cat-announce AT lists.geant.org

Subject: annoucements about the service and software of CAT

List archive

[cat-announce] Release of CAT-1.1

From: annoucements about the service and software of CAT <cat-announce AT geant.net>
To: "cat-users AT geant.net" <cat-users AT geant.net>, cat-announce AT geant.net
Subject: [cat-announce] Release of CAT-1.1
Date: Fri, 17 Apr 2015 10:51:15 +0200
List-archive: <https://mail.geant.net/mailman/private/cat-announce/>
List-id: annoucements about the service and software of CAT <cat-announce.geant.net>
Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Hello,

we are happy to announce the source code release of CAT-1.1. This is a
new feature release with plenty of new things in it.

Please see the "What's new" page on the Wiki for an overview:

https://wiki.terena.org/pages/viewpage.action?pageId=38896414

Or the full changelog of all development steps (alpha/beta/release)
below (long!).

This new release comes with the record number of 15 languages! You will
be able to use CAT in the languages

PT PL EN DE FI CA_ES ES_ES GL_ES HR EL IT NB SR SL HU

We are currently testing this new version and are confident to have
cat.eduroam.org on that release by the end of the month.

I would like to say a big Thank You to everyone involved!

Greetings,

Stefan Winter

Changes in 1.1
==============
- [BUGFIX #1] installer cache problem has been fixed by adding a mime
field to the downloads table in the database, hence a
schema change
- [BUGFIX #2] Linux installer - passwords containing single quote broke
fix suggested by Brian Epstein
<bepstein AT ias.edu>
- [BUGFIX #3] Linux installer - added tkip in group protocol
to support wpa/wpa2 mixed mode
- [BUGFIX #4] Linux installer - the name of local installation
directory changed from .eduroam to .cat_installer
- [BUGFIX #5] Cleared a potential vulnarability in cat_info (item 9
from the audit)
- [BUGFIX #6] Cleared a potential vulnarability in radius_tests.php
(item 11 from the audit)
- [BUGFIX #7] Cleared a potential vulnarability in cat_js.php (item 13
from the audit)
- [BUGFIX #8] Cleared a potential vulnarability in index.php (item 20
from the audit)
- [BUGFIX #9] Added server hardening best practices in the
Configuration tutorial (closing items D2 and D4 of the
audit)
- [BUGFIX #10] Input sanitisation in productheader() improved (closes
item 7 from the source code audit)
- [BUGFIX #11] all other source code audit issues fixed
- [BUGFIX #12] removed XP support and Win Vista and 7 support for TTLS
due to open licensing questions on a particular
third-party helper program
- [FEATURE #1] Added a new eap-config device and two instances of
Android devices all based on the generic XML device
- [FEATURE #2] added verbose copyright and licensing information, see
footer

Changes in 1.1-beta1
====================
- [FEATURE #1] added two more certificate checks:
CERTPROB_OUTSIDE_VALIDITY_PERIOD
CERTPROB_SERVER_CERT_REVOKED
the latter can only be checked if a valid CDP is in the
server certificate; and only for own realms, not others
- [FEATURE #2] use PHPMailer to send emails, in order to land in less
spam traps requires new config section
Config::$MAILSETTINGS (see below)
always sends via Submission (TCP/587)
- [FEATURE #3] Invitation mails can be sent to multiple mail addresses,
but
- only the first consumer of the token gets access
- need to specify only raw mail addresses, no real
names nor <mail.addr> brace notation

Configuration parameter changes
-------------------------------
[NEW] Config::$MAILSETTINGS['host']
[NEW] Config::$MAILSETTINGS['user']
[NEW] Config::$MAILSETTINGS['pass']

Changes in 1.1-alpha1
=====================
- [BUGFIX #1] fix one profile tag for W8 TTLS-MSCHAPv2
- [BUGFIX #2] certificates did not get installed for W8 TTLS
- [BUGFIX #3] temporary directory cleanup did not work
- [BUGFIX #4] Fixes to messages displayed by the XP module
- [BUGFIX #5] Changed info on profiles to be installed in case there
is only one
- [BUGFIX #6] Linux module fix - user confirmation function
- [BUGFIX #7] Windows TLS modules did not allow users to unset the
installation of the PFX file
- [BUGFIX #8] Corrected match pattern for Windows 8.1
- [BUGFIX #9] Linux module - incorrect behaviur with some special
chracters in passwords

