v1.5.6-beta

v1.5.6-beta Release Notes - Dec 9, 2022

v1.5.6-beta is a beta release, providing updates for the following issues in the Fabric CA:

• Builds native arm64 CA binaries for linux and darwin
• Builds multi-platform CA docker images for arm64 and amd64 with buildx

Dependencies

Fabric CA v1.5.6 has been tested with the following dependencies:

• Go 1.18.8
• Alpine 3.17 (for Docker images)

Changes, Known Issues, and Workarounds

None.

Known Vulnerabilities

• FABC-174 Commands can be manipulated to delete identities or affiliations

  This vulnerability can be resolved in one of two ways:

  1. Use HTTPS (TLS) so that the authorization header is not in clear text.

  2. The token generation/authentication mechanism was improved to optionally prevent
     token reuse. As of v1.4 a more secure token can be used by setting environment variable:

  FABRIC_CA_SERVER_COMPATIBILITY_MODE_V1_3=false

  However, it cannot be set to false until all clients have
  been updated to generate the more secure token and tolerate
  FABRIC_CA_SERVER_COMPATIBILITY_MODE_V1_3=false.
  The Fabric CA client has been updated in v1.4 to generate the more secure token.
  The Fabric SDKs will be updated by v2.0 timeframe to generate the more secure token,
  at which time the default for Fabric CA server will change to:
  FABRIC_CA_SERVER_COMPATIBILITY_MODE_V1_3=false

Resolved Vulnerabilities

None.

v1.5.5

v1.5.5 Release Notes - July 8, 2022

v1.5.5 is a maintenance release, providing updates for the following issues in the Fabric CA:

• Closes Issue #305 : Issue with re-enrolling certificates

Dependencies

Fabric CA v1.5.5 has been tested with the following dependencies:

• Go 1.18.2
• Alpine 3.16 (for Docker images)

Changes, Known Issues, and Workarounds

None.

Known Vulnerabilities

• FABC-174 Commands can be manipulated to delete identities or affiliations

  This vulnerability can be resolved in one of two ways:

  1. Use HTTPS (TLS) so that the authorization header is not in clear text.

  2. The token generation/authentication mechanism was improved to optionally prevent
     token reuse. As of v1.4 a more secure token can be used by setting environment variable:

  FABRIC_CA_SERVER_COMPATIBILITY_MODE_V1_3=false

  However, it cannot be set to false until all clients have
  been updated to generate the more secure token and tolerate
  FABRIC_CA_SERVER_COMPATIBILITY_MODE_V1_3=false.
  The Fabric CA client has been updated in v1.4 to generate the more secure token.
  The Fabric SDKs will be updated by v2.0 timeframe to generate the more secure token,
  at which time the default for Fabric CA server will change to:
  FABRIC_CA_SERVER_COMPATIBILITY_MODE_V1_3=false

Resolved Vulnerabilities

None.

Changes:

• 9d2a312 Release commit for v1.5.5
• 1f16304 Revert "Idemix MSP Folder Structure incompatible with what Fabric expects #303"
• 98dfc86 Revert "fixup! Idemix MSP Folder Structure incompatible with what Fabric expects #303"
• f2fed4d Revert "create idemix user folder under root folder"
• 65315b2 Revert "fixup! create idemix user folder under root folder"
• fac0ce6 Revert "fixup! create idemix user folder under root folder"
• 77c54da fixup! create idemix user folder under root folder
• dfd29fe fixup! create idemix user folder under root folder
• 0fcf897 create idemix user folder under root folder
• 29e083e fixup! Idemix MSP Folder Structure incompatible with what Fabric expects #303

See More

• acea746 Idemix MSP Folder Structure incompatible with what Fabric expects #303
• 3be7a15 Correct handling of CA VerifyOptions (#306)

This list of changes was auto generated.

v1.5.4

v1.5.4 Release Notes - June 17, 2022

Release v1.5.4 updates Fabric CA to use https://github.com/IBM/idemix for the Identity Mixer implementation,
making it possible to issue credentials using various Identity Mixer curves.
The Identity Mixer curve can be configured in the Fabric CA server and client configuration yaml file:

# Specifies the Elliptic Curve used by Identity Mixer.
# It can be any of: {"amcl.Fp256bn", "gurvy.Bn254", "amcl.Fp256Miraclbn"}.
# If unspecified, it defaults to 'amcl.Fp256bn'.
curve: amcl.Fp256bn

Dependencies

Fabric CA v1.5.4 has been tested with the following dependencies:

• Go 1.18.2
• Alpine 3.16 (for Docker images)

Changes, Known Issues, and Workarounds

None.

