6.3.18.b2532

• Upgrade Tomcat to 10.1.42 to resolve CVE-2025-46701, CVE-2025-48988, CVE-2025-49125, CVE-2025-49124, CVE-2025-48976.
• Minor bug fixes

6.3.16.b2529

• Upgrade Tomcat to 10.1.39 to resolve CVE-2025-24813
• Updated /etc/WiKID/log4j2-syslog.xml

6.3.15.b2526

• Upgrade Tomcat to 10.1.34 to resolve CVE-2024-50379, CVE-2024-54677 and CVE-2024-56337

6.3.12.b2523

• Upgrade Tomcat - fix for CVE-2024-38286 Apache Tomcat - Denial of Service.

6.3.10-b2521

• Fix for potential issue with firewall

6.3.9-b2517/5.4.8-b2651

• NB: Version 5 and 6 are functionally equivalent, but have different packages as 5 is for RHEL/Centos 7 & 8 and version 6 is for RHEL 9.  Version 5 is EOL!
• Tomcat updated CVE-2024-34750
• Improvements in firewall handling (see /opt/WiKID/docs/firewall.txt)
• Bug fixes and improvements
• (Does not yet include a fix for Blast-radius)

Java tokens 5.5.1

• Updated the bundled JRE to 11
• Fixed an issue where domainOveride and useIPBeforeDNS  weren't getting picked up in jw.properties

6.3.5-b2510/5.4.6-b2650

• NB: Version 5 and 6 are functionally equivalent, but have different packages as 5 is for RHEL/Centos 7 & 8 and version 6 is for RHEL 9.
• Security updates for tomcat

6.3.2-b2506/5.4.5-b2557

• NB: Version 5 and 6 are functionally equivalent, but have different packages as 5 is for RHEL/Centos 7 & 8 and version 6 is for RHEL 9.
• ISO moved to Rocky 9.3
• Improved support for Hyper-V. 
• Fix for certain users getting deleted after three years
• Numerous bug fixes and improvements
• Tokens with bundled JRE updated to java 1.8

6.2.2-b2402/5.4.4-b2545

• NB: Version 5 and 6 are functionally equivalent, but have different packages as 5 is for RHEL/Centos 7 & 8 and version 6 is for RHEL 9.
• Additional logging for key exchange
• Fix for not recognizing RHEL as OS
• Fix for tokens/registrations expiring too early

6.2.0-b2401/5.4.0-b2556

• NB: Version 5 and 6 are functionally equivalent, but have different packages as 5 is for RHEL/Centos 7 & 8 and version 6 is for RHEL 9.
• RPM now includes an SBOM in /opt/WiKID/.  Please see this blog post for more information
• Numerous librarys updates for security patches
• Numerous bug fixes and improvements
• Improved database handling
• Systemd support added.

6.1.4-b2324/5.3.5-b2541

• NB: Version 5 and 6 are functionally equivalent, but have different packages as 5 is for RHEL/Centos 7 & 8 and version 6 is for RHEL 9.
• Updated tomcat version to 10.1.14/8.5.95
• Add group functions to wClient and wClientREST APIs
• Minor bug fixes and improvements

6.1.3-b2540/5.3.4-b2540

• NB: Version 5 and 6 are functionally equivalent, but have different packages as 5 is for RHEL/Centos 7 & 8 and version 6 is for RHEL 9.
• Updated tomcat version to 10.1.13/8.5.94
• Change wAuth to return DB connections to the pool after a period of time
• Use a custom TrustManager for authentication
• Fix case where the SSL context wasn't properly initialized
• Add the client IP address to invalid cert connection error message

6.1.2-b2323/5.3.3-b2539

• NB: Version 5 and 6 are functionally equivalent, but have different packages as 5 is for RHEL/Centos 7 & 8 and version 6 is for RHEL 9.
• Updated tomcat version to 10.0.23
• Minor library upgrades
• Minor bug fixes

6.1.0-b2323/5.3.2-b2537

• NB: Version 5 and 6 are functionally equivalent, but have different packages as 5 is for RHEL/Centos 7 & 8 and version 6 is for RHEL 9.
• Move migrartor to the command line.  You can now run it as "migrator unpack' in the same directory as the zip file.
• Minor DB tweeks
• Update libs to match 5.x version

