Release 1.2.0

pitbulk · pitbulk · commit af7378487b9d · 2016-10-14T16:55:18.000+02:00
diff --git a/README.md b/README.md
@@ -12,6 +12,16 @@ and supported by OneLogin Inc.
 
 This version supports Python3, There is a separate version that only support Python2: [python-saml](https://pypi.python.org/pypi/python-saml) 
 
+#### Warning ####
+
+Update python3-saml to 1.2.0, this version includes a security patch that contains extra validations that will prevent signature wrapping attacks.
+
+python3-saml < v1.2.0 is vulnerable and allows signature wrapping!
+
+#### Security Guidelines ####
+
+If you believe you have discovered a security vulnerability in this toolkit, please report it at https://www.onelogin.com/security with a description. We follow responsible disclosure guidelines, and will work with you to quickly find a resolution.
+
 Why add SAML support to my software?
 ------------------------------------
 
@@ -100,11 +110,6 @@ Security warning
 In production, the **strict** parameter MUST be set as **"true"**. Otherwise
 your environment is not secure and will be exposed to attacks.
 
-Security Guidelines
--------------------
-
-If you believe you have discovered a security vulnerability in this toolkit, please report it at https://www.onelogin.com/security with a description. We follow responsible disclosure guidelines, and will work with you to quickly find a resolution.
-
 Getting started
 ---------------
 
diff --git a/changelog.md b/changelog.md
@@ -1,5 +1,20 @@
 # python3-saml changelog
 
+### 1.2.0 (October 14, 2016)
+* Several security improvements:
+  * Conditions element required and unique.
+  * AuthnStatement element required and unique.
+  * SPNameQualifier must math the SP EntityID
+  * Reject saml:Attribute element with same “Name” attribute
+  * Reject empty nameID
+  * Require Issuer element. (Must match IdP EntityID).
+  * Destination value can't be blank (if present must match ACS URL).
+  * Check that the EncryptedAssertion element only contains 1 Assertion element.
+* Improve Signature validation process
+* Document the wantAssertionsEncrypted parameter
+* Support multiple attributeValues on RequestedAttribute
+* Fix AttributeConsumingService
+
 ### 1.1.4 (Jun 27, 2016)
 * Change the decrypt assertion process.
 * Add 2 extra validations to prevent Signature wrapping attacks.
diff --git a/setup.py b/setup.py
@@ -9,7 +9,7 @@
 
 setup(
     name='python3-saml',
-    version='1.1.4',
+    version='1.2.0',
     description='Onelogin Python Toolkit. Add SAML support to your Python software using this library',
     classifiers=[
         'Development Status :: 4 - Beta',
