Preparing v0.14.3 release.
GUI committed Jul 13, 2017
1 parent 82dfe06 commit b699733
Showing 9 changed files with 50 additions and 12 deletions.
38 changes: 37 additions & 1 deletion CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,41 @@
# API Umbrella Change Log

## 0.14.3 (2017-07-13)

This update contains a few bug fixes and some potential security fixes. Upgrading is recommended.

### Upgrade Instructions

If you're upgrading a previous API Umbrella version, you may upgrade the `api-umbrella` package using your package manager.

### Changed

- **Make web-app timeouts configurable:** Timeouts in the Rails web application are now configurable. ([bfe3f06](https://github.com/NREL/api-umbrella/commit/bfe3f06b53a1444aa346962e47d13b90782b87a3))
- **On admin sign in with Google, prompt for specific account:** When the admin tool is configured to use Google for logins, always prompt for which Google account to use. ([c11ea16](https://github.com/NREL/api-umbrella/commit/c11ea1666a0b0287e1764ed031e42342a987e795))
- **Search behavior in admin APIs:** The free-form text search functionality provided by most of the admin APIs has been tweaked slightly. Now searching for an ID requires a full match instead of a partial match, and the "admins" API endpoint no longer searches the authentication token field. ([e936932](https://github.com/NREL/api-umbrella/commit/e936932bfce1c42b7c10b8c9e391f0d0b66e54c3), [aac482e](https://github.com/NREL/api-umbrella/commit/aac482e4c931e5de4d639a6cc5e94c11348d064c))
- **Upgrade bundled software dependencies:**
- MongoDB 3.2.13 -\> 3.2.15
- OpenResty 1.11.2.3 -\> 1.11.2.4 (security update: [CVE-2017-7529](http://mailman.nginx.org/pipermail/nginx-announce/2017/000200.html))
- Rsyslog 8.27.0 -\> 8.28.0

### Fixed

- **Fix logrotation inside Docker container:** Log files could grow unbounded in size inside the API Umbrella Docker container. ([#365](https://github.com/NREL/api-umbrella/issues/365))
- **Fix the default "contact us" form:** A regression in v0.14.0 broke the default contact form's ability to send e-mails. ([api.data.gov#390](https://github.com/18F/api.data.gov/issues/390))
- **Fix logging data to authenticated Elasticsearch:** If using a custom Elasticsearch instance that uses HTTP basic authentication, this should work now. ([eae9553](https://github.com/NREL/api-umbrella/commit/eae95531b7b262cd59e9ecd8947079eaae5163d6))
- **Fix an internal analytics endpoint:** A regression in v0.14.0 broke a non-public API endpoint for summary analytics. ([api.data.gov#387](https://github.com/18F/api.data.gov/issues/387))

### Security

- **Fix admin password hashes exposure:**
- If you use the local authentication mechanism for logging into the admin (new in v0.14.0 and the default), then upgrading to API Umbrella v0.14.3 is highly recommended.
- If you rely only on external login providers (Google, GitHub, etc), then this issue should *not* affect your installation.
- This issue could lead to the password hashes for admins being exposed to other admin users. Similarly, hashed password reset tokens or account unlock tokens could also be exposed to other admin users.
- No plain text passwords or tokens would have been exposed, and these hashes would have only been exposed to other API Umbrella admin users. So the likelihood of this information being exploitable is hopefully very low (the hashes are considered strong and not easy to brute force), but upgrading is recommended to remedy this. You'll also want to weigh the risks for your installation, but it would be prudent to instruct your admins to resets their password.
- Hash details: The exposed password hashes would have been hashed using bcrypt (with a cost factor of 11), and the exposed reset/unlock tokens would have been hashed using HMAC-256 (with the key being a random 128 character string, or the `web.rails_secret_token` value if you manually set that in your config). ([82dfe06](https://github.com/NREL/api-umbrella/commit/82dfe0641d0b43e2a634bbc8a1a820a78c93721d))
- **Updated bundled dependencies:**
- OpenResty to 1.11.2.4 ([CVE-2017-7529](http://mailman.nginx.org/pipermail/nginx-announce/2017/000200.html))

## 0.14.2 (2017-05-26)

This update contains a few bug fixes. Upgrading is recommended.
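Review bot: In the Security entry, "instruct your admins to resets their password" should read "reset their password", and "HMAC-256" is not a standard construction name; if the reset/unlock tokens are hashed with HMAC-SHA256, name it exactly, since readers judging the exposure need the precise primitive. The entry also recommends password resets but gives no guidance on the exposed reset/unlock token hashes: consider advising operators to invalidate any outstanding password-reset or account-unlock tokens (or state how long they remain valid), since resetting a password alone does not retire those tokens. Minor: "Fix logrotation" in the Fixed section should be "Fix log rotation".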
Expand All @@ -18,7 +54,7 @@ If you're upgrading a previous API Umbrella version, you may upgrade the `api-um
### Fixed

- **Fix removing last item from array fields in admin:** A regression in v0.14.0 prevented admins from removing the last items in certain array fields in the admin (for example, removing all roles from a user or API). ([#367](https://github.com/NREL/api-umbrella/issues/367))
- **Fix SSL validation against external Elasticsearch databse:** Allow for explicit configuration of SSL settings when connecting to an external Elasticsearch database that is using HTTPS. Thanks to [@martinzuern](https://github.com/martinzuern). ([#364](https://github.com/NREL/api-umbrella/issues/364))
- **Fix SSL validation against external Elasticsearch database:** Allow for explicit configuration of SSL settings when connecting to an external Elasticsearch database that is using HTTPS. Thanks to [@martinzuern](https://github.com/martinzuern). ([#364](https://github.com/NREL/api-umbrella/issues/364))
- **Increase default memory storge for configuration data**: Increase the default memory allocated for storing the live API backend configuration data from 600KB to 3MB to prevent potential issues when publishing lots of API backends. ([api.data.gov#385](https://github.com/18F/api.data.gov/issues/385))

## 0.14.1 (2017-04-23)
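Review bot: The unchanged context line "Increase default memory storge for configuration data" carries the same kind of typo being corrected two lines above ("storge" should be "storage"); worth fixing in this same hunk rather than leaving it for a later pass.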
1 change: 1 addition & 0 deletions build/package/verify/download_previous_packages
Expand Up @@ -18,6 +18,7 @@ previous_versions=(
0.13.0-1
0.14.0-1
0.14.1-1
0.14.2-1
)

distros=(
1 change: 1 addition & 0 deletions build/package/verify/spec/localhost/service_spec.rb
Expand Up @@ -661,4 +661,5 @@ def install_package(version)
it_behaves_like "package upgrade", "0.13.0-1"
it_behaves_like "package upgrade", "0.14.0-1"
it_behaves_like "package upgrade", "0.14.1-1"
it_behaves_like "package upgrade", "0.14.2-1"
end
2 changes: 1 addition & 1 deletion docker/Dockerfile
@@ -1,6 +1,6 @@
FROM debian:jessie

ENV API_UMBRELLA_VERSION 0.14.2-1~jessie
ENV API_UMBRELLA_VERSION 0.14.3-1~jessie

# Install API Umbrella
RUN echo "deb http://dl.bintray.com/nrel/api-umbrella-debian jessie main" >> /etc/apt/sources.list.d/api-umbrella.list
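Review bot: The apt source on the unchanged context line is fetched over plain `http://dl.bintray.com/...`, so the integrity of the `0.14.3-1~jessie` package rests entirely on apt verifying the repository signature. Confirm that the Dockerfile imports the repository signing key before the install step (not visible in this hunk), and consider switching the source URL to `https://` so the metadata download itself cannot be altered in transit.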
4 changes: 2 additions & 2 deletions docs/conf.py
Expand Up @@ -57,9 +57,9 @@
# built documents.
#
# The short X.Y version.
version = '0.14.2'
version = '0.14.3'
# The full version, including alpha/beta/rc tags.
release = '0.14.2'
release = '0.14.3'

# The language for content autogenerated by Sphinx. Refer to documentation
# for a list of supported languages.
6 changes: 3 additions & 3 deletions docs/developer/compiling-from-source.md
Expand Up @@ -11,9 +11,9 @@ Installing from a [binary package](../getting-started.html#installation) is reco
## Compiling & Installing

```sh
$ curl -OLJ https://github.com/NREL/api-umbrella/archive/v0.14.2.tar.gz
$ tar -xvf api-umbrella-0.14.2.tar.gz
$ cd api-umbrella-0.14.2
$ curl -OLJ https://github.com/NREL/api-umbrella/archive/v0.14.3.tar.gz
$ tar -xvf api-umbrella-0.14.3.tar.gz
$ cd api-umbrella-0.14.3
$ sudo ./build/scripts/install_build_dependencies
$ ./configure
$ make
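Review bot: The `curl -OLJ` step downloads the v0.14.3 tarball with no integrity check, so a reader following these instructions cannot detect a tampered or truncated archive. Alongside the version bump, consider publishing a SHA-256 checksum (or a signature) for the release tarball and inserting a verification step such as `sha256sum -c` between the download and `tar -xvf`.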
2 changes: 1 addition & 1 deletion src/api-umbrella/version.txt
@@ -1 +1 @@
0.14.2
0.14.3
2 changes: 1 addition & 1 deletion website/source/index.html.erb
Expand Up @@ -19,7 +19,7 @@ title: API Umbrella - Open Source API Management
</div>
<img class="img-responsive img-center" src="images/overview.png" data-at2x="images/overview@2x.png" alt="" width="676" height="266">
<div class="links">
Version 0.14.2&nbsp;&nbsp;&nbsp;&nbsp;&sdot;&nbsp;&nbsp;&nbsp;&nbsp;<a href="https://github.com/NREL/api-umbrella"><i class="fa fa-github" aria-hidden="true"></i>GitHub Project</a>
Version 0.14.3&nbsp;&nbsp;&nbsp;&nbsp;&sdot;&nbsp;&nbsp;&nbsp;&nbsp;<a href="https://github.com/NREL/api-umbrella"><i class="fa fa-github" aria-hidden="true"></i>GitHub Project</a>
</div>
</div>
</div>
6 changes: 3 additions & 3 deletions website/source/install.html.erb
Expand Up @@ -67,9 +67,9 @@ sudo yum install api-umbrella</pre>

<div id="other" class="platform-download" style="display: none;">
<p>We build binary packages for a variety of Linux distributions. These binary packages are the recommended way to install API Umbrella. However, if binary packages aren't available, you can also compile from source (also, please <a href="https://github.com/NREL/api-umbrella/issues">let us know</a> if you'd like to see binaries for other operating systems):</p>
<pre>$ curl -OLJ https://github.com/NREL/api-umbrella/archive/v0.14.2.tar.gz
$ tar -xvf api-umbrella-0.14.2.tar.gz
$ cd api-umbrella-0.14.2
<pre>$ curl -OLJ https://github.com/NREL/api-umbrella/archive/v0.14.3.tar.gz
$ tar -xvf api-umbrella-0.14.3.tar.gz
$ cd api-umbrella-0.14.3
$ make
$ sudo make install</pre>
</div>
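Review bot: This source-install snippet goes straight from `cd api-umbrella-0.14.3` to `make` and omits the `sudo ./build/scripts/install_build_dependencies` and `./configure` steps that docs/developer/compiling-from-source.md lists in this same commit; the two snippets should agree so users of the website do not hit a failing build. As on the docs page, the tarball is fetched with `curl -OLJ` and never checksum-verified; a published SHA-256 and a `sha256sum -c` step would close that gap here too.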

0 comments on commit b699733