6.1.0-b2321/5.3.2-b2537

• NB: Version 5 and 6 are functionally equal, but have different packages as 5 is for RHEL/Centos 7 & 8 and version 6 is for RHEL 9.
• Update tomcat to 8.5.87
• Added key exchange protocol for clients not yet on RSA
• Various bug fixes and improvements

6.0.2-b2320

• NB: Version 5 and 6 are functionally equal, but have different packages as 5 is for RHEL/Centos 7 & 8 and version 6 is for RHEL 9.
• Fix for missing ipcalc (please install ipcalc if it is missing)
• Removed references to dbmigrate
• Bug fixes in pre-registration process

5.2.2-b2102

• NB: Version 5 and 6 are functionally equal, but have different packages as 5 is for RHEL/Centos 7 & 8 and version 6 is for RHEL 9.
• Updated tomcat version for security vulnerabilityCVE-2022-4288.
• Syntax fix for recognizing Postgresql versions.
• Remove TLS v1.
• Minor bug fixes.

6.0.1-b2319

• Fixed java encryption bug that blocked opening the intermediate CA after java upgrade

6.0.1-b2318

• ISO updated to Rocky 9
• Released migrator.jar to facilitate upgrades
• Upgraded tomcat, postgres and other supporting software
• Upgrade to Log4j 2.19.0
• upgraded to firewalld
• Security updates

5.2.1-b2099

• Security update
• Remove TLS 1
• Upgrade tomcat to 8.5.76 for various security flaws

5.2.0-b2097

• URGENT.  Fix for timecop issue that caused passcode to not expire properly.

5.1.7-b2093

• The Log4J update number four!  log4j-2.17.1   See https://logging.apache.org/log4j/2.x/security.html

5.1.6-b2092

• The Log4J update number three - log4j-2.17.0   For the record, we do not think we were vulnerable to this attack.  See https://logging.apache.org/log4j/2.x/security.html.

5.1.5-b2091

• The Log4J update number two.   For the record, we do not think we were vulnerable to this attack. See https://www.zdnet.com/article/second-log4j-vulnerability-found-apache-log4j-2-16-0-released/. Again, we should not be vulnerable to this attack.  JDNI is not installed on the server.
• Networking fix in setup script - properly set gateway and DNS.

5.1.4-b2090

• The Log4J update!  For the record, we do not think we were vulnerable to this attack.
• Upgrade various libraries for security updates, including Log4J, java, tomcat, resteasy, postgresql-jdbc, libtiff, Google Gauva, nss.

5.0.3-b2082

• Fix for failed derby starts which could affect logging

5.0.2-b2077

• Bug fix for CSRF function on adding administrators

5.0.1-b2072

• Bug fix for missing native Active Directory protocol
• Fix for "otp_complexity" bug.  Assure that field is created during upgrades.

5.0.1-b2071

• Addition of RESTful wClient API
• Numerous performanace improvements, especially for large user databases
• Support for PostgreSQL 9,10 and 11.
• Updated Tomcat server
• Support for external postgres database
• Improved logging system
• Increase network client key strength to 4096
• Set network client key expiration to match intermediate cert
• Updated radius libaries
• Direct issue certificates for white label customers
• Bug fix for licence miscount

4.2.0-b2053

• Fix for potential Cross-site scripting attacks in the WiKIDAdmin WebUI

4.2.0-b2047

• Fix for potential SQL Injection on searchDevices.jsp

4.2.0-b2032

• Detect null socket in wClient and reconnect to avoid NPE stacktrace
• Fix for WiKIDAdmin password output
• Update radius jar file
• Minor bug fixes

4.2.0-b2028

• Update radius library.
• Fix for quick-config tool.
• Fix exception on eap type for non radius NCs.
• Bash script fixes (chown errors).

4.2.0-b2023

• Fix for LEAP RADIUS support and NetMotion 2FA integration.

4.2.0-b2020

• Fix for JVM crash after updating kernel.  Kernel update for CVE-2017-1000364 cause JVM to crash.  Expanded thread stack to fix.

4.2.0-b2016

• Security fix for AD Protocol.  In some instances, the string used to overwrite the passcode failed Windows complexity requirements and the over-write failed and the passcode remained the password.  This fix assures that the string meets Windows complexity requirements.

