Incorrect version displayed at /info endpoint

---

Changes from v1.0.0

• Application commit log (no change)
• Release commit log