Bug 872904

Request update from Version 2.7 to Version 2.19

* Version 2.19 released 2012-07-05

  * Refactor database code, allowing for other underlying implementations
    than PDO. Add a PDO and an Oracle (through php_oci) implementation.
    Based on patch from Remi Mollon <remi.mollon>

  * Fix for ykval-export running on postgres.

  * Add resync.php to request new sync of public id.

  * Add munin plugin for statistics.

* Version 2.18 released 2012-06-15

  * Logging misstakes that broke 2.17 fixed.

* Version 2.17 released 2012-06-15

  * Logging improvements.
    use ykval-verify/ykval-sync correctly for whole flow
    clarify/degrade various logging messages

  * Fix mysql error introduced in 2.14, also logs
    database updated/not updated correctly.

  * Accept sync for disabled keys, but still answer BAD_OTP.

  * Remove from sync queue on BAD_OTP answer.

  * Add munin plugin for response types.

* Version 2.16 released 2012-06-13

  * Improved logging.

  * Improved performance of large sync queues.

* Version 2.15 released 2012-05-24

  * Add export/import scripts for clients table.

  * Insert default values in $sl and $timeout if they are empty.
    And they will be empty if the client didn't request them.

* Version 2.14 released 2012-05-22

  * Add support for reconnecting to database after errors.

  * Fixes for PHP warnings.

  * Detect timeouts and errors in munin checks.

* Version 2.13 released 2012-05-16

  * Fix signature checking broken in 2.12 and for dvorak OTPs.

  * Fixes for ykval-checksum-clients.php

* Version 2.12 released 2012-05-09

  * Fix using 'fast' or 'secure' as sync level.

  * Fix database setup script to make nonce max 40 characters.

* Version 2.11 released 2011-11-16

  * Silence PHP warnings. Patch from Hiroki Nose.

  * Include munin scripts in tarball. From Fredrik Thulin.

  * Support for DESTDIR in 'make install'. From Fredrik Thulin.

  * Reorder include's to allow for dbi-settings through
    ykval-config.php. From Fredrik Thulin.

  * Install non-bin PHP files with --mode 644 to avoid executable bit.
    From Fredrik Thulin.

  * Fix two remaining non-portable uses of rowCount.

* Version 2.10 released 2011-08-18

  * Don't echo (unsanitized) OTP/NONCE values back to client when
    sending error codes. Reported by Paul van Empelen.

    Resolving this problem protects (arguably buggy) clients against
    an attack. Prior versions of the Yubico C and PHP clients do not
    appear to exhibit this bug. We provide an analysis of the issue
    below so that you can review client implementations for the
    problem. Note that you do not have to fix clients if you are
    using this server version (or later), although we recommend it
    anyway.

    If the client sends a OTP value that ends with '%0astatus=OK' the
    server output will contain a line 'status=ok' before the real
    status code status=MISSING_PARAMETER. Note lower-casing of the
    injected status code, so that it doesn't match a correct
    'status=OK' response. Note also that the OTP value would fail
    normal input validation checks in the client.

    If the client sends a NONCE value that ends with '%0astatus=OK'
    the output will contain a line consisting of 'status=OK' before
    the correct status=MISSING_PARAMETER. However, the NONCE value is
    generated by client code internally and does not come from any
    untrusted source, thus the impact here is limited -- if an
    attacker is able to trick a client into sending a crafted NONCE
    value the attacker is normally able to modify the client code
    somehow, and can thus trick the client in other ways as well.
    Similar issues apply to the ID field, which is normally also under
    control of the trusted client code and not something an attacker
    could influence.

    Thus, this server-side fix solve a client-side issue that we
    believe would only occur when both of these conditions are true:

    1) the client does not do proper input validation of the OTP, and
    2) the client incorrectly parses 'status=ok' as 'status=OK'.

    or when the following condition is true

    A) the client can be tricked into sending a crafted NONCE or ID
    value.

* Version 2.9 released 2011-05-09

  * Support multiple IP authorizations in ykval-revoke.php.

* Version 2.8 released 2011-01-06

  * Support YubiKey OTPs filtered through a US Dvorak keyboard layout.

  * Added ykval_-vallatency Munin probe to measure latency to other
    validation instances, for both IPv4 and IPv6.

yubikey-val-2.39-4.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-2959d9b6dd

yubikey-val-2.39-4.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-b94a2cd176

yubikey-val-2.39-4.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-2959d9b6dd

yubikey-val-2.39-4.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-b94a2cd176

yubikey-val-2.39-4.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

yubikey-val-2.39-4.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.