4.2.0-b2014

• Fix for wClient API > register a user with a pre-registration code without a group membership
• Fix for the radius service not stopping properly

4.2.0-b2007

• Fixes memory leak in wAuth API
• Improved certificate validation for wAuth API
• Support for Centos/RHEL 7
• Dropped support for Centos/RHEL 5 and 32-bit platforms (Centos 5 security updates stop March 2017)

4.2.0-b1984

• Fixed SQL updates scripts.  Fix for missing AD column.
• Add the expiration date patch to timecop to avoid older users/devices being deleted.
• Add device last_activity to token data in wClient API

4.2.0-b1981

• Fix for missing links to add and delete WiKIDAdmin users
• Update for API to better reflect 'last activity'.

4.2.0-b1978

• Completely updated UI for the WiKIDAdmin web interface.
• There's no longer a default password for the WiKIDAdmin (run '/opt/WiKID/sbin/update_wikidadmin_passwd.sh -f' to force a change).  It is created during setup.
• Added templated for logging into the WiKIDAdmin using Active Directory creds, see https://www.wikidsystems.com/support/installation-how-tos/how-to-use-ad-for-wikidadmin-access/.
• Fix wAuth API for complex passwords.
• Return multiple RADIUS attributes if a user is in multiple groups.
• Pre-registration can add a user to a group.

4.1.0-b1955

• Make the one-time passwords for Active Directory meet complexity requirements
• Enable complex one-time passcodes for Active Directory protocol

4.1.0-b1949

• Improved security for the WiKIDAdmin interface, SQLi protections
• Add Owasp ESAPI library support
• Style tweeks and minor UI fixes

4.1.0-b1941

• You can now add a 2nd token to an existing user much more easily. Just use the Manually Add a Token page. No need to use the API.
• There is now  an AD Password reset option - allows AD users to login once with two-factor authentication and then be forced to change their password.
• Improved tomcat security headers for XSS, nosniff and X-Frame options

4.1.0-b1926

• Added native Microsoft Windows two-factor authentication protocol

4.0.2-b1921

• Add logging for WiKID user and device events
• Fix User-agent mapping for Android/BlackBerry and older Android only
• Update debian dependencies to Java 8
• Logging improvements for admins, users

4.0.1-b1821

• Minor UI text changes to clarify new CA system
• Fix for Select All button on User's tab

4.0.1-b1821

• Minor UI text changes to clarify new CA system
• Fix for Select All button on User's tab

4.0.2-b1917

• Fix User-agent mapping for Android/BlackBerry
• Update last activity to include passcode requests
• Update debian dependencies to require Java 8

4.0.1-b1905

• Update to tomcat 8 - NB: requires Java 8
• Fix user counting for users with multiple device registrations.
• Change certs to SHA256

4.0.1-b1906

• Remove references to certs being emailed.

4.0.1-b1817

• Bug fix for DB Connection errors/leaks that could lead to server freezes
• Upgrade db drivers
• Updates to loggers to remove poor warnings

4.0-B1803

• Bug fix for error on Pre-registration page
• Known issue: Your list of pre-registered users may not display. Export to see them or pre-register one user and they should display.

4.0-B1798

• Bug fix for Blank page on Certificate Signing request page
• Bug fix for quick-start setup and Cert upgrade process

4.0-B1787

• Added quick-start configuration option to command line
• Moved to new Certificate and license management system
• Certificate expiration and other warnings
• Enabled Radius by default
• Many small improvements

3.6.0-B1672

• Extend expiration of registered devices
• Fixed bug in null user search
• Improvements to support jar
• Minor UI bug fixes

3.6.0-b1659

• Fixed UI bug where domain name change didn't show in Users list
• UI now shows Enabled/Disabled on Users list
• Fixed bug where domain name change added a '+' for a space (requires 3.1.30 token)

3.5.0-b1580

• J2SE token checks for domain name changes.
• Add user-token report with duplicates pre-fixed with DUP and case ignored.
• Change "Passcode is not a number" to info level logging.
• Added support.jar as an optional support data collector.
• User count on home page is case-insensitive.

3.5.0-b1542

• Performance tuning for high-volume servers with a large number of users.
• Make System.out logs dependent on the log4j setting
• Fixed the 'null' note in edit user
• Pagination and filters added to user page.
• Improved user search. The overall user search function at the top is now a substring search.
• Improved logging.
• Pagination added to log page.

3.5.0-b1472

• Better logic for finding a JDK; also report launch errors in a better way
• Updates to address ldap and sudo issues

3.5.0-b1438

• Set maxlength on radius secret to 128
• comment out unneeded tac_plus build

3.5.0-b1428

• Update for handling CA cert expiration
• Updated arch-setup code
• Updated Utilities RPM - Please update both RPMs.

