Releases: web-auth/webauthn-framework
5.2.5
5.2.4
Release Notes for 5.2.4
Security Fix
- Fixed origin validation bypass in CheckAllowedOrigins (GHSA-f7pm-6hr8-7ggm, CWE-346, CVSS 5.4)

  When allowed_origins was configured, CheckAllowedOrigins reduced URL origins to their host component only, ignoring scheme and port. This allowed a request from a different port (or scheme) to pass origin validation, violating the WebAuthn Level 2 spec requirement for exact origin matching. CheckAllowedOrigins now performs full origin comparison (scheme + host + port) with default port normalization (443 for HTTPS, 80 for HTTP). Origins configured without a scheme are still matched by host only for backward compatibility.

  Reported by @dorakemon.
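The following is an added example, not code from web-auth/webauthn-framework, that contrasts the host-only comparison described in the 5.2.4 note with the corrected behaviour: exact comparison of scheme, host and port, with default ports (443 for https, 80 for http) filled in, and scheme-less allowed entries still matched by host only. The function names (normalizeOrigin, hostOnlyMatches, originMatches) and the sample origins are assumptions chosen for this illustration.

```php
<?php
declare(strict_types=1);

// Added example, not the library's own code. Function names are assumptions.

/**
 * Split an absolute origin into scheme, host and port, filling in the default
 * port (443 for https, 80 for http) when none is given. Returns null when the
 * value has no host component, e.g. a bare hostname or a non-URL origin such as
 * an Android apk-key-hash origin, which needs separate handling and is out of
 * scope here. Path, query and userinfo are ignored; a WebAuthn origin carries none.
 */
function normalizeOrigin(string $origin): ?array
{
    $parts = parse_url($origin);
    if ($parts === false || !isset($parts['host'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    $port = $parts['port'] ?? match ($scheme) {
        'https' => 443,
        'http' => 80,
        default => null,
    };

    return ['scheme' => $scheme, 'host' => strtolower($parts['host']), 'port' => $port];
}

/** Pre-5.2.4 style check: compares the host component only (the weak behaviour). */
function hostOnlyMatches(string $requestOrigin, array $allowedOrigins): bool
{
    $host = strtolower((string) parse_url($requestOrigin, PHP_URL_HOST));
    foreach ($allowedOrigins as $allowed) {
        // A scheme-less entry has no host component, so fall back to the raw value.
        $allowedHost = parse_url($allowed, PHP_URL_HOST) ?: $allowed;
        if (strtolower($allowedHost) === $host) {
            return true;
        }
    }

    return false;
}

/** Corrected check: exact origin comparison after normalization. */
function originMatches(string $requestOrigin, array $allowedOrigins): bool
{
    $request = normalizeOrigin($requestOrigin);
    if ($request === null) {
        return false;
    }
    foreach ($allowedOrigins as $allowed) {
        if (!str_contains($allowed, '://')) {
            // Backward compatibility: a scheme-less entry matches by host only.
            if (strtolower($allowed) === $request['host']) {
                return true;
            }
            continue;
        }
        // Same scheme, host and normalized port required (strict array equality).
        if (normalizeOrigin($allowed) === $request) {
            return true;
        }
    }

    return false;
}

// Constructed sample values for illustration.
$allowed = ['https://rp.example'];

$cases = [
    'host-only, other port'        => hostOnlyMatches('https://rp.example:8443', $allowed),
    'full, other port'             => originMatches('https://rp.example:8443', $allowed),
    'full, explicit default port'  => originMatches('https://rp.example:443', $allowed),
    'full, scheme downgrade'       => originMatches('http://rp.example', $allowed),
    'full, scheme-less config'     => originMatches('https://rp.example:8443', ['rp.example']),
];
foreach ($cases as $label => $accepted) {
    printf("%-28s %s\n", $label, $accepted ? 'accepted' : 'rejected');
}
```

Running the script shows the difference the fix makes: the host-only check accepts a request from port 8443 on the allowed host, while the full-origin check rejects it, rejects an http downgrade, and accepts an explicit :443 as equal to the bare https origin. Only when the configured entry has no scheme does the full check fall back to host-only matching, which is why the release note recommends configuring allowed origins with their scheme.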
Upgrade
composer update web-auth/webauthn-framework
# or
composer update web-auth/webauthn-lib web-auth/webauthn-symfony-bundle
4.9.3
5.2.3
Release Notes for 5.2.3
5.2.x bugfix release (patch)
5.2.3
- Total issues resolved: 0
- Total pull requests resolved: 2
- Total contributors: 1
bug
5.2.2
5.2.1
5.2.0
Release Notes for 5.2.0
Feature release (minor)
5.2.0
- Total issues resolved: 6
- Total pull requests resolved: 5
- Total contributors: 4
enhancement
- 704: Add WebAuthn extensions and integrate PRF handling logic thanks to @Spomky
- 693: Add Webauthn Badge support thanks to @Spomky
- 690: Add origin validation logic and tests for WebAuthn thanks to @Spomky
- 673: [Stimulus/Symfony UX] Allow a remember-me checkbox at login (or document it, if it already works somehow) thanks to @spackmat
- 616: CSRF Support thanks to @Spomky
- 426: Better Authentication Extensions thanks to @Spomky
- 393: Support Android's FIDO2 origin thanks to @giann
DX
DX,UX
bug
- 680: Column publicKeyCredentialId used in key specification without a key length thanks to @leofeyer
DX,enhancement
- 460: Passport and Badges thanks to @Spomky
5.1.3
5.1.2
Release Notes for 5.1.2
5.1.x bugfix release (patch)
5.1.2
- Total issues resolved: 2
- Total pull requests resolved: 5
- Total contributors: 3
bug
- 696: Malformed phpdoc tag in PublicKeyCredentialEntity thanks to @Spomky
- 695: Bugs/index length thanks to @Spomky
- 694: Fix trust path handling and improve assertions thanks to @Spomky and @Morthy
- 687: Update WebAuthn method calls to use object parameters thanks to @Spomky
DX
5.1.1
Release Notes for 5.1.1
5.1.x bugfix release (patch)
5.1.1
- Total issues resolved: 0
- Total pull requests resolved: 2
- Total contributors: 1
- 678: Set a length limit for publicKeyCredentialId field thanks to @Spomky
- 677: Update build process and dependency versions thanks to @Spomky