v1.24.0

@conjur-jenkins released this 10 Nov 17:02

[1.24.0] - 2025-11-10

Changed

  • Updated documentation to align with Conjur Enterprise name change to Secrets Manager. (CNJR-10965)

Security

  • Upgrade Rails to v7 (CNJR-11466)
  • Bumped rack to 2.2.19 to resolve CVE-2025-61770, CVE-2025-61771, CVE-2025-61772, CVE-2025-61919. CONJSE-2064, CONJSE-2065
  • Remove the policy factory API endpoints from the config/routes.rb file to prevent
    anyone from calling these endpoints and triggering the Marshal.load call. CONJSE-2038
  • Fix unsafe shell command executions. CONJSE-2039. CONJSE-2041-2046.
  • Remove vulnerable activestorage gem from the dependencies to address CVE-2025-24293. CONJSE-2050
  • Bump rexml gem to 3.4.2 to resolve CVE-2025-58767. CONJSE-2056
  • Remove the policy factory code. CONJSE-2047
  • Bump rack gem to 2.2.18 to resolve CVE-2025-59830. CONJSE-2058

Added

  • Added endpoint to retrieve last API key rotation timestamp. CNJR-11385
  • Added timestamp of the last API key rotation. CNJR-11384
  • Added extra context (policy ID and offending lines) for API error responses caused by policy updates. CNJR-2571
  • Added the list authenticators endpoint for the V2 APIs. CNJR-9137
  • Added the show authenticator endpoint for the V2 APIs. CNJR-9133
  • Added the ability to create authenticators through a V2 API endpoint. CNJR-9136
  • Added the enable authenticator endpoint for the V2 APIs. CNJR-9135
  • Dynamic secrets are now supported in the batch secret retrieval API. CNJR-9172
  • Added the delete authenticators endpoint for the V2 APIs. CNJR-9134
  • Added warning for annotation keys matching known policy attribute names. CNJR-9836

Changed

  • Changed count field in authenticators V2 batch retrieval endpoint to
    reflect the total count of objects in the DB rather than in the response.
    CNJR-9525

Fixed

  • Attempting to load a policy that references a non-existent resource now
    results in a 422 response, rather than a 404 error. CNJR-9122
  • Log a warning when Kubernetes authenticator certificate injection process log
    directory is not writable. CNJR-7070
  • Added Content-Length header for failure HTTP responses in which
    it was missing. CNJR-10332
  • Write operations for issuers now return HTTP 405 instead of HTTP 500. CNJR-10457
  • The inject client cert endpoint no longer caches enabled authenticators. CNJR-9540
  • Added support for reading resources with "configuration" kind. CNJR-10546