Skip to content

uaa/36

You can find the source of this version on GitHub at cloudfoundry/uaa-release. It was created based on the commit d2572f86.

Release Notes

Updated to UAA Release 4.1.0

This is a security release addressing the following issues - CVE-2017-4991: UAA password reset vulnerability (high severity)

Known issue

Please note that Create Account flow causes infinite redirect loop. We are working on addressing this in a patch release soon.

Breaking Changes

Starting with UAA bosh release v35 the following ERB validations have been added for OAuth Clients: - redirect-uri is required if authorized-grant-types contains “authorization_code” or “implicit”. The redirect uri must be an absolute url and begin with http or https - secret is required if authorized-grant-types contains “authorization_code” or “password”. - scope is required if authorized-grant-types contains “authorization_code”, “implicit” or “password” - authorities is required if authorized-grant-types contains “client_credentials” - authorized-grant-types should contain at least one of the following values : “authorization_code”, “implicit”, “password” , “client_credentials”

Please ensure that your UAA bosh release yml is set up properly as deployment will not proceed without these changes.

Usage

You can reference this release in your deployment manifest from the releases section:

- name: "uaa"
  version: "36"
  url: "https://bosh.io/d/github.com/cloudfoundry/uaa-release?v=36"
  sha1: "bfa38fff664c4bbe1b5809d3635e40f1555dd89f"

Or upload it to your director with the upload-release command:

bosh upload-release --sha1 bfa38fff664c4bbe1b5809d3635e40f1555dd89f \
  "https://bosh.io/d/github.com/cloudfoundry/uaa-release?v=36"

Jobs

Packages