3.5.0-b1421

• Fix an issue where pre-registration codes were not visible

3.5.0-b1411

• Disable unnecessary HTTP methods

3.5.0-b1403

• Change text back to localhost.p12 and passphrase to match documentation
• Remove weak SSL ciphers for PCI compliance

3.5.0-b1373

• Fix minor typo
• Fix for radius config

3.5.0-b1359

• Enforce password complexity on WiKIDAdmin for PCI Compliance
• Moved Registered URL to bottom. Added link explaining mutual https authentication.
• Simplified radius config options.

3.5.0-b1359

• Enforce password complexity on WiKIDAdmin for PCI Compliance
• Moved Registered URL to bottom. Added link explaining mutual https authentication.
• Simplified radius config options.

3.5.0-b1373

• Fix minor typo
• Fix for radius config

3.5.0-b1403

• Change text back to localhost.p12 and passphrase to match documentation
• Remove weak SSL ciphers for PCI compliance

3.5.0-b1352

• Fixed EAPMD5 issue where the server would validate the passcode but client would still fail
• Fix a bad registration code killing the wClient connection
• Added the ability to update a users "note" via the API
• Fixed valid OTP rejected after invalid OTP is given - radius only
• Fixed issue with mutual https authentication

3.5.0-b1342

• Upgraded Tomcat to version 7
• Add log4j to tomcat libs for clean shutdown
• Fix for radius reports MESSAGE AUTHENTICATOR IS INCORRECT
• Fix for Sorting by Type & Last Activity on user page result in blank page
• Run WiKID as non-Root user (wikid)
• Updates to compile with gcc3
• Release of 64-bit Utitilies RPM
• Add new pre-registration mode for multi-server pre-registration
• Better handling of various java installs
• Fix for MD5 radius errors
• Updated Radius plugin

3.4.87-b1159

• Edit Username after registration
• Token Type listed in User Tab
• Add note to user/token
• Improved Radius start time
• Client port restriction update
• Allow multiple groups per user
• Option to automatically re-enable users after certain time period
• Schema update to support multiple group assignment and precedence.
• Query the database to retrieve a full list of users for audit purposes

3.4.87-b1092

• Added the ability to create pre-registration codes via the wClient API.
• Fix an issue where a null group name is converted to a string literal "null".
• Allow overriding an existing pre-registration.
• Fix a typo where missing quotes broke the jsp
• Update example.jsp documentation
• Fix an issue where a null values were converted to a string literal "null".
• Throw an IllegalArgumentException if you try to set the userid to null
• Make radius return non-string attribute values when appropriate.
• Added a service script in /etc/WiKID/conf/templates
• query they database to retrieve a full list of users for audit purposes
• Fixed issue causing server to freeze occasionally, especially under replication
• Fixed issue causing bad password attempts to not be counted properly
• Add an API call to delete a device by ID
• Added Reports

3.4.87-b839

• Disable domain caching
• correct oss/enterprise bracketing
• Added the ability to create pre-registration codes via the wClient API (see example.jsp)

3.4.87-b824

• Example 2-Factor app using wClient
• fix lingering old ldap ports
• New home for ruby client
• Comment out dedicated domain code
• make sure root owns the files
• SRVTHREE-2 - Multiple pre-registration for a single token
• Allow the same username across pre-registration domains and add domain column to display
• Domains can be limited to locked, wireless or locked & wireless software tokens
• Fix android wireless detection bug.

• Fix a bug that equated the selection of wireless tokens to locked tokens.

3.4.85-b780

• Fix broken Unicode in portuguese brazilian translation
• make path to dpkg explicit
• fix typo in build script
• added %dir to /bin of the spec file for usogres inclusion
• Update radserver jar (Fixes slow radius start bug)
• Update build file to add wClient jar
• Example for using wClient

3.4.81-b676

• Fixes for AD self-registration scripts.
• Removed $JAVA_HOME/bin/ from the keytool command for openjdk compatibility
• Fix missing imports statements
• Automatically delete registration codes when deleting the associated domain. - Fixes "unable to delete domain bug".
• Catch integrity violation in dbmigrate11 that was preventing subsequent DB updates.
• Added the ability to create pre-registration codes via the wClient API.