Hello everyone! Here are the release notes for the most recent updates we’ve made to Duo.
You can subscribe to notifications for new release notes by following the process described here. If you have any questions about these changes, please comment below.
New and updated applications
- CentOS 5 support is deprecated and will be removed in the next release.
- Added support for TLS 1.2.
- Added support for LibreSSL 2.7.0 and up.
- A new package for Ubuntu 18.04 (Bionic Beaver) has been added.
- Minor memory leak fixes.
- Now outputs a message during authentication when a user is locked out.
- Note that releases between 1.10.1. and 1.10.4 contained no code changes.
- The key we use to sign our RPM packages expires September 4. Our newest packages have been signed with a key that extended the expiration date, however in order to take advantage customers will need to import the updated public key with the new expiration into their package management systems. Please see the documentation for more information. You may also want to reference this article in the Knowledge Base and the steps for importing the RPM key.
New features, enhancements, and other improvements
Duo Administrator passwords now validated for domain-specific strings
- Enhanced the security requirements for Duo administrator passwords. Passwords cannot include terms from an administrators name, email address, company name, nor the words “Duo” or “Security”.
Improved Android Trusted Mobile Endpoints workflow
- We have taken new measures to further secure the Trusted Endpoints mobile workflow on Android by no longer using an always-running clipboard service for users authenticating via a WebView (from another app, like Namely). In exchange for better security, users will have to open the Duo Mobile app to start the call out to Duo to see if a device is managed. Then, If the check is successful, Duo Mobile will tell the user to switch back to the calling app.
- The regular use case whereby users are authenticating from a mobile browser (to something like the DAG) will not be altered to tell the user to switch apps. That will continue to function as it does currently.
Synchronized users’ status can now be changed in bulk
- Users synchronized to Duo from an external directory can now have their status changed between “Active” and “Bypass” in bulk actions.
- Synchronized users’ status cannot be changed to “Disabled”.