...
- Security: cross-site scripting (XSS) fixes — Some cross-site scripting issues were fixed in various parts of the application. These could only be exploited by administrative staff (e.g., timetablers or application administrators) and are therefore classified as low risk.
- Security: anti-clickjacking headers added — X-Frame-Options and Content-Security-Policy headers were added to the application to prevent clickjacking attacks.
- Security: SAML SHA2 support — The SAML authentication provider now supports SHA-256, SHA-384 and SHA-512 signatures. More information about the configuration can be found on the /wiki/spaces/MYTT/pages/3099656239 page.
- Google Calendar push synchronisation fixes — Some issues where user-modified events stopped updating were fixed in the Google Calendar sync.
- Unique API token identification — A unique identifier was added to API tokens and to the logging, to better allow identification of API users with duplicate names.
- Version number removed — The MyTimetable version number was removed from publicly available pages, as it is not very useful to the end user and allows an attacker to more easily identify the version of the software in use.
- Various dependencies were updated:
  - Spring (4.3.1617)
  - Spring Integration (4.3.1516)
  - Spring Security (4.2.56)
  - Spring Security SAML (1.0.4)
  - Jackson (2.9.4)
  - Gradle (4.6)
  - OpenCSV (4.1)
  - GWT (2.8.2)
...