X-Git-Url: https://git.proxmox.com/?a=blobdiff_plain;f=debian%2Fchangelog;h=26b813f92f27d67ee8a5ad208c19c7593c022a99;hb=26dde491047118b8c168aeb6b55d9e0ebd9ef588;hp=85152cc5b0ecbbe31d755b65b1c5d1d87b370b81;hpb=4473c96caf4cd849c22e23ec77dd59eec324b92b;p=pve-access-control.git diff --git a/debian/changelog b/debian/changelog index 85152cc..26b813f 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,306 @@ +libpve-access-control (7.2-3) bullseye; urgency=medium + + * api: token: use userid-group as API perm check to avoid being overly + strict through a misguided use of user id for non-root users. + + * perm check: forbid undefined/empty ACL path for future proofing of against + above issue + + -- Proxmox Support Team Mon, 20 Jun 2022 15:51:14 +0200 + +libpve-access-control (7.2-2) bullseye; urgency=medium + + * permissions: merge propagation flag for multiple roles on a path that + share privilege in a deterministic way, to avoid that it gets lost + depending on perl's random sort, which would result in returing less + privileges than an auth-id actually had. + + * permissions: avoid that token and user privilege intersection is to strict + for user permissions that have propagation disabled. + + -- Proxmox Support Team Fri, 03 Jun 2022 14:02:30 +0200 + +libpve-access-control (7.2-1) bullseye; urgency=medium + + * user check: fix expiration/enable order + + -- Proxmox Support Team Tue, 31 May 2022 13:43:37 +0200 + +libpve-access-control (7.1-8) bullseye; urgency=medium + + * fix #3668: realm-sync: replace 'full' & 'purge' with 'remove- + vanished' + + -- Proxmox Support Team Thu, 28 Apr 2022 17:02:46 +0200 + +libpve-access-control (7.1-7) bullseye; urgency=medium + + * userid-group check: distinguish create and update + + * api: get user: declare token schema + + -- Proxmox Support Team Mon, 21 Mar 2022 16:15:23 +0100 + +libpve-access-control (7.1-6) bullseye; urgency=medium + + * fix #3768: warn on bad u2f or webauthn settings + + * tfa: when modifying others, verify the current user's password + + * tfa list: account for admin permissions + + * fix realm sync permissions + + * fix token permission display bug + + * include SDN permissions in permission tree + + -- Proxmox Support Team Fri, 21 Jan 2022 14:20:42 +0100 + +libpve-access-control (7.1-5) bullseye; urgency=medium + + * openid: fix username-claim fallback + + -- Proxmox Support Team Thu, 
25 Nov 2021 07:57:38 +0100 + +libpve-access-control (7.1-4) bullseye; urgency=medium + + * set current origin in the webauthn config if no fixed origin was + configured, to support webauthn via subdomains + + -- Proxmox Support Team Mon, 22 Nov 2021 14:04:06 +0100 + +libpve-access-control (7.1-3) bullseye; urgency=medium + + * openid: allow arbitrary username-claims + + * openid: support configuring the prompt, scopes and ACR values + + -- Proxmox Support Team Fri, 19 Nov 2021 08:11:52 +0100 + +libpve-access-control (7.1-2) bullseye; urgency=medium + + * catch incompatible tfa entries with a nice error + + -- Proxmox Support Team Wed, 17 Nov 2021 13:44:45 +0100 + +libpve-access-control (7.1-1) bullseye; urgency=medium + + * tfa: map HTTP 404 error in get_tfa_entry correctly + + -- Proxmox Support Team Mon, 15 Nov 2021 15:33:22 +0100 + +libpve-access-control (7.0-7) bullseye; urgency=medium + + * fix #3513: pass configured proxy to OpenID + + * use rust based parser for TFA config + + * use PBS-like auth api call flow, + + * merge old user.cfg keys to tfa config when adding entries + + * implement version checks for new tfa config writer to ensure all + cluster nodes are ready to avoid login issues + + * tickets: add tunnel ticket + + -- Proxmox Support Team Thu, 11 Nov 2021 18:17:49 +0100 + +libpve-access-control (7.0-6) bullseye; urgency=medium + + * fix regression in user deletion when realm does not enforce TFA + + -- Proxmox Support Team Thu, 21 Oct 2021 12:28:52 +0200 + +libpve-access-control (7.0-5) bullseye; urgency=medium + + * acl: check path: add /sdn/vnets/* path + + * fix #2302: allow deletion of users when realm enforces TFA + + * api: delete user: disable user first to avoid surprise on error during the + various cleanup action required for user deletion (e.g., TFA, ACL, group) + + -- Proxmox Support Team Mon, 27 Sep 2021 15:50:47 +0200 + +libpve-access-control (7.0-4) bullseye; urgency=medium + + * realm: add OpenID configuration + + * api: implement 
OpenID related endpoints + + * implement opt-in OpenID autocreate user feature + + * api: user: add 'realm-type' to user list response + + -- Proxmox Support Team Fri, 02 Jul 2021 13:45:46 +0200 + +libpve-access-control (7.0-3) bullseye; urgency=medium + + * api: acl: add missing `/access/realm/`, `/access/group/` and + `/sdn/zones/` to allowed ACL paths + + -- Proxmox Support Team Mon, 21 Jun 2021 10:31:19 +0200 + +libpve-access-control (7.0-2) bullseye; urgency=medium + + * fix #3402: add Pool.Audit privilege - custom roles containing + Pool.Allocate must be updated to include the new privilege. + + -- Proxmox Support Team Tue, 1 Jun 2021 11:28:38 +0200 + +libpve-access-control (7.0-1) bullseye; urgency=medium + + * re-build for Debian 11 Bullseye based releases + + -- Proxmox Support Team Sun, 09 May 2021 18:18:23 +0200 + +libpve-access-control (6.4-1) pve; urgency=medium + + * fix #1670: change PAM service name to project specific name + + * fix #1500: permission path syntax check for access control + + * pveum: add resource pool CLI commands + + -- Proxmox Support Team Sat, 24 Apr 2021 19:48:21 +0200 + +libpve-access-control (6.1-3) pve; urgency=medium + + * partially fix #2825: authkey: rotate if it was generated in the + future + + * fix #2947: add an option to LDAP or AD realm to switch user lookup to case + insensitive + + -- Proxmox Support Team Tue, 29 Sep 2020 08:54:13 +0200 + +libpve-access-control (6.1-2) pve; urgency=medium + + * also check SDN permission path when computing coarse permissions heuristic + for UIs + + * add SDN Permissions.Modify + + * add VM.Config.Cloudinit + + -- Proxmox Support Team Tue, 30 Jun 2020 13:06:56 +0200 + +libpve-access-control (6.1-1) pve; urgency=medium + + * pveum: add tfa delete subcommand for deleting user-TFA + + * LDAP: don't complain about missing credentials on realm removal + + * LDAP: skip anonymous bind when client certificate and key is configured + + -- Proxmox Support Team Fri, 08 May 2020 17:47:41 +0200 
+ +libpve-access-control (6.0-7) pve; urgency=medium + + * fix #2575: die when trying to edit built-in roles + + * add realm sub commands to pveum CLI tool + + * api: domains: add user group sync API endpoint + + * allow one to sync and import users and groups from LDAP/AD based realms + + * realm: add default-sync-options to config for more convenient sync configuration + + * api: token create: return also full token id for convenience + + -- Proxmox Support Team Sat, 25 Apr 2020 19:35:17 +0200 + +libpve-access-control (6.0-6) pve; urgency=medium + + * API: add group members to group index + + * implement API token support and management + + * pveum: add 'pveum user token add/update/remove/list' + + * pveum: add permissions sub-commands + + * API: add 'permissions' API endpoint + + * user.cfg: skip inexisting roles when parsing ACLs + + -- Proxmox Support Team Wed, 29 Jan 2020 10:17:27 +0100 + +libpve-access-control (6.0-5) pve; urgency=medium + + * pveum: add list command for users, groups, ACLs and roles + + * add initial permissions for experimental SDN integration + + -- Proxmox Support Team Tue, 26 Nov 2019 17:56:37 +0100 + +libpve-access-control (6.0-4) pve; urgency=medium + + * ticket: use clinfo to get cluster name + + * ldaps: add sslversion configuration property to support TLS 1.1 to 1.3 as + SSL version + + -- Proxmox Support Team Mon, 18 Nov 2019 11:55:11 +0100 + +libpve-access-control (6.0-3) pve; urgency=medium + + * fix #2433: increase possible TFA secret length + + * parse user configuration: correctly parse group names in ACLs, for users + which begin their name with an @ + + * sort user.cfg entries alphabetically + + -- Proxmox Support Team Tue, 29 Oct 2019 08:52:23 +0100 + +libpve-access-control (6.0-2) pve; urgency=medium + + * improve CSRF verification compatibility with newer PVE + + -- Proxmox Support Team Wed, 26 Jun 2019 20:24:35 +0200 + +libpve-access-control (6.0-1) pve; urgency=medium + + * ticket: properly verify exactly 5 minute old 
tickets + + * use hmac_sha256 instead of sha1 for CSRF token generation + + -- Proxmox Support Team Mon, 24 Jun 2019 18:14:45 +0200 + +libpve-access-control (6.0-0+1) pve; urgency=medium + + * bump for Debian buster + + * fix #2079: add periodic auth key rotation + + -- Proxmox Support Team Tue, 21 May 2019 21:31:15 +0200 + +libpve-access-control (5.1-10) unstable; urgency=medium + + * add /access/user/{id}/tfa api call to get tfa types + + -- Proxmox Support Team Wed, 15 May 2019 16:21:10 +0200 + +libpve-access-control (5.1-9) unstable; urgency=medium + + * store the tfa type in user.cfg allowing to get it without proxying the call + to a higher privileged daemon. + + * tfa: realm required TFA should lock out users without TFA configured, as it + was done before Proxmox VE 5.4 + + -- Proxmox Support Team Tue, 30 Apr 2019 14:01:00 +0000 + +libpve-access-control (5.1-8) unstable; urgency=medium + + * U2F: ensure we save correct public key on registration + + -- Proxmox Support Team Tue, 09 Apr 2019 12:47:12 +0200 + libpve-access-control (5.1-7) unstable; urgency=medium * verify_ticket: allow general non-challenge tfa to be run as two step @@ -371,7 +674,7 @@ libpve-access-control (3.0-4) unstable; urgency=low libpve-access-control (3.0-3) unstable; urgency=low - * Add new role PVETemplateUser (and VM.Clone priviledge) + * Add new role PVETemplateUser (and VM.Clone privilege) -- Proxmox Support Team Mon, 29 Apr 2013 11:42:15 +0200 @@ -438,7 +741,7 @@ libpve-access-control (1.0-19) unstable; urgency=low libpve-access-control (1.0-18) unstable; urgency=low - * fix bug #151: corretly parse username inside ticket + * fix bug #151: correctly parse username inside ticket * fix bug #152: allow user to change his own password 
@@ -533,7 +836,7 @@ libpve-access-control (1.0-4) unstable; urgency=low libpve-access-control (1.0-3) unstable; urgency=low * add support for delayed parameter parsing - We need that to disable - file upload for normal API request (avoid DOS attacs) + file upload for normal API request (avoid DOS attacks) -- Proxmox Support Team Fri, 02 Dec 2011 09:56:10 +0100
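Review bot: The entries added in the first hunk (@@ -1,3 +1,306 @@) contain spelling and grammar slips of the same kind the later hunks correct in old entries: "returing" and "is to strict" in 7.2-2, "for future proofing of against above issue" in 7.2-3, and a dangling comma after "use PBS-like auth api call flow," in 7.0-7. Suggest "returning", "too strict", "for future proofing against the above issue", and dropping the comma. The 7.2-2 and 7.2-3 entries describe changes to permission and ACL path checks, so their wording is the part most worth getting exact.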
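Review bot: In the last hunk (@@ -533,7 +836,7 @@) the corrected line still reads "file upload for normal API request (avoid DOS attacks)". While this line is being touched, "request" could become "requests" and "DOS" the conventional "DoS", so the entry clearly refers to denial of service.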