Known Vulnerabilities

• FABC-174 Commands can be manipulated to delete identities or affiliations

  This vulnerability can be resolved in one of two ways:

  1. Use HTTPS (TLS) so that the authorization header is not in clear text.

  2. The token generation/authentication mechanism was improved to optionally prevent
     token reuse. As of v1.4 a more secure token can be used by setting environment variable:

  FABRIC_CA_SERVER_COMPATIBILITY_MODE_V1_3=false

  However, it cannot be set to false until all clients have
  been updated to generate the more secure token and tolerate
  FABRIC_CA_SERVER_COMPATIBILITY_MODE_V1_3=false.
  The Fabric CA client has been updated in v1.4 to generate the more secure token.
  The Fabric SDKs will be updated by v2.0 timeframe to generate the more secure token,
  at which time the default for Fabric CA server will change to:
  FABRIC_CA_SERVER_COMPATIBILITY_MODE_V1_3=false

Resolved Vulnerabilities

None.

Changes:

• 076f37b Release commit for v1.5.4
• 60ae815 Run "go mod tidy" (#301)
• 9dbdf80 Bump Alpine to 3.16 (#300)
• a0ab179 Update vendor for sys/unix
• e45e347 Update Fabric CA Readme (#296)
• dd6a104 Bump Go to 1.18.2 (#294)
• 78e1f1a Make idemix use Mathlib instead of AMCL directly
• 6a9e85f Nominate Josh and Mark as maintainers
• 7405422 Add OpenAPI Documentation
• 2e79a3e Fix swagger issues

See More

• 90e53e3 Wrong path
• d0e0aba Minor type
• c6bbc4b test: use T.TempDir to create temporary test directory
• 8b815da Prepare for v1.5.4 release
• e960bb9 Cleanup maintainers list

This list of changes was auto generated.

v1.5.3

v1.5.3 Release Notes - April 7, 2022

Release v1.5.3 updates Fabric CA to be compatible with Go 1.17.8.

Additionally, packages that shifted from exported to unexported in v1.5.0 are now exported again.

Dependencies

Fabric CA v1.5.3 has been tested with the following dependencies:

• Go 1.17.8
• Alpine 3.14 (for Docker images)

Changes, Known Issues, and Workarounds

None.

Known Vulnerabilities

• FABC-174 Commands can be manipulated to delete identities or affiliations

  This vulnerability can be resolved in one of two ways:

  1. Use HTTPS (TLS) so that the authorization header is not in clear text.

  2. The token generation/authentication mechanism was improved to optionally prevent
     token reuse. As of v1.4 a more secure token can be used by setting environment variable:

  FABRIC_CA_SERVER_COMPATIBILITY_MODE_V1_3=false

  However, it cannot be set to false until all clients have
  been updated to generate the more secure token and tolerate
  FABRIC_CA_SERVER_COMPATIBILITY_MODE_V1_3=false.
  The Fabric CA client has been updated in v1.4 to generate the more secure token.
  The Fabric SDKs will be updated by v2.0 timeframe to generate the more secure token,
  at which time the default for Fabric CA server will change to:
  FABRIC_CA_SERVER_COMPATIBILITY_MODE_V1_3=false

Resolved Vulnerabilities

None.

