Releases: himmelblau-idm/himmelblau

0.7.15

23 Jan 15:35
7a70a0b

Impact

A vulnerability was identified in Himmelblau versions 0.7.0 through 0.8.2:

  1. Logon Compliance Script Issue: When debug logging is enabled, user access tokens are inadvertently logged, potentially exposing sensitive authentication data.

The issue poses a risk of exposing sensitive credentials, particularly in environments where debug logging is enabled.

Patches

The vulnerability has been addressed in Himmelblau version 0.7.15. All users are strongly encouraged to update to this version.

Workarounds

Users unable to update immediately can apply the following mitigations:

  1. For the logon compliance script issue, disable the logon_script option in /etc/himmelblau/himmelblau.conf:
    logon_script = 
    Ensure the debug option in the same configuration file is set to false:
    debug = false
    Additionally, avoid using the -d flag when starting the himmelblaud daemon.
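As an added check for the workaround above (this script is not part of the release notes or the Himmelblau project), the POSIX shell audit below reads a himmelblau.conf and reports whether logon_script is still set or debug is still true. It assumes the file uses plain key = value lines; the two sample configs are constructed here for the demo run.

```shell
#!/bin/sh
# Added audit for the 0.7.15 workaround: logon_script must be empty or
# unset and debug must not be true. Assumes plain "key = value" lines
# (the config's [section] headers and # comments are skipped).

# Print the effective value of a key (last occurrence wins), with any
# trailing comment and whitespace stripped; prints nothing if absent.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//' \
        | tail -n 1
}

# Report each setting that still exposes tokens; return 1 if any found.
audit_himmelblau_conf() {
    rc=0
    script=$(conf_value "$1" logon_script)
    if [ -n "$script" ]; then
        echo "FINDING: logon_script = $script (clear it until 0.7.15 is installed)"
        rc=1
    fi
    dbg=$(conf_value "$1" debug)
    case "$dbg" in
        [Tt][Rr][Uu][Ee])
            echo "FINDING: debug = $dbg (access tokens will be written to the log)"
            rc=1 ;;
    esac
    return $rc
}

# Constructed sample configs (not shipped by the project) for a demo run.
vuln_conf=$(mktemp) && fixed_conf=$(mktemp)
trap 'rm -f "$vuln_conf" "$fixed_conf"' EXIT
cat > "$vuln_conf" <<'EOF'
[global]
domains = example.com
debug = true   # left on after troubleshooting
logon_script = /usr/local/sbin/compliance.sh
EOF
cat > "$fixed_conf" <<'EOF'
[global]
domains = example.com
debug = false
logon_script =
EOF

for f in "$vuln_conf" "$fixed_conf"; do
    audit_himmelblau_conf "$f" && echo "$f: workaround in place"
done
```

Run it against the real /etc/himmelblau/himmelblau.conf in place of the sample paths; a non-zero exit means at least one of the two settings still needs changing.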

References

0.8.2

08 Jan 22:40
553c632

What's Changed

  • Stable 0.8.x Entra Id no longer permits SFA enrollment by @dmulder in #339

Full Changelog: 0.8.1...0.8.2

0.8.1

08 Jan 17:25
c689c7b

What's Changed

  • Stable 0.8.x Rewrite the sso code in Rust by @dmulder in #337

Full Changelog: 0.8.0...0.8.1

0.8.0

19 Dec 22:14

What's Changed

New Contributors

  • @mw-a made their first contribution in #323

Full Changelog: 0.7.14...0.8.0

0.7.14

18 Dec 17:46
a54af23

What's Changed

  • Stable 0.7.x fedora build deps by @dmulder in #326
  • Stable 0.7.x Fix Multi Domain support not working by @dmulder in #330

Full Changelog: 0.7.12...0.7.14

0.7.12

11 Dec 22:34
12a0361

What's Changed

  • Stable 0.7.x multi-domain backports by @dmulder in #317
  • Stable 0.7.x Hello Pin changes via passwd command by @dmulder in #321
  • Stable 0.7.x Add Debian 12 packaging by @dmulder in #324

Full Changelog: 0.7.9...0.7.12

0.7.9

05 Dec 14:14
93655d2

What's Changed

Full Changelog: 0.7.7...0.7.9

0.7.7

02 Dec 16:35
b48d0bb

What's Changed

  • Remove the org.samba.himmelblau dbus service by @dmulder in #302
  • Enable module for utf8proc-devel in Rocky8 by @dmulder in #303
  • Fix CVE-2024-11738: rustls network-reachable panic in Acceptor::accept by @dmulder in #307

This version addresses a vulnerability described in GHSA-8339-5m7v-j33j.

Full Changelog: 0.7.4...0.7.7

0.6.16

02 Dec 17:12
c730a21

What's Changed

  • Fix CVE-2024-11738: rustls network-reachable panic in Acceptor::accept by @dmulder in #308

This version addresses a vulnerability described in GHSA-8339-5m7v-j33j.

Full Changelog: 0.6.15...0.6.16

0.7.4

25 Nov 17:04
d1291c6

What's Changed

Full Changelog: 0.7.3...0.7.4