
Releases: Netflix/lemur

v1.9.2

10 Jun 18:50
4afd730


  • Fixed ACME acme_url SSRF (GHSA-v2wp-frmc-5q3v) where a user-supplied directory URL was fetched
    server-side with no validation, allowing IMDS and internal network access. acme_url is now validated
    against ACME_DIRECTORY_HOST_ALLOWLIST at authority creation time. Default allowlist covers Let's Encrypt
    prod/staging and GTS; operators extend it via config for internal or additional ACME CAs.
  • Enhanced private key export audit log (GHSA-v2wp-frmc-5q3v) to record access_via (creator vs. rbac),
    creator_id, and current_owner on every /certificates/<id>/key fetch, making post-ownership-transfer
    creator access visible in the audit trail.
  • Fixed JWT algorithm confusion vulnerability (GHSA-r9gp-7f88-9r54) where the JWT verifier accepted the
    algorithm name from the unverified token header instead of pinning it server-side. The server now reads
    the accepted algorithm list from LEMUR_TOKEN_ALGORITHMS (defaults to ["HS256"], which is the only
    algorithm Lemur has ever used to issue tokens). Deployments that have not changed the default are fully
    backward-compatible with no config change required.
  • Fixed post-authentication SSRF (GHSA-54vg-pfh7-jq95) where CRL Distribution Point and OCSP responder URLs
    extracted from uploaded certificate extensions were used as network destinations without validation. Both
    crl_verify and ocsp_verify now reject RFC1918, loopback, and link-local destinations before issuing
    outbound requests. Operators may optionally configure LEMUR_TRUSTED_CRL_HOSTS and LEMUR_TRUSTED_OCSP_HOSTS
    allowlists. The module-level crl_cache is now bounded to 1000 entries to prevent unbounded cache growth.
  • Fixed plaintext password storage vulnerability (GHSA-q437-g7fv-2jvv) where
    users.service.update() wrote new passwords to the database without hashing. The
    before_update SQLAlchemy event listener was missing, so the bcrypt hash applied
    on insert was bypassed on every admin-driven password reset via PUT /api/1/users/<id>.
    Passwords are now hashed before update. Any reset password should be treated
    as compromised and rotated. Run lemur rehash_passwords after upgrading to
    detect and re-hash any cleartext passwords already in the database.
  • Fixed privilege escalation (GHSA-x3vf-mgxj-7785) where any member of a role could rewrite that role's membership
    list, rename the role, or add arbitrary users via PUT /api/1/roles/<id>. The endpoint now requires admin
    permission, consistent with the existing DELETE /api/1/roles/<id> handler.
  • Corrected the GHSA-qcqw-jwxc-2hqg fix from 1.9.1. The original fix changed LEMUR_STRICT_ROLE_ENFORCEMENT to
    default True, which broke normal user operations (certificate issuance, notification management, etc.) for
    any deployment where users are assigned custom group roles rather than the built-in admin or operator
    roles. By design, Lemur allows any authenticated user to perform write operations; the read-only role is an
    explicit opt-in restriction for users who should only have read access. The correct fix targets only that case:
    StrictRolePermission now explicitly denies identities carrying the read-only role, regardless of the flag
    value, while permitting all other authenticated users. LEMUR_STRICT_ROLE_ENFORCEMENT is reverted to default
    False; setting it to True restricts write access to admin and operator only, as before.
    ADMIN_ONLY_AUTHORITY_CREATION remains True (authority creation is an admin action).
    Note that by design, any authenticated user (not assigned read-only) retains write access
    to notifications, certificate upload, and domain management. Operators in higher-risk environments
    should evaluate LEMUR_STRICT_ROLE_ENFORCEMENT = True to restrict these operations to admin
    and operator users. See the LEMUR_STRICT_ROLE_ENFORCEMENT documentation for details.
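
The pinned-algorithm check behind the GHSA-r9gp-7f88-9r54 fix, as an added illustration (example code written here, not Lemur's own verifier): the accepted list is read from a server-side setting and the token header's alg only has to match it, never choosing the verification routine. SECRET, TOKEN_ALGORITHMS and the function names are assumptions; only the standard library is used.

```python
import base64
import hashlib
import hmac
import json

# Constructed secret and allowlist for this demonstration. In Lemur the accepted
# list comes from the LEMUR_TOKEN_ALGORITHMS setting, which defaults to ["HS256"].
SECRET = b"constructed-demo-secret"
TOKEN_ALGORITHMS = ["HS256"]

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(payload: dict, secret: bytes = SECRET) -> str:
    """Issue an HS256 token, the only algorithm this server ever signs with."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def verify_token(token: str, secret: bytes = SECRET, algorithms=TOKEN_ALGORITHMS) -> dict:
    """Verify using only server-pinned algorithms; return payload or raise ValueError.
    The header's alg is checked against the allowlist but never selects the
    verification routine, so "none" or any unpinned value is refused up front."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, json.JSONDecodeError):
        raise ValueError("malformed token")
    if not isinstance(header, dict) or header.get("alg") not in algorithms:
        raise ValueError("token algorithm is not permitted")
    if header["alg"] != "HS256":
        raise ValueError("this example implements HS256 only")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(_b64url_decode(body_b64))

def token_is_valid(token: str) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        verify_token(token)
        return True
    except ValueError:
        return False
```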

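An added outbound-destination check (example code, not Lemur's crl_verify or ocsp_verify) covering both the ACME directory allowlist and the CRL/OCSP private-range rejection described above. FAKE_DNS, resolve and is_safe_destination are names invented here, and the resolver table is constructed so the block runs offline; it goes slightly beyond the listed ranges by refusing any address the ipaddress module does not classify as global.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed resolver table so the example runs offline. A real check would
# use socket.getaddrinfo and validate every address it returns.
FAKE_DNS = {
    "ocsp.example-ca.test": ["8.8.8.8"],
    "crl.corp.internal": ["10.20.30.40"],
    "rebind.example.test": ["1.1.1.1", "169.254.169.254"],
}

def resolve(host: str, table=FAKE_DNS) -> list:
    """Return the addresses for host: literal IPs pass through, names hit the table."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return table.get(host, [])

def is_safe_destination(url: str, trusted_hosts=(), allowlist_only=False, resolver=resolve) -> bool:
    """Decide whether an outbound fetch to url may be issued.

    trusted_hosts is the operator allowlist (LEMUR_TRUSTED_CRL_HOSTS style when
    allowlist_only is False, ACME_DIRECTORY_HOST_ALLOWLIST style when True).
    Every resolved address must be globally routable: RFC1918, loopback,
    link-local (which includes the 169.254.169.254 metadata address) and the
    other special-purpose ranges are refused, and one bad address among
    several is enough to refuse the whole host.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.lower()
    if host in {h.lower() for h in trusted_hosts}:
        return True
    if allowlist_only:
        return False
    addrs = resolver(host)
    if not addrs:
        return False
    return all(ipaddress.ip_address(a).is_global for a in addrs)
```
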
v1.9.1

28 May 17:19
f478458


  • Fixed authorization bypass (GHSA-qcqw-jwxc-2hqg) where StrictRolePermission and AuthorityCreatorPermission
    granted access to any authenticated user on default Lemur installs. Both LEMUR_STRICT_ROLE_ENFORCEMENT and
    ADMIN_ONLY_AUTHORITY_CREATION now default to True (fail-closed). Existing installs that explicitly set
    either flag to False are unaffected.

v1.9.0

28 Apr 00:10
f59087a


This release contains fixes for two security vulnerabilities (GHSA-3r34-vq8m-39gh, GHSA-vr7c-r5gj-j3w5).

  • Fixed a bug where the old certificate was not removed from an endpoint after rotation.
  • Added GcsDestinationPlugin, which allows uploading certificates to Google Cloud Storage.
  • Fixed a bug where rotation notifications did not include endpoint context.
  • Fixed AttributeError when running lemur CLI commands without a config file.
  • Added ENABLE_AUTOROTATION_FILTER: a configurable, plugin-independent callback that can be used to skip enabling autorotate based on your specific business logic. For example, you could disallow enabling autorotate on certs with notifications disabled.
  • Added REISSUE_FILTER: a configurable, plugin-independent callback that can be used to reject reissuance requests based on your specific business logic. For example, you could disallow reissuing certs on abandoned ELBs.
  • Added AWS_ELB_IGNORE_TAGS to allow multiple ELB tags to be ignored.
  • Added support for ignoring CloudFront distributions and IAM certificates via the AWS_CLOUDFRONT_IGNORE_TAGS and AWS_IAM_IGNORE_TAGS config options.
  • Added ENABLE_AUTO_ROTATE_ALL_AUTHORITIES configuration to allow all authorities to be considered for destination autorotate task.
  • Added CERTIFICATE_UPDATE_REQUEST_VALIDATION: a configurable, plugin-independent callback that can be used to reject requests based on your specific business logic. For example, you could disallow certs with rotate set and no destinations to reduce volume of unused certs.
  • Added CERTIFICATE_CREATE_REQUEST_VALIDATION: a configurable, plugin-independent callback that can be used to reject requests based on your specific business logic. For example, you could disallow certs with rotate set and no destinations to reduce volume of unused certs.
  • Added CERTIFICATE_EXPORT_KEY_REQUEST_VALIDATION: a configurable, plugin-independent callback that can be used to reject private key export requests based on your specific business logic. For example, you could block specific API keys from exporting private keys for migrated certificates.
  • Added the disable_autorotate_without_endpoint celery task, along with a customizable DISABLE_AUTOROTATION_FILTER function you can use to determine when to disable autorotate. By default, nothing will be changed by this task when scheduled.
  • Added a new API endpoint /certificates/{certificate_id}/description for updating just the description field of a certificate, avoiding the need to provide the full certificate object for simple description updates.
  • Removed support for Postgres 12, Postgres 15, Python 3.9, and Ubuntu 20.04. Added support for Postgres 16.

v1.8.2

11 Jun 16:44
83ec6d5


What's Changed

Full Changelog: v1.8.1...v1.8.2

v1.8.1 Release

20 May 21:19
cd18f14


See the CHANGELOG for more details.

v1.8.0 Release

20 May 17:10
a7d008d


See the CHANGELOG for more details.

v 1.7.0 release

17 Jan 19:18
35b9982


See the CHANGELOG for more details.

v 1.6.0 release

23 Oct 21:10
59653f0


See the CHANGELOG for more details.

v1.5.0 Release

05 Jul 22:37
e82582f


See the CHANGELOG for more details.

v1.4.0 Release

04 Apr 20:35
1588c65


See the CHANGELOG for more details.