Changes:

• 2061c8d Release commit for v1.5.3
• 8651918 Undo breaking changes to exported packages
• c025d5e Bump Go to 1.17.8
• 077518e Fix FVT intermediateca test
• 655a0f9 Remove redundant assignment
• bb85890 Bump fvt mysql to 0.8.22-1
• 6202690 Make server config.go and serverconfig.rst consistent
• 4c5d2ef Fixes for CA deployment guide
• fc42d91 fix expired root.pem certificate - was breaking 8-10 unit test cases
• 19cdbf5 Prepare for next release v1.5.3

This list of changes was auto generated.

v1.5.2

v1.5.2 Release Notes - September 8, 2021

Release v1.5.2 updates Fabric CA to be compatible with Go 1.16.7.

Dependencies

Fabric CA v1.5.2 has been tested with the following dependencies:

• Go 1.16.7
• Alpine 3.14 (for Docker images)

Changes, Known Issues, and Workarounds

None.

Known Vulnerabilities

• FABC-174 Commands can be manipulated to delete identities or affiliations

  This vulnerability can be resolved in one of two ways:

  1. Use HTTPS (TLS) so that the authorization header is not in clear text.

  2. The token generation/authentication mechanism was improved to optionally prevent
     token reuse. As of v1.4 a more secure token can be used by setting environment variable:

  FABRIC_CA_SERVER_COMPATIBILITY_MODE_V1_3=false

  However, it cannot be set to false until all clients have
  been updated to generate the more secure token and tolerate
  FABRIC_CA_SERVER_COMPATIBILITY_MODE_V1_3=false.
  The Fabric CA client has been updated in v1.4 to generate the more secure token.
  The Fabric SDKs will be updated by v2.0 timeframe to generate the more secure token,
  at which time the default for Fabric CA server will change to:
  FABRIC_CA_SERVER_COMPATIBILITY_MODE_V1_3=false

Resolved Vulnerabilities

None.

Changes:

• 17b4d1a Release commit for v1.5.2.
• f242447 Update alpine to 3.14
• 073587e Update Go to 1.16.7
• 7026aee Prepare for next release v1.5.2
• f9889d4 Bump Debian
• 916d684 Update CI Pool Image

This list of changes was auto generated.

v1.5.1

v1.5.1 Release Notes - August 16, 2021

Improvements

FABC-931: Re-enroll with existing key even if certificate is expired

As of Fabric CA v1.4.9 it is possible to reenroll and get a certificate using an existing
private/public key pair when passing --csr.keyrequest.reusekey to the Fabric CA
client re-enroll request. This is advantageous especially for TLS certs since it means an
orderer identity can get a certificate with updated expiration without the channel
configuration needing to be updated (as of Fabric v1.4.9 and v2.2.1 when TLS certs
are verified between channel members only the key is checked, the entire certificate
does not need to be identical). However, if the certificate is already expired,
Fabric CA has historically returned an error and did not allow the identity to
reenroll to receive a new certificate.
This improvement allows the client to re-enroll even if the current certificate is expired.
To use the improvement, start the Fabric CA with the configuration option ca.reenrollIgnoreCertExpiry
set to true (or set environment variable FABRIC_CA_SERVER_CA_REENROLLIGNORECERTEXPIRY).
Alternatively, start the Fabric CA with flag --ca.reenrollignorecertexpiry.

Fixes

Release binaries for Linux and Windows that were corrupted in v1.5.0 have been fixed in v1.5.1.

Dependencies

Fabric CA v1.5.1 has been tested with the following dependencies:

• Go 1.15.7
• Alpine 3.13 (for Docker images)

Changes, Known Issues, and Workarounds

None.

Known Vulnerabilities

• FABC-174 Commands can be manipulated to delete identities or affiliations

  This vulnerability can be resolved in one of two ways:

  1. Use HTTPS (TLS) so that the authorization header is not in clear text.

  2. The token generation/authentication mechanism was improved to optionally prevent
     token reuse. As of v1.4 a more secure token can be used by setting environment variable:

  FABRIC_CA_SERVER_COMPATIBILITY_MODE_V1_3=false

  However, it cannot be set to false until all clients have
  been updated to generate the more secure token and tolerate
  FABRIC_CA_SERVER_COMPATIBILITY_MODE_V1_3=false.
  The Fabric CA client has been updated in v1.4 to generate the more secure token.
  The Fabric SDKs will be updated by v2.0 timeframe to generate the more secure token,
  at which time the default for Fabric CA server will change to:
  FABRIC_CA_SERVER_COMPATIBILITY_MODE_V1_3=false

Resolved Vulnerabilities

None.

