X-Git-Url: https://git.proxmox.com/?p=pve-access-control.git;a=blobdiff_plain;f=debian%2Fchangelog;h=29fd7cb286fcebb67a67d6da8293dbf8be7a8e1c;hp=d6f2189241782bb4094e450a20fa8857b4a339e1;hb=HEAD;hpb=b8a52eac77bf3e43d83a7af8c9cf98b06a280a8e diff --git a/debian/changelog b/debian/changelog index d6f2189..cb0e71c 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,80 @@ +libpve-access-control (8.1.4) bookworm; urgency=medium + + * fix #5335: sort ACL entries in user.cfg to make it easier to track changes + + -- Proxmox Support Team Mon, 22 Apr 2024 13:45:22 +0200 + +libpve-access-control (8.1.3) bookworm; urgency=medium + + * user: password change: require confirmation-password parameter so that + anybody gaining local or physical access to a device where a user is + logged in on a Proxmox VE web-interface cannot give them more permanent + access or deny the actual user accessing their account by changing the + password. Note that such an attack scenario means that the attacker + already has high privileges and can already control the resource + completely through another attack. + Such initial attacks (like stealing an unlocked device) are almost always + are outside of the control of our projects. Still, hardening the API a bit + by requiring a confirmation of the original password is to cheap to + implement to not do so. + + * jobs: realm sync: fix scheduled LDAP syncs not applying all attributes, + like comments, correctly + + -- Proxmox Support Team Fri, 22 Mar 2024 14:14:36 +0100 + +libpve-access-control (8.1.2) bookworm; urgency=medium + + * add Sys.AccessNetwork privilege + + -- Proxmox Support Team Wed, 28 Feb 2024 15:42:12 +0100 + +libpve-access-control (8.1.1) bookworm; urgency=medium + + * LDAP sync: fix-up assembling valid attribute set + + -- Proxmox Support Team Thu, 08 Feb 2024 19:03:26 +0100 + +libpve-access-control (8.1.0) bookworm; urgency=medium + + * api: user: limit the legacy user-keys option to the depreacated values + that could be set in the first limited TFA system, like e.g., 'x!yubico' + or base32 encoded secrets. + + * oidc: enforce generic URI regex for the ACR value to align with OIDC + specifications and with Proxmox Backup Server, which was recently changed + to actually be less strict. 
+ + * LDAP sync: improve validation of synced attributes, closely limit the + mapped attributes names and their values to avoid glitches through odd + LDIF entries. + + * api: user: limit maximum length for first & last name to 1024 characters, + email to 254 characters (the maximum actually useable in practice) and + comment properties to 2048 characters. This avoid that a few single users + bloat the user.cfg to much by mistake, reducing the total amount of users + and ACLs that can be set up. Note that only users with User.Modify and + realm syncs (setup by admins) can change these in the first place, so this + is mostly to avoid mishaps and just to be sure. + + -- Proxmox Support Team Thu, 08 Feb 2024 17:50:59 +0100 + +libpve-access-control (8.0.7) bookworm; urgency=medium + + * fix #1148: allow up to three levels of pool nesting + + * pools: record parent/subpool information + + -- Proxmox Support Team Mon, 20 Nov 2023 12:24:13 +0100 + +libpve-access-control (8.0.6) bookworm; urgency=medium + + * perms: fix wrong /pools entry in default set of ACL paths + + * acl: add missing SDN ACL paths to allowed list + + -- Proxmox Support Team Fri, 17 Nov 2023 08:27:11 +0100 + libpve-access-control (8.0.5) bookworm; urgency=medium * fix an issue where setting ldap passwords would refuse to work unless
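Review bot: The 8.1.3 entry makes confirmation-password a required parameter of the password-change call but does not say that this changes behaviour for existing API clients and scripts; one sentence stating that callers must now send the current password alongside the new one would make the impact clear to anyone reading the changelog before upgrading. The same entry has wording slips that will ship in the package: "are almost always are outside" repeats "are", and "is to cheap to implement" should read "too cheap". In 8.1.0, "depreacated" should be "deprecated", "This avoid that" should be "This avoids that", and "to much" should be "too much". The 8.1.0 LDAP sync entry says mapped attribute names and values are now closely limited without naming what is accepted; a pointer to where the allowed set is documented would let admins check their existing sync mappings against it.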