2.3 Changelogs
v2.3.6
Released: 2025-07-09
All services
Security Fixes
CRITICAL: Removed ingress layer vulnerability that could allow unauthorized access to administrative functions, metrics endpoints, and cluster secrets. This addresses CVE-2021-25742. All users should upgrade immediately.
Updates
Each ESS service makes endpoints available for metrics and health. These endpoints are now available on port 9000 within the cluster. A metrics collector that consumes the prometheus.io metadata annotations will discover the new endpoints automatically. Metrics collectors that are manually configured will need to be adjusted to use the new port. Port 9000 is not accessible from outside the cluster.
v2.3.5
Released: 2025-06-26
All services
Updates
Encryption for messaging was enhanced with an update to the key derivation algorithms. Existing messages remain fully accessible during a migration of the encryption standard.
v2.3.4
Released: 2025-04-28
All services
Internal
Upgraded the ESS base JVM image to UBI 9.
Deployment
Internal
Removed resource constraints from the Keycloak Kubernetes deployment base to improve service stability for Standalone deployments. Additionally, exposed the health endpoint port (9000) from the Kubernetes service.
Solid OIDC Broker
Additions
Added an allow list to the OpenID configuration that identifies trusted clients that will bypass the approval page.
Removals
Responses will no longer serialize null fields in JSON.
v2.3.3
Released: 2025-03-24
Solid OIDC Broker
Updates
Hardens the service against malformed ID tokens. If a token including a null claim is received, that claim is now filtered out of the claim set before processing. Prior to this patch, the service would throw an exception upon processing certain non-spec-compliant values present in the token, in particular if the date was formatted as ISO 8601 instead of the expected timestamp (a behavior observed when using Auth0).
v2.3.2
Released: 2025-01-14
Access Grants
Updates
Makes the Access Grant derive backwards compatible. By default, it will only list access credentials issued with the https://schema.inrupt.com/credentials/v1.jsonld JSON-LD context. For the list to include credentials with the https://schema.inrupt.com/credentials/v2.jsonld context, the client needs to specify this in the request to the derive endpoint.
v2.3.1
Released: 2025-01-10
Access Grants
Updates
Makes the Access Grant issuer backwards compatible. By default, it will issue access credentials with the https://schema.inrupt.com/credentials/v1.jsonld JSON-LD context. To issue a credential with the https://schema.inrupt.com/credentials/v2.jsonld context, the client needs to specify this in the request to the issue endpoint.
v2.3.0
Released: 2024-12-12
Access Grants
Updates
UMA token validation has been strengthened to improve security.
Improved error message in response when a client attempts to use a JSON_LD context that is blocked by the allow/deny list configuration on the Access Grant service.
Supports RFC 9457 in all error responses. This is a breaking change for clients that parse ESS error responses, and they will need to be updated to use the new format. See Error Response documentation for more details.
A new limit has been placed on the maximum number of Client Credentials that can be created for a user in the OpenID service. The default is 10 and can be configured via INRUPT_OPENID_CATALOG_MAX_APP_COUNT.
When you issue an Access Request it will now use the https://schema.inrupt.com/credentials/v2.jsonld JSON-LD context.
Bugs fixed
Ensure that all database resources are explicitly closed.
When sending a verifiable credential without subject or type to the /verify endpoint of the Access Grant service, a proper verification response with status 200 will now be returned instead of the previously returned error response with status 500.
When a malformed request is sent to the /issue endpoint, the resulting log message from the JSON-LD parsing library is now at DEBUG level instead of WARN.
Additions
Purging an agent’s data from the Access Grant service is now supported.
The Access Grant service’s discovery document indicates to clients where a query endpoint can be found.
The new /query endpoint deprecates the /derive endpoint, providing more flexible and performant query capabilities. See Access Grant - /query Endpoint documentation for details.
QPF
Updates
UMA token validation has been strengthened to improve security.
Supports RFC 9457 in all error responses. This is a breaking change for clients that parse ESS error responses, and they will need to be updated to use the new format. See Error Response documentation for more details.
Bugs fixed
Ensure that all database resources are explicitly closed.
To mitigate clickjacking, responses that produce HTML now include a Content-Security-Policy header set to frame-ancestors: 'none', instructing the browser not to render the page in an iframe.
The Query service has been updated to handle claims in the JWT access token that have an invalid format and will now respond with a 401 error response.
Additions
Purging an agent’s data from the Fragments Query service is now supported.
The Query service has been updated to support HEAD requests in an UMA authorization flow.
Storage
Updates
UMA token validation has been strengthened to improve security.
Supports RFC 9457 in all error responses. This is a breaking change for clients that parse ESS error responses, and they will need to be updated to use the new format. See Error Response documentation for more details.
Bugs fixed
Ensure that all database resources are explicitly closed.
Additions
Purging an agent’s data from the Storage service is now supported.
Audit
Bugs fixed
Ensure that all database resources are explicitly closed.
Removals
Removed rsyslog base. Refer to your company’s policies regarding syslog configuration preferences and practices. In addition, the default value for INRUPT_AUDIT_SYSLOG_PROTOCOL has changed from TCP to SSL_TCP.
Updates
Audit messages now consistently include the value ‘Application-Defined Request Metadata’ instead of ‘Application Defined Request Metadata’.
Authorization
Bugs fixed
Ensure that all database resources are explicitly closed.
Updates
Supports RFC 9457 in all error responses. This is a breaking change for clients that parse ESS error responses, and they will need to be updated to use the new format. See Error Response documentation for more details.
Changed an invalid URI log message that was previously logged at ERROR level so that it is now logged at DEBUG level.
Additions
Purging an agent’s data from the Authorization service is now supported.
OpenID
Bugs fixed
Ensure that all database resources are explicitly closed.
To mitigate clickjacking, responses that produce HTML now include a Content-Security-Policy header set to frame-ancestors: 'none', instructing the browser not to render the page in an iframe.
Removed a message from the application registration page which suggested that no applications were registered even when some were.
Removals
References to PodBrowser have been removed from the OpenID home page and Start (onboarding) application.
Additions
Purging an agent’s data from the Openid service is now supported.
Additional fields have been added to error responses. As they are only additions this is not considered a breaking change, but if a client parses the error responses it is advised that they are checked against the new format. See Error Response documentation for more details.
Updates
Improved validation of client-supplied HTTP request bodies at the registration endpoint.
UMA
Bugs fixed
Ensure that all database resources are explicitly closed.
Updates
Additional fields have been added to error responses. As they are only additions this is not considered a breaking change, but if a client parses the error responses it is advised that they are checked against the new format. See Error Response documentation for more details.
WebID
Bugs fixed
Ensure that all database resources are explicitly closed.
Remediated a potential cross-site scripting issue in the WebID editor.
Updates
Supports RFC 9457 in all error responses. This is a breaking change for clients that parse ESS error responses, and they will need to be updated to use the new format. See Error Response documentation for more details.
The provision endpoint performs additional validation on client-supplied URIs.
Additions
Purging an agent’s data from the WebID service is now supported.
Notifications
Updates
Supports RFC 9457 in all error responses. This is a breaking change for clients that parse ESS error responses, and they will need to be updated to use the new format. See Error Response documentation for more details.
Start
Updates
Supports RFC 9457 in all error responses. This is a breaking change for clients that parse ESS error responses, and they will need to be updated to use the new format. See Error Response documentation for more details.
Bugs fixed
To mitigate clickjacking, responses that produce HTML now include a Content-Security-Policy header set to frame-ancestors: 'none', instructing the browser not to render the page in an iframe.
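The clickjacking mitigation listed above for the Query, OpenID and Start services can be verified from the client side. The following is an added example (not ESS code): it parses Content-Security-Policy headers and reports whether the response forbids framing. Note that on the wire a CSP directive is a name followed by a space-separated source list, i.e. the header value reads frame-ancestors 'none'; the sample responses are constructed for illustration.

```python
# Added example (not ESS's own code): check whether an HTML response's
# Content-Security-Policy headers forbid rendering the page in a frame.

def parse_csp(header_value: str) -> dict:
    """Parse one Content-Security-Policy value into {directive: [sources]}.

    Directives are ';'-separated, names are case-insensitive, and a
    directive repeated within one policy is ignored after its first use.
    """
    policy = {}
    for token in header_value.split(";"):
        parts = token.split()
        if not parts:
            continue
        policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def forbids_framing(headers: list) -> bool:
    """True if the enforced CSP headers prevent rendering in any frame.

    `headers` is a list of (name, value) pairs as received. A response may
    carry several CSP headers, each enforced independently, so a single
    policy whose frame-ancestors is exactly 'none' is enough. The
    Report-Only header is deliberately not counted: it blocks nothing.
    """
    for name, value in headers:
        if name.lower() != "content-security-policy":
            continue
        sources = parse_csp(value).get("frame-ancestors")
        if sources is not None and [s.lower() for s in sources] == ["'none'"]:
            return True
    return False


# Constructed sample responses: one hardened, two that still allow framing.
HARDENED = [("Content-Type", "text/html"),
            ("Content-Security-Policy", "frame-ancestors 'none'")]
WEAK_WILDCARD = [("Content-Type", "text/html"),
                 ("Content-Security-Policy", "default-src 'self'; frame-ancestors *")]
WEAK_MISSING = [("Content-Type", "text/html")]
```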
Removals
References to PodBrowser have been removed from the OpenID home page and Start (onboarding) application.
Deployment
Removals
Support for configuring an ESS installation via environment variables has been removed. Configuration via inputs remains the supported approach.
The descheduler has been removed from ESS deployment bases. Customers should access it directly from the descheduler project.
Support for old Kafka messages encrypted with the AES/CBC/PKCS5Padding cipher, which was replaced and deprecated in 2.2, has now been removed.
Bugs fixed
The ess-verifiable-credentials deployment was not using the correct service certificate for inter-service communication.
Updates
Set securityContext.runAsNonRoot to true on all ESS services (Deployment, CronJobs and Jobs) in deployment definitions to prevent the containers starting as the root user.
Set securityContext.runAsNonRoot to true on all non-ESS services (Deployment, CronJobs and Jobs) in deployment definitions to prevent the containers starting as the root user. In the ESS Standalone overlay, Postgres and Minio containers have been changed to run as non-root users.
The applications that comprise the Enterprise Solid Server run on Java 21.
In the standalone deployment, third-party dependencies have been upgraded. Kafka to 3.8, Keycloak to 26, and PostgreSQL to 17. Note that the PostgreSQL instances will not auto-upgrade to the new version so you must either upgrade your instances following the PostgreSQL guidance or remove your existing databases and let the system create new ones.
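The runAsNonRoot change above is easy to regress through a container-level override, so an operator may want to audit rendered manifests after an upgrade. The following is an added example (not ESS deployment code): it walks Deployment, Job and CronJob objects, the three workload kinds the changelog names, and lists every container whose effective runAsNonRoot is not true. The manifests are constructed samples with hypothetical names.

```python
# Added example (not ESS's own code): audit rendered Kubernetes workload
# manifests for the securityContext.runAsNonRoot hardening described above.
# Where the pod spec sits for each workload kind the changelog names.
POD_SPEC_PATH = {
    "Deployment": ("spec", "template", "spec"),
    "Job": ("spec", "template", "spec"),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "spec"),
}

def _dig(obj, path):
    """Walk nested dicts along `path`; return None if any key is missing."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def root_capable_containers(manifest: dict) -> list:
    """Names of (init)containers that may still start as root.
    A container-level runAsNonRoot overrides the pod-level one; unless the
    effective value is True, the kubelet will start the image as UID 0."""
    kind = manifest.get("kind")
    if kind not in POD_SPEC_PATH:
        raise ValueError(f"unsupported kind: {kind}")
    pod_spec = _dig(manifest, POD_SPEC_PATH[kind]) or {}
    pod_default = (pod_spec.get("securityContext") or {}).get("runAsNonRoot")
    offenders = []
    for c in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        own = (c.get("securityContext") or {}).get("runAsNonRoot")
        if (pod_default if own is None else own) is not True:
            offenders.append(c["name"])
    return offenders

# Constructed sample manifests (hypothetical names, not real ESS objects).
WEAK_DEPLOYMENT = {
    "kind": "Deployment", "metadata": {"name": "example-svc"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "app", "image": "example/app:1"}]}}},
}
HARDENED_CRONJOB = {
    "kind": "CronJob", "metadata": {"name": "example-purger"},
    "spec": {"jobTemplate": {"spec": {"template": {"spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [
            {"name": "purge", "image": "example/purger:1"},
            # A per-container override silently re-enables root here.
            {"name": "debug", "securityContext": {"runAsNonRoot": False}},
        ]}}}}},
}
```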
Purger
Additions
An operator now has the ability to purge all of a user’s personal data from ESS.