Changes:

• a01d0ae Build release artifacts on native platforms
• d6f546b Release commit for Fabric CA v1.5.1
• 71436f4 Add native target description in Makefile
• 9b0e156 review comments
• 5c502ff Docs updates
• cb74047 Review comments and added an integration test
• ac256a9 Support ignoring certificate expiry for re-enrolls
• 3852738 521 is not supported anymore
• 2147670 fixed 521 to 512 ecdsa algorithm
• 05fe243 fixed missed double quotation

See More

• 2f05c9a fixed a typo
• 0e750f7 Enable arm64
• 9a9d6ff Bump jinja2 from 2.10.1 to 2.11.3 in /docs
• c8d2ffb Update default branch to main
• 8ea82d3 Update Fabric CA Readme
• 7fd582b Update doc references for main branch
• 99187d5 Update CI to use main branch
• 7bb43f2 Remove local copy of repolint.json
• f960dd4 Prepare for next version Fabric CA v1.5.1
• 6e825cc Add release Target to Release Pipeline
• fd12c1d Change release pipeline service connection

This list of changes was auto generated.

v1.5.0

v1.5.0 Release Notes - March 9, 2021

All improvements and fixes as of Fabric CA v1.4.9 are included in Fabric CA v1.5.0.
Additionally, the following improvements and fixes are included in Fabric CA v1.5.0.

Improvements

FABC-780: TLS v1.3 support

Add support for TLS v1.3

FABC-735: Docker images with Alpine Linux

Hyperledger Fabric CA Docker image will now use Alpine Linux,
a security-oriented, lightweight Linux distribution.

FABC-909: Check If database exists prior to creating

Prior to creating the Fabric CA database, first determine if it exists in MySQL and Postgres databases.
This change enables using a database user that does not have permission to create the database and assumes the database was previously created by an administrator.

Fixes

FABC-902: Identities query for all types of an affiliation fails

Identities query for all types of an affiliation fails with a SQL error.
This fix passes the correct arguments to the query.

FABC-800: Enlarge PEM column for MySQL database from 4096 to 8192

In some scenarios enrollment may fail with error:
"Certificate signing failure: Failed to insert record into database: Error 1406: Data too long for column 'pem' at row 1".
This fix expands the database column from 4096 to 8192.

FABC-913: Set a primary key on users table for SQLite

When using SQLite, duplicate registration of the same ID could occur depending on timing. Subsequently the ID would not be usable.
This fix sets a primary key of id on users table for SQLite to prevent duplicate entries.

FABC-832: Certificate NotBefore date can not be before CA Cert NotBefore date

Enrollment certificate requests using a NotBefore date prior to the CA certificate NotBefore
date will now get reset to use the CA certificate's NotBefore date.

Dependencies

Fabric CA v1.5.0 includes updated Go dependencies.

Fabric CA v1.5.0 has been tested with the following dependencies:

• Go 1.15.7
• Alpine 3.13 (for Docker images)

Changes, Known Issues, and Workarounds

None.

Known Vulnerabilities

• FABC-174 Commands can be manipulated to delete identities or affiliations

  This vulnerability can be resolved in one of two ways:

  1. Use HTTPS (TLS) so that the authorization header is not in clear text.

  2. The token generation/authentication mechanism was improved to optionally prevent
     token reuse. As of v1.4 a more secure token can be used by setting environment variable:

  FABRIC_CA_SERVER_COMPATIBILITY_MODE_V1_3=false

  However, it cannot be set to false until all clients have
  been updated to generate the more secure token and tolerate
  FABRIC_CA_SERVER_COMPATIBILITY_MODE_V1_3=false.
  The Fabric CA client has been updated in v1.4 to generate the more secure token.
  The Fabric SDKs will be updated by v2.0 timeframe to generate the more secure token,
  at which time the default for Fabric CA server will change to:
  FABRIC_CA_SERVER_COMPATIBILITY_MODE_V1_3=false

Resolved Vulnerabilities

None.

