v3.11.1 ~ Birdie (ce)

Release date: March 3rd, 2023.

This is a small maintenance release addressing community reported issues related to the recently introduced Duo v4 support.

This release also includes a security fix for the browser extension to mitigate clickjacking attacks discovered during an independent security audit of the API and browser extension by Cure53. As always, detailed findings will be published on our dedicated incident page soon.

Thank you to the members of the community who’ve reported issues and helped us fix them.

API

Fixed

• PB-23283 As an administrator I can disable username validation in Duo Callback endpoints

Browser extension

Security

• PB-23328 PBL-08-001 WP2 Credentials Leakage via Clickjacking - As a signed-in user I should not be able to open the application iframe in an untrusted parent frame
• PB-23327 PBL-08-001 WP2 Credentials Leakage via Clickjacking - As a signed-in user I should not be able to open the quickaccess in an iframe