- [FEATURE #1] admin interface allows admin to select wired interfaces
as target not all installers actually support that yet
- [FEATURE #2] Better support for internal EAP and non-EAP methods
- [FEATURE #3] Generic XML profile support added
- [FEATURE #4] in federation overview, show if your IdPs have a
complete config and/or make their installers available
for end users on the UI (on first call of overview page
after upgrade from 1.0, some conversions take place and
the overview takes longer than usual)
- [FEATURE #5] visualise with RED letters if admin uploaded a server
cert instead of a CA
- [FEATURE #6] thoroughness of UDP reachability checks was VASTLY
improved. List of error conditions now recognised:
CERTPROB_ROOT_INCLUDED
CERTPROB_TOO_MANY_SERVER_CERTS
CERTPROB_NO_SERVER_CERT
CERTPROB_MD5_SIGNATURE_SERVER
CERTPROB_MD5_SIGNATURE_INTERMEDIATE
CERTPROB_NO_TLS_WEBSERVER_OID
CERTPROB_NO_CDP_HTTP
CERTPROB_NO_CRL_AT_CDP_URL
CERTPROB_TRUST_ROOT_NOT_REACHED
CERTPROB_TRUST_ROOT_REACHED_ONLY_WITH_OOB_INTERMEDIATES
CERTPROB_LOW_KEY_LENGTH
CERTPROB_SERVER_NAME_MISMATCH
CERTPROB_SERVER_NAME_PARTIAL_MATCH
CERTPROB_NOT_A_HOSTNAME
CERTPROB_WILDCARD_IN_NAME
- [FEATURE #7] This feature has been reversed, number is lef for
consistency
- [FEATURE #8] Mac OS, iOS: support wired ethernet configuration
- [FEATURE #9] Simple text inteface to TOU display
- [FEATURE #10]A changed approach to JSON transfer schema as an openning
for an access API (including TOU pointer)
- [FEATURE #11] Logos generated for DiscoJuice are now cached in the
filesystem
- [FEATURE #12] New layout of the download page
- [FEATURE #13] The device id can be passed to the GUI to replace the
OS selfdetection
- [FEATURE #14] Hotspot 2.0: now generate Mac/iOS profiles with
consortium OIs
- [FEATURE #15] background image of windows installers now generated
dynamically, not hard-wired to the eduroam name and
logo any more (file devices/ms/Files/cat_bg.bmp is now
obsolete)
- [FEATURE #16] Silent installer (proper handling of /S flag).
- [FEATURE #17] In case of OS version missmatch Windows installers
display a more explicit message
- [FEATURE #18] A new design of RADIUS tests
- [FEATURE #19] Modification to the users pages layout - mainly footer
handling
- [FEATURE #20] Installed download no longer handled via direct links to
temporary directories
- [FEATURE #21] Added isAuthenticated function to auth.in.php
- [FEATURE #22] Significant code optimisation for the generic XML module
- [FEATURE #23] Added sorting option to listProfiles in UserAPI
- [FEATURE #24] Added timestamping support to Windows code signing
- [FEATURE #25] QR codes now include the consortium logo (10% symbol
obstruction, 25% allowed)
- [FEATURE #26] Windows installer - moved the debug log file to the
Documents directory
- [FEATURE #27] Linux installer - force WPA2/AES
- [FEATURE #28] Support for additions messages displayed before download
and configurable globally in devices.php, can be used
for legacy devices
- [FEATURE #29] Support for unsupported devices that can be shown when
device-specific redirects
are set
- [FEATURE #30] Core and Windows support for profile deletion (also
including the Consrtium TKIP profile)
- [FEATURE #31] MacOS and iOS can't delete SSIDs, but will now instead
install
the bootstrap SSID as no-auto-connect, effectively
disabling it
- [FEATURE #32] When creating a new CAT inst from eduroam DB, prefill
email field
with the names and mails from eduroam DB
- [FEATURE #33] Smartphone interface has been completely redesigned
- [FEATURE #34] EAP-TLS support for Mac OS X enabled; remains disabled
for iOS
- [FEATURE #35] Support mode (showing hidden devices) enabled in the GUI

- [STRUCTURE #1] web/user/GUI.php renamed to core/UserAPI.php
- [STRUCTURE #2] web/user/cat_back.php renamed to web/user/API.php
- [STRUCTURE #3] updated PHP requirements to 5.5
- [STRUCTURE #4] SSIDs, wired, delete-bootstrap, consortium-OI are now
their own
configuration category ("Media")

Configuration parameter changes
-------------------------------
[NEW] Config::$PATHS['c_rehash']
path to openssl's CA name hashing tool
[NEW] Config::$CONSORTIUM['interworking-consortium-oi']
array of sonsortium OIs which should be configured in
installers
[NEW] Config::$APPEARANCE['colour1']
the "light" main color of the user interface
[NEW] Config::$APPEARANCE['colour2']
the "dark" main color of the user interface
[OBSOLETE] Config::$PATHS['rad_eap_test']
wo don't need this wrapper any more, using eapol_test
directly
[OBSOLETE] Config::$PATHS['qrencode']
wo don't need this any more, QRs are generated with a
library

Schema changes
--------------
profile:QR-user is now obsolete (no need for persistent storage of QR code)
general:SSID has been renamed to media:SSID
general:SSID_with_legacy has been renamed to media:SSID_with_legacy

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: 0x8A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature

[cat-announce] Release of CAT-1.1, annoucements about the service and software of CAT, 04/17/2015