Today's update (b36b08a) brings with it the following changes:
Security issues
- Added audit messages for the following security events:
  - Login success/failure
  - E-portal authentication callback
  - User impersonation
  - User created/modified/deleted
  - User accessed (profile page viewed)
  - Credential modified
  - Credential recovery
  - Group membership modified
  - Institution membership modified
  - Role modified
- A programming error in the reset_pw request handler made it possible to modify the password of any user without knowing the correct reset token. This issue has been improved further since the hotfix.
- Changed behavior to not remove existing reset tokens when creating a new one. This avoids a potential denial-of-service attack vector in the reset password feature.
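As an added illustration of the two reset-password fixes above (example code, not the project's own): the handler changes a password only for an unexpired token that was issued to the named user, and issuing a new token leaves earlier ones valid instead of revoking them. The in-memory stores, function names and the 15-minute token lifetime are assumptions.

```python
import hashlib
import secrets
import time

# Constructed in-memory stores standing in for the application's user and
# reset-token tables (sample data, not the project's schema).
USERS = {"alice": {"password_hash": "old-hash"}}
_TOKENS = {}  # sha256(token) -> (username, expires_at); many live tokens per user
TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime


def _digest(token):
    # Store and look up only a hash of the token, so a leaked table does not
    # yield usable tokens and the lookup does not depend on token contents.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def create_reset_token(username, now=None):
    """Issue a new reset token. Earlier tokens for the same user are left in
    place until they expire or are used, so repeatedly requesting resets
    cannot invalidate the link the legitimate user is about to use."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _TOKENS[_digest(token)] = (username, now + TOKEN_TTL_SECONDS)
    return token


def reset_pw(username, token, new_password_hash, now=None):
    """Request handler: change the password only when the supplied token is
    unexpired AND was issued for the named user. Returns True on success."""
    now = time.time() if now is None else now
    key = _digest(token)
    entry = _TOKENS.get(key)
    if entry is None:
        return False  # unknown token: nothing is modified
    owner, expires_at = entry
    if now >= expires_at:
        del _TOKENS[key]  # expired tokens are discarded when seen
        return False
    if owner != username:
        return False  # real token, but not for this account: leave it intact
    del _TOKENS[key]  # single use
    USERS[username]["password_hash"] = new_password_hash
    return True
```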
- When logging in as a new user while already logged in, a login failure will now log out the existing session.
- Upgraded to Perl 5.34.1 to fix security issues in Archive::Tar and Compress::Raw::Zlib.
- Updated to cpanm 1.7045 to address the issue with CHECKSUMS file validation during CPAN package installation.
Performance improvements
- Started using the new e-portal health check endpoint to determine whether the API is available.
New features
- Changed the Nginx web server from the FastCGI protocol to HTTP for reverse-proxying to the web application server. The web application server now uses the standard PSGI/Plack runtime. Static file serving is now also supported directly in the web application server.
- Added test infrastructure to run NATS server and fully validate audit events.
Enhancements
- Changed CPAN dependency manager from Pinto to Carton.
- Now uses upstream versions of perlbrew and cpanm directly, allowing for easier upgrades.
- Simplified the code to support the explain template function.
Bugfixes
Feature removals / deprecations
- Removed support for FastCGI protocol for reverse-proxying. We use plain HTTP now, via PSGI.
- Removed Pinto; all CPAN packages are now taken directly from upstream.
- Stopped using Module::Build for running the test suite.