Changes:

• 5fb298c Fabric CA v1.5.0 release commit.
• c239845 Add Release Pipeline
• b8bb426 Update Go module dependencies for fabric v1.4.11
• 4305db7 Add repolinter support
• 70634d4 Update next version to v1.5.0
• 8433aeb Bump Go and Alpine Versions
• d632b73 Change test function to a suitable name
• b90288c Ensure keystore stays under clientHome in test
• 2855915 Fix typos
• 6bc1ddc Remove unused util.ViperUnmarshal function

See More

• 5689bad Remove unnecessary BCCSP mock
• 6539de7 Use testify/assert more consistently in util tests
• 84e9bb7 Update copyright headers in util package
• e0e3ed4 Address remaining shellcheck items in scripts
• 3be386c Simplify check_lint and get rid of warning noise
• 968f49b Remove 'git log' to fix shellcheck quoting issue
• e89a694 Use year instead of ISO week year in dates
• 05f2334 Fix changelog generation script
• 96a3bef Remove unused add-user.ldif from scripts
• 2c88121 Remove GOPATH and treat as a go module
• 5b5ab07 Update modules after removing unused code
• 0bc2b02 Remove unused fvt/docker-compose.yml
• bf44985 Remove references to GOPATH from scripts/fvt
• 3d3a776 Remove GOPATH from top-level scripts
• 50cdfc6 Remove dead ServerInfoResponseNet struct
• d6eb77f Unexport attr.Exists
• 6b5f9c1 Remove duplicate LICENSE file
• 2f6cd0c Unexport cert decoder storeCert, remove dead code
• 3b50c81 Unexport internal utility functions
• 85fe102 Move StrContained and IsSubsetOf to callers
• 41ef8f8 Unexport util.DecodeToken
• 0a45b2e Remove "temporarily" commented out tests
• 455dcaf Remove unused util.RemoveQuotes
• e3ed604 Remove unused util.ECDSASignature structure
• d3b8a69 Move revocation reason codes to consumer
• 1415917 Remove unreferenced scripts in fvt/utils
• 87868e2 Remove unreferenced files in scripts/fvt/staging
• 392b9bb Remove duplicated generated file logic in checks
• 7839ea5 Remove unused scripts/multiarch.sh
• 5b83955 Remove unused run_safesql_scan script
• e39ba36 Use _ for set-before-ref arg flagged by linting
• 9e3616c Remove unused argument from test helper
• e8e2935 Address unconditional break flagged by linting
• bfb0431 Use switch w/fallthrough for migration logic
• 98121cc Address ineffectual assignments flagged by linting
• 59ac6ff Simplify code patterns highlighted by linting
• 3ad1b02 Remove or use references flagged unused by linting
• 30ab42d Remove dead code flagged by linting
• 82d2fb4 Remove integration folder as code does not compile
• 09aeebd Remove commented out utility code
• b2a82b9 Convert errorTest to closure within test func
• c827213 Remove unnecessary mspDir const from test
• e284da2 Remove fabric-ca-load-tester
• d510ff3 Move tests back to _test package, simplify stubs
• c54a7c7 [FABC-909] Check If DB Exists
• 09623fd Corrected Typo
• 7e290c8 changes in certificate tests
• 9ea6836 certificate NotBefore date can not be before CA Cert NotBefore date
• 0392afe Op guide fixes (#204)
• 7b4f347 Update vendored dependencies (#202)
• 87591fb Fix link for swagger online editor
• 43ec76b Move to Go 1.15.5
• d0dca45 small clarification on org msp folder
• 6c8c516 Fix a typo in users-guide (#196)
• 41d4b3f Allow reenroll to reuse existing private key
• a07c3fe Edits to use a CA
• 8a07eef [FABC-920] Modify cdr command in README
• 517b16c Simplify profiling links in README.md
• b40b0eb Move StartNonceSweeper out of NonceManager constructor
• 808e3a3 Remove duplicate error log when deleting expired nonces
• 5fda489 Fix the indentation in the NodeOU source code
• 3a1323d [FAB-17702] Use a CA
• fc84b4f [FABC-912] Remove label and pin from logs
• 6350514 Run unit tests with and without pkcs11 tags
• 5180751 [FABC-829] Add hf.AffiliationMgr and hf.GenCRL attributes to migrated (#159)
• 2a83d33 [FABC-913] Set a primary key to users table for SQLite
• 240cee8 Bump Go and Alpine Versions
• e95ef80 CI should be exercising integration tests
• e69e4df Remove unnecessary docker make vars and doc update
• 0df7b51 Remove unused env vars in fabric-ca_setup.sh
• 53b7e62...

