release: github.com/cloudfoundry/uaa-release / 36

GitHub source: d2572f86 or master branch

Updated to UAA Release 4.1.0

This is a security release addressing the following issues:

- CVE-2017-4991: UAA password reset vulnerability (high severity)

Known issue

Please note that the Create Account flow causes an infinite redirect loop. We are working on addressing this in a patch release soon.

Breaking Changes

Starting with UAA bosh release v35 the following ERB validations have been added for OAuth Clients:

- redirect-uri is required if authorized-grant-types contains “authorization_code” or “implicit”. The redirect uri must be an absolute url and begin with http or https.
- secret is required if authorized-grant-types contains “authorization_code” or “password”.
- scope is required if authorized-grant-types contains “authorization_code”, “implicit” or “password”.
- authorities is required if authorized-grant-types contains “client_credentials”.
- authorized-grant-types should contain at least one of the following values: “authorization_code”, “implicit”, “password”, “client_credentials”.

Please ensure that your UAA bosh release yml is set up properly as deployment will not proceed without these changes.
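
The validations listed above can be checked against client definitions before a deploy is attempted. The following Ruby check is an added example, not the release's own ERB code; it assumes clients are given as a hash of client name to properties and that list-valued properties are comma-separated strings or arrays. The helper names and the sample clients are constructed for illustration.

```ruby
# Added example: pre-deploy check of OAuth clients (not uaa-release code).
require "uri"
KNOWN_GRANTS = %w[authorization_code implicit password client_credentials].freeze

# Assumption: list-valued properties are comma-separated strings or arrays.
def list(value)
  Array(value).flat_map { |v| v.to_s.split(",") }.map(&:strip).reject(&:empty?)
end

# True only for absolute URLs whose scheme is http or https.
def absolute_http_url?(uri)
  parsed = URI.parse(uri)
  %w[http https].include?(parsed.scheme) && !parsed.host.to_s.empty?
rescue URI::InvalidURIError
  false
end

# Returns an array of error strings for one client (empty when valid).
def validate_client(name, props)
  grants = list(props["authorized-grant-types"])
  errors = []
  need = lambda do |key, triggers|
    hit = grants & triggers
    errors << "#{name}: #{key} is required for #{hit.join(', ')}" if hit.any? && list(props[key]).empty?
  end
  errors << "#{name}: authorized-grant-types needs one of #{KNOWN_GRANTS.join(', ')}" if (grants & KNOWN_GRANTS).empty?
  need.call("redirect-uri", %w[authorization_code implicit])
  need.call("secret", %w[authorization_code password])
  need.call("scope", %w[authorization_code implicit password])
  need.call("authorities", %w[client_credentials])
  # Any redirect-uri that is present is checked, whether or not it is required.
  list(props["redirect-uri"]).each do |uri|
    errors << "#{name}: redirect-uri #{uri} must be an absolute http(s) URL" unless absolute_http_url?(uri)
  end
  errors
end

def validate_clients(clients)
  clients.flat_map { |name, props| validate_client(name, props || {}) }
end

# Constructed sample input, not taken from a real deployment.
SAMPLE_CLIENTS = {
  "portal" => { "authorized-grant-types" => "authorization_code,refresh_token", "scope" => "openid",
                "redirect-uri" => "https://portal.example.com/callback", "secret" => "placeholder" },
  "batch" => { "authorized-grant-types" => "client_credentials" },
  "spa" => { "authorized-grant-types" => "implicit", "scope" => "openid", "redirect-uri" => "/relative/path" }
}.freeze
puts validate_clients(SAMPLE_CLIENTS) if __FILE__ == $PROGRAM_NAME
```
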

Upload this release version to the Director:

$ bosh upload-release "https://bosh.io/d/github.com/cloudfoundry/uaa-release?v=36" --sha1 bfa38fff664c4bbe1b5809d3635e40f1555dd89f

Modify deployment manifest to use this release in addition to any other used releases:

releases:
- name: uaa
  version: "36"

Finally add needed deployment jobs and specify values for required properties.

Optionally, download the release tarball (sha1: bfa38fff664c4bbe1b5809d3635e40f1555dd89f) locally:

# ...or download it directly using curl
$ curl -L -J -O "https://bosh.io/d/github.com/cloudfoundry/uaa-release?v=36"

# or with wget...
$ wget --content-disposition "https://bosh.io/d/github.com/cloudfoundry/uaa-release?v=36"