Releases: secretin/secretin-server
Security improvement
After fixing the most urgent vulnerability in the previous release, here is another round of security fixes.
Small breaking change on the change-password route
This route now requires the hash of the old password before the password can be changed.
The server now supports a separate key for signature validation.
Using the same key for both signing and encryption is not best practice; this has been fixed in the lib (secretin/secretin-lib#58) and is now supported by the server.
Rescue codes are now protected from the server
The rescue codes you can use if you forget or lose your TOTP device were generated on the server and stored in clear text.
They are now generated by the client and XORed with the hash of the password, so the server cannot recover them.
They are also longer, so harder to brute-force.
Fix keys assignment vulnerability
Following the Lexfo audit for CSPN
A vulnerability was identified that allowed a malicious user who knows a secret id to create a new user whose keys
attribute is already filled with write permission on that secret.
It does not compromise confidentiality, but the server would then let the malicious user perform write operations, leading to the loss of the secret.
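The problem and the check that closes it, as an added example written for this page against a hypothetical in-memory user store (not secretin-server's data model or code; the `keys` shape, the right levels READ/WRITE/SHARE and every function name are assumptions). The vulnerable path stores whatever `keys` the creator sent; the fixed path refuses any keys at creation time, so a key can only be granted later by someone who already holds share rights on the secret.

```javascript
// Added example (not secretin's own code): hypothetical user store showing the
// pre-filled `keys` problem and the server-side check that closes it.
const READ = 0;   // hypothetical right levels
const WRITE = 1;
const SHARE = 2;

function newDb() {
  return { users: {}, secrets: {} };
}

// Vulnerable: whatever `keys` the creator sends is stored as-is, so a caller who
// knows a secret id can create a user that already holds WRITE on it.
function createUserVulnerable(db, payload) {
  if (db.users[payload.username]) throw new Error('user exists');
  db.users[payload.username] = { publicKey: payload.publicKey, keys: payload.keys || {} };
  return db.users[payload.username];
}

// Fixed: a new account starts with no keys at all; keys are only granted through
// shareSecret below, by a user who already holds SHARE rights on the secret.
function createUserFixed(db, payload) {
  if (db.users[payload.username]) throw new Error('user exists');
  if (payload.keys && Object.keys(payload.keys).length > 0) {
    throw new Error('keys cannot be set at user creation');
  }
  db.users[payload.username] = { publicKey: payload.publicKey, keys: {} };
  return db.users[payload.username];
}

function createSecret(db, owner, secretId, wrappedKey, content) {
  if (!db.users[owner]) throw new Error('unknown user');
  db.secrets[secretId] = { content, owner };
  db.users[owner].keys[secretId] = { key: wrappedKey, rights: SHARE };
}

// Legitimate grant path: only a holder of SHARE rights can hand out a key.
function shareSecret(db, from, to, secretId, wrappedKeyForTo, rights) {
  const granter = db.users[from] && db.users[from].keys[secretId];
  if (!granter || granter.rights < SHARE) throw new Error('forbidden');
  if (!db.users[to]) throw new Error('unknown user');
  db.users[to].keys[secretId] = { key: wrappedKeyForTo, rights };
}

function canWrite(db, username, secretId) {
  const user = db.users[username];
  const k = user && user.keys[secretId];
  return Boolean(k && k.rights >= WRITE);
}

// The server only checks rights; it cannot tell that the writer's wrapped key is
// garbage, so a bogus WRITE entry is enough to overwrite (and lose) the secret.
function updateSecret(db, username, secretId, newContent) {
  if (!canWrite(db, username, secretId)) throw new Error('forbidden');
  db.secrets[secretId].content = newContent;
  return db.secrets[secretId].content;
}
```

The same rule applies to any route that lets a client submit a whole user object: attributes that encode authorization must be set by the server from a checked grant, never copied from the request.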
node-forge
bumped to the latest version 1.3.1
Cached metadata
Merge pull request #11 from secretin/metadata_cache Accept big payload for metadata_cache
No more signature replay
To follow changes in secretin-lib, the server no longer accepts two identical signatures within 30 seconds by default.
Signatures embed a timestamp and are cached in redis for SIGNATURE_DELAY; if the timestamp is too old or the signature already exists in redis, the request is rejected.
Change rescue code process for 2FA
Merge pull request #7 from secretin/support_history Prepare server to support getHistory
Improve view and support getDatabase diff
1.3.1 Prevent server crash when protect key expires
Add rescue codes route
If you lost your phone after TOTP activation, you were locked out. Not anymore. (Linked to updates in secretin-lib and secretin-app)
Rewritten server
Merge pull request #1 from secretin/new_server New server