v1.4.9

v1.4.9 Release Notes - September 30, 2020

Fixes

FABC-914: fabric-ca-client - Allow reenroll request to utilize existing private key

fabric-ca-client reenroll command always generated a new private key in the certificate signing request.
This fix allows reenroll command to use the existing private key by setting the
--csr.keyrequest.reusekey flag. This may be important if the previously issued certificate is going to be expired soon
and needs to be re-issued, without updating the public key within the certificate.
Note that reenroll will fail if the previously issued certificate has already expired.

Dependencies

Fabric CA v1.4.9 has been tested with the following dependencies:

• Go 1.13.12
• Fabric baseimage 0.4.21

Changes, Known Issues, and Workarounds

None.

Known Vulnerabilities

• FABC-174 Commands can be manipulated to delete identities or affiliations

  This vulnerability can be resolved in one of two ways:

  1. Use HTTPS (TLS) so that the authorization header is not in clear text.

  2. The token generation/authentication mechanism was improved to optionally prevent
     token reuse. In v1.4 a more secure token can be used by setting environment variable:

  FABRIC_CA_SERVER_COMPATIBILITY_MODE_V1_3=false

  However, it cannot be set to false until all clients have
  been updated to generate the more secure token and tolerate
  FABRIC_CA_SERVER_COMPATIBILITY_MODE_V1_3=false.
  The Fabric CA client has been updated in v1.4 to generate the more secure token.
  The Fabric SDKs will be updated by v2.0 timeframe to generate the more secure token,
  at which time the default for Fabric CA server will change to:
  FABRIC_CA_SERVER_COMPATIBILITY_MODE_V1_3=false

Resolved Vulnerabilities

None.

Change log

For the full list of changes, refer to the release change log:
https://github.com/hyperledger/fabric-ca/blob/release-1.4/CHANGELOG.md#v149

Changes:

• 44fffab Release commit for Fabric-CA v1.4.9
• e709511 Add v1.4.9 release notes.
• 8ac7348 Allow reenroll to reuse existing private key
• 4d53ed8 Edits to use a CA

This list of changes was auto generated.

v1.4.8

v1.4.8 Release Notes - July 31, 2020

Fixes

FABC-829: Newly introduced attributes should be given to admin users

Fabric CA version v1.1.0 added attributes hf.AffiliationMgr and hf.GenCRL, however
these attributes have never been assigned to users. This fix provides registrar users
(users with a hf.Registrar.Roles attribute) the hf.AffiliationMgr and hf.GenCRL attributes,
so that the user has the corresponding permissions.

FABC-911: Suppress duplicate error messages

Unnecessary repeated error message "Failed to remove expired nonces from DB" is now suppressed.

FABC-911: Remove PKCS11 label and pin fields from Fabric CA debug

Remove PKCS11 sensitive label and pin information from Fabric CA debug logs.

Dependency updates

• Bump Go to 1.13.12.
• Bump Fabric baseimage to 0.4.21.

Changes, Known Issues, and Workarounds

None.

Known Vulnerabilities

• FABC-174 Commands can be manipulated to delete identities or affiliations

  This vulnerability can be resolved in one of two ways:

  1. Use HTTPS (TLS) so that the authorization header is not in clear text.

  2. The token generation/authentication mechanism was improved to optionally prevent
     token reuse. In v1.4 a more secure token can be used by setting environment variable:

  FABRIC_CA_SERVER_COMPATIBILITY_MODE_V1_3=false

  However, it cannot be set to false until all clients have
  been updated to generate the more secure token and tolerate
  FABRIC_CA_SERVER_COMPATIBILITY_MODE_V1_3=false.
  The Fabric CA client has been updated in v1.4 to generate the more secure token.
  The Fabric SDKs will be updated by v2.0 timeframe to generate the more secure token,
  at which time the default for Fabric CA server will change to:
  FABRIC_CA_SERVER_COMPATIBILITY_MODE_V1_3=false

Resolved Vulnerabilities

None.

Change log

For the full list of changes, refer to the release change log:
https://github.com/hyperledger/fabric-ca/blob/release-1.4/CHANGELOG.md#v148

Changes:

• 7653f06 Release commit for Fabric CA v1.4.8
• 146b8be Bump Go to 1.13.12
• f8b233c Move StartNonceSweeper out of NonceManager constructor (bp #181) (#182)
• b6aa376 [FABC-912] Remove label and pin from logs
• f96ceb9 Fix the indentation in the NodeOU source code
• b10a159 [FAB-17702] Use a CA
• fcda8bb [FABC-829] Add hf.AffiliationMgr and hf.GenCRL attributes to migrated (#159)
• f9a3427 Prepare for Fabric CA v1.4.8

This list of changes was auto generated.

v1.4.7

v1.4.7 Release Notes - May 14, 2020

Enhancements

• FABC-904: Add Version Endpoint

  Add a /version endpoint to the operations server which returns the current version of the CA.

Dependency updates

• Bump Go to 1.13.9.
• Bump Fabric baseimage to 0.4.20.
• Bump SQLite to January 2020 revision 9bdaffc12bf8be15afceb51bb60851edd4afdff5.
• Bump Fabric BCCSP to April 2020 revision 1f0a0dd5316310d299a02f0588db3f7ec50c965e.

Changes, Known Issues, and Workarounds

None.

Known Vulnerabilities

• FABC-174 Commands can be manipulated to delete identities or affiliations

  This vulnerability can be resolved in one of two ways:

  1. Use HTTPS (TLS) so that the authorization header is not in clear text.

  2. The token generation/authentication mechanism was improved to optionally prevent
     token reuse. In v1.4 a more secure token can be used by setting environment variable:

  FABRIC_CA_SERVER_COMPATIBILITY_MODE_V1_3=false

  However, it cannot be set to false until all clients have
  been updated to generate the more secure token and tolerate
  FABRIC_CA_SERVER_COMPATIBILITY_MODE_V1_3=false.
  The Fabric CA client has been updated in v1.4 to generate the more secure token.
  The Fabric SDKs will be updated by v2.0 timeframe to generate the more secure token,
  at which time the default for Fabric CA server will change to:
  FABRIC_CA_SERVER_COMPATIBILITY_MODE_V1_3=false

Resolved Vulnerabilities

None.

Change log

For the full list of changes, refer to the release change log:
https://github.com/hyperledger/fabric-ca/blob/release-1.4/CHANGELOG.md#v147

Changes:

• 1960b3f Update CI publish target
• a1c4796 Release Fabric CA v1.4.7
• c1e4403 [FAB-17438] Fabric CA Deployment Guide
• 287ea31 Add operations guide to the toc in the release-1.4 branch
• 0a6179f Add support for .md files and variable replacement in /docs
• 56e16da [FABC-904] Add Version Endpoint
• 1dcf373 Back port Operations Guide to release-1.4 branch
• 47c3854 Move AZP file to correct place
• 03f35b4 [FABC-907] Update Go to 1.13
• 5c1b961 Replace LabelHelp with info in doc template

See More

• 15d676f Add metrics doc generation to docs make target
• a4e6a01 Pin fabric dependencies to specific releases
• 789f83c Cleanup vendor.json and bring in bccsp from 1.4
• 5616f18 Update release make targets
• 505df12 Remove call to InitFactories (#108)
• 4e2a19a Prepare for fabric-ca v1.4.7

This list of changes was auto generated.