Version: 8.2511.x.x RR

2025-Q4: RR Upgrade (November 2025)

Major version

Version: 8.2511

Lifecycle dates

Minor Version | General Availability | End of Full Support | End of Fade-Out Support
8.2511.3.0 | Feb 26, 2026 | May 19, 2026 | Dec 15, 2026
8.2511.2.0 | Feb 05, 2026 | May 19, 2026 | Dec 15, 2026
8.2511.1.0 | Dec 11, 2025 | May 19, 2026 | Dec 15, 2026
8.2511.0.0 | Nov 26, 2025 | May 19, 2026 | Dec 15, 2026

Breaking changes and required actions

The following components have breaking changes compared to the previous release, or require specific actions. For more information, see the Release Notes of each listed component.

  • Patterns: Database patterns now use TLS by default which can lead to issues.
  • Patterns: Usage of ${var.<name>} expression can lead to errors in the project. Upgrade to 8.2511.1 or ensure the referenced variables exist in the project.
  • Patterns: The patterns now always generate NevisIngress scoped to the Virtual Host patterns of your project. Manual cleanup of the previous NevisIngress and Ingress resources may be required in case there is an error during deployment about a failing admission webhook.

Components Changelog

nevisAdmin

nevisAdmin 8.2511.3 Release Notes - 2026-02-26

Release information

  • RPM: nevisadmin4-8.2511.3.1-1.noarch.rpm
  • GUI Version: FE 8.2511.1-1546 - BE 8.2511.3.1

Upgrade instructions and breaking changes

Check the upgrade instructions for nevisAppliance, RPM, or Kubernetes usage.

Main improvement

Notable changes and bug fixes

  • CHANGED: The Patterns were upgraded to version 8.2511.3.4.

nevisadmin4 chart 8.2511.3 - 26.02.2026

  • NEW: We added support for Gateway API as the new external traffic routing solution.
  • CHANGED: We updated the used nevisAdmin4 version to the 8.2511.3 release.
  • CHANGED: Set the default value for nevisOperator.image.tag=8.2511.2.
  • FIXED: We fixed a bug where nevisAdmin4 could not start up when a keystore named other than keystore.p12 was used.

nevisadmin4-crd chart 8.2511.3 - 26.02.2026

  • NEW: Add NevisGateway CRD. (IP-1263)

nevisAdmin 8.2511.2 Release Notes - 2026-02-05

Release information

  • RPM: nevisadmin4-8.2511.2.5-1.noarch.rpm
  • GUI Version: FE 8.2511.1-1546 - BE 8.2511.2.5

Upgrade instructions and breaking changes

Check the upgrade instructions for nevisAppliance, RPM, or Kubernetes usage.

Main improvement

NEW: Added support for configuring tolerations in inventory settings using kubernetes.tolerations for services and kubernetes.database.tolerations for database migration jobs. (IP-1429)

Notable changes and bug fixes

  • CHANGED: The Patterns were upgraded to version 8.2511.2.8.
  • CHANGED: Added warning logs about potential data loss for the /projects/<projectKey>/revision-update and /inventories/<inventoryKey>/revision-update REST APIs when they are called with the sequential=true parameter. A linear Git history is required to use this option. (NEVISADMV4-10667)

nevisadmin4 chart 8.2511.2 - 05.02.2026

  • CHANGED: We updated the used nevisAdmin4 version to the 8.2511.2 release.
  • CHANGED: Set the default value for nevisOperator.image.tag=8.2511.1.

nevisadmin4-crd chart 8.2511.2 - 05.02.2026

  • NEW: Add tolerations to NevisComponent and NevisDatabase. (IP-1429)

nevisAdmin 8.2511.1 Release Notes - 2025-12-11

Release information

  • RPM: nevisadmin4-8.2511.1.1-1.noarch.rpm
  • GUI Version: FE 8.2511.0-1535 - BE 8.2511.1.1

Upgrade instructions and breaking changes

Check the upgrade instructions for nevisAppliance, RPM, or Kubernetes usage.

Notable changes and bug fixes

  • CHANGED: The Patterns were upgraded to version 8.2511.1.3.

nevisadmin4 chart 8.2511.1 - 11.12.2025

  • CHANGED: We updated the used nevisAdmin4 version to the 8.2511.1 release.
  • CHANGED: Set the default value for nevisOperator.image.tag=8.2511.0.

nevisadmin4-crd chart 8.2511.1 - 11.12.2025

  • Technical rebuild to align the version numbers across all charts.

nevisAdmin 8.2511.0 Release Notes - 2025-11-26

Release information

  • RPM: nevisadmin4-8.2511.0.9-1.noarch.rpm
  • GUI Version: FE 8.2511.0-1535 - BE 8.2511.0.9

Upgrade instructions and breaking changes

Check the upgrade instructions for nevisAppliance, RPM, or Kubernetes usage.

  • REMOVED: The deprecated git.sshCredentialSecret and git.httpCredentialSecret parameters were removed from the nevisAdmin4 helm chart in favour of git.credentialSecret. (NEVISADMV4-10365)
  • REMOVED: The deprecated kubernetes.io/ingress.class annotation was removed from nevisadmin and operator-generated ingresses in favour of the IngressClass resource. (NEVISADMV4-10593, NOPE-10)
  • REMOVED: The optional Bitnami mariadb subchart was removed from the nevisAdmin4 helm chart. (NEVISADMV4-10625)
  • CHANGED: We updated the default Authentication flow max size (nevisadmin.view.max-size=5000) and max depth (nevisadmin.view.max-depth=200). If you encounter performance issues, consider lowering these values. (NEVISADMV4-10534)

Main improvement

  • NEW: Added a copy to clipboard icon to input fields and text areas in patterns. (NEVISADMV4-10547).
  • NEW: Added support for controller-default or prepared certificates for nevisadmin ingress. (NEVISADMV4-10582)
  • NEW: You can now add a git tag to the commit that is created when publishing an inventory, both on the GUI in the publishing dialog, and also using the REST API. (PRODROAD-723)
  • NEW: The project and inventory settings page now displays the git tags of the current commit. (PRODROAD-723)
  • NEW: nevisAdmin can now show a shield icon for settings in patterns where the use of secrets (nevisAdmin and Kubernetes) is possible. We will gradually mark more settings with this icon. If the icon is not shown yet, that doesn’t mean that secrets cannot be used. It just means we haven’t tested the use of secrets there. (NEVISADMV4-10616)
  • NEW: You can now specify git credentials when connecting a project or inventory to git, and when importing a project or inventory from git. These credentials will then be saved to the project or inventory. Subsequent git operations, such as updating from git, or publishing, will use those credentials, instead of the ones set in the git.tls.* properties. (NEVISADMV4-10543)
  • NEW: nevisOperator is now able to read git known hosts from the credentialsSecret specified in the gitCredentials custom resource, addressing an issue in GitOps where the gitCredentials ends up having an empty value for knownHosts in its spec. (NEVISADMV4-10622)
  • NEW: Implement new REST API to list inventory revisions: GET /inventories/{inventoryKey}/revisions{?size}. (NEVISADMV4-10635)
  • NEW: The project revert dialog now displays tags on commits that have them. (NEVISADMV4-10638)

Notable changes and bug fixes

  • CHANGED: The logging in the Nevis Operator component has been improved by disabling the Development mode of the underlying log framework. This changes the log format to JSON and the log threshold to the INFO level. Also, several log messages were rephrased. Further changes are expected in this area to improve the log messages that this component produces, so that operations can fully understand the operations performed by this component (NOPE-16).
  • CHANGED: The Override default value button displayed for key-value style configuration in patterns now applies the default before switching into edit mode (NEVISADMV4-10547).
  • CHANGED: The deployment in progress indicator now checks for deployments from the past hour. Previously, it checked the last two hours. (NEVISADMV4-10544)
  • CHANGED: The revision APIs now include a tags field that lists related Git tags. (NEVISADMV4-10627)
    • GET /projects/{projectKey}/revisions{?size}
    • GET /projects/{projectKey}/revisions/{commitId}
    • GET /inventories/{inventoryKey}/revisions/{commitId}
  • CHANGED: nevisOperator can now be disabled in the nevisAdmin4 helm chart, making it possible to install it in a separate namespace. (NEVISADMV4-10651)
  • FIXED: Resolved an issue where nevisOperator.tolerations, nevisOperator.affinity and nevisOperator.nodeSelector would get the same helm values as nevisAdmin4. (NEVISADMV4-10655)

Dependency upgrades

  • jackson 2.19.2 (NEVISADMV4-10559)
  • jgit 6.10.1.202505221210-r (NEVISADMV4-10559)
  • jsch 2.27.3 (NEVISADMV4-10559)
  • jetty 12.0.27 (NEVISADMV4-10559)
  • groovy 4.0.28 (NEVISADMV4-10559)
  • snakeyaml 2.5 (NEVISADMV4-10559)
  • aspectj 1.9.24 (NEVISADMV4-10559)
  • jakarta-activation-api 2.1.4 (NEVISADMV4-10559)
  • jakarta-xml-bind-api 4.0.4 (NEVISADMV4-10559)
  • jaxb 4.0.6 (NEVISADMV4-10559)
  • logback-classic 1.5.19 (NEVISADMV4-10559)
  • guava 33.5.0-jre (NEVISADMV4-10559)
  • commonmark 0.26.0 (NEVISADMV4-10559)
  • spring-boot 3.3.13 (NEVISADMV4-10559)
  • mariadb-java-client 3.5.6 (NEVISADMV4-10559)
  • postgres 42.7.8 (NEVISADMV4-10559)
  • shiro 2.0.5 (NEVISADMV4-10559)
  • nimbus-jose-jwt 10.5 (NEVISADMV4-10559)
  • bcprov-jdk18on 1.82 (NEVISADMV4-10559)
  • bcpkix-jdk18on 1.82 (NEVISADMV4-10559)
  • bcpg-jdk18on 1.82 (NEVISADMV4-10559)
  • bcutil-jdk18on 1.82 (NEVISADMV4-10559)

nevisadmin4 chart 8.2511.0 - 26.11.2025

  • BREAKING CHANGE: We removed the deprecated git.sshCredentialSecret and git.httpCredentialSecret parameters in favour of git.credentialSecret.
  • BREAKING CHANGE: We removed the optional MariaDB subchart due to Bitnami changes.
  • NEW: We added support for installing nevisAdmin4 and nevisOperator separately, including the creation of a role and a rolebinding to set up admin access to the operator.
  • CHANGED: NevisAdmin and NevisOperator ingress improvements:
    • Removed deprecated kubernetes.io/ingress.class annotation.
    • Introduced support for self-managed and controller default certificates in NevisAdmin.
    • Decoupled ingress class setting from nginx release.
  • CHANGED: We updated the used Nevis component versions to the 8.2511.0 release.
  • FIXED: We fixed a bug where nevisOperator would get its tolerations, affinity and node selector from the corresponding nevisAdmin values.
  • FIXED: We fixed a typo related to the passphrase of key store and trust store secrets.

nevisadmin4-crd chart 8.2511.0 - 26.11.2025

  • NEW: Add ExtraCertSecrets for NevisTrustStore. (IP-1172)
  • NEW: Extend nevisDatabase Custom Resource Definition with custom labels to add to the resources.
  • CHANGED: Rebuild the Custom Resource Definitions using kubebuilder v0.18.0. (NOPE-12)

Patterns

Patterns 8.2511.3 Release Notes - 2026-02-26

Release information

  • Build Version: 8.2511.3.4

Changes

⚠️ The image versions encoded in the patterns have been increased for Nevis components. The version number is shown in the deployment preview in the NevisComponent and NevisDatabase resources.

You have to download the latest images and ensure that they are available in the container registry of your Kubernetes cluster. Alternatively, you can use an older version by declaring versions in the inventory.

Kubernetes Deployment

  • PAT-1024: Support for defining Kubernetes tolerations in the inventory on the service level.
  • This release introduces support for using Gateway API with Envoy to replace NGINX Ingress.
    • To migrate to Gateway API, read the instructions found in the nevisAdmin 4 release notes.
    • Choose the controller type to generate for by setting 1 of the following boolean inventory variables:
      • __nevisadmin_ingress_enabled
      • __nevisadmin_gateway_api_enabled
    • The Virtual Host pattern contains basic settings and a drop-down to enable the generation of a NevisGateway resource for this host.
      • The default is disabled to not produce a breaking change. In this release, you have to opt in to use Gateway API.
    • Additional configuration can be applied by using the Gateway API Settings pattern. This includes:
      • PAT-1034: Settings to configure how the source IP is determined by Envoy (found in IP Detection tab).
      • PAT-1041: Setting TLS Secrets to use own TLS certificates.
      • PAT-1040: Setting to enforce mTLS for inbound connections.
      • PAT-1031: Settings for Rate Limiting.

Application Protection

  • PAT-1033: Added a check for duplicated ModSecurity rule IDs to relevant patterns.
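A duplicate-ID check of the kind PAT-1033 describes can also be run over rule text before it is pasted into a pattern. The following is an added example, not the patterns' own implementation; the rule text is constructed, and `scan_rules` and its helpers are hypothetical names.

```python
import re
import shlex
from collections import defaultdict

# Constructed sample rules (not taken from any Nevis pattern or the Core Rule Set).
SAMPLE_RULES = r'''
# Block obvious path traversal attempts
SecRule REQUEST_URI "@contains ../" "id:900100,phase:1,deny,status:403"
SecRule ARGS "@rx (?i)<script" \
    "id:'900101',phase:2,deny,\
    msg:'script tag in argument'"
# id:900100 inside a comment must not count as a rule
SecAction "id:900100,phase:1,pass,nolog,setvar:tx.demo=1"
SecRule REQUEST_HEADERS:User-Agent "@pm scanner" "phase:1,deny"
'''

# An id action on its own, with or without single quotes around the number.
ID_ACTION = re.compile(r"id\s*:\s*'?(\d+)'?")


def logical_lines(text):
    """Yield (first_line_number, directive); comment lines are dropped and
    backslash continuations are joined into one directive."""
    start, buf = None, ""
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if start is None and (not line or line.startswith("#")):
            continue
        if start is None:
            start = number
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield start, buf + line
        start, buf = None, ""
    if start is not None:  # file ended inside a continuation
        yield start, buf


def split_actions(actions):
    """Split an action list on commas that are outside single quotes, so that
    text such as msg:'see id:1, id:2' stays one action."""
    parts, buf, in_quote = [], [], False
    for ch in actions:
        if ch == "'":
            in_quote = not in_quote
        if ch == "," and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return parts


def scan_rules(text):
    """Return (duplicates, missing): duplicates maps a rule ID to the line
    numbers of every rule using it; missing lists rules that carry no ID."""
    ids = defaultdict(list)
    missing = []
    in_chain = False  # rules that continue a chain legitimately have no id
    for number, directive in logical_lines(text):
        try:
            tokens = shlex.split(directive)
        except ValueError:
            continue  # unbalanced quotes: not a directive this example can parse
        if not tokens:
            continue
        if tokens[0] == "SecRule":
            actions = tokens[3] if len(tokens) > 3 else ""
        elif tokens[0] == "SecAction":
            actions = tokens[1] if len(tokens) > 1 else ""
        else:
            continue
        parts = split_actions(actions)
        found = [int(m.group(1)) for m in map(ID_ACTION.fullmatch, parts) if m]
        for rule_id in found:
            ids[rule_id].append(number)
        if not found and not in_chain:
            missing.append(number)
        in_chain = "chain" in parts
    duplicates = {i: lines for i, lines in ids.items() if len(lines) > 1}
    return duplicates, missing


if __name__ == "__main__":
    duplicates, missing = scan_rules(SAMPLE_RULES)
    for rule_id, lines in duplicates.items():
        print(f"rule id {rule_id} is used on lines {lines}")
    for line in missing:
        print(f"rule on line {line} has no id")
```

The ID inside the comment line is ignored, and an `id:` mentioned inside a quoted `msg` is not counted as a rule ID.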

Mobile Authentication

  • PAT-858: Fixed Push Message Timeout setting in the nevisFIDO UAF Instance pattern.
    • The setting has generated a wrong property message-ttl which was ignored by nevisFIDO. The component needs push-message-ttl instead.
  • PAT-1035: Prevent issue with generated Kubernetes secrets when using the default name for Usernameless Out-of-band Mobile Authentication pattern.
    • This fix only helps when the pattern name is less than 40 characters. Please ensure you do not exceed this limit. In general, we recommend having a naming convention that uses short names.

Adaptive Authentication

  • IP-1631: Fixes related to device cookie and device fingerprinting for nevisAdapt.

Patterns 8.2511.2 Release Notes - 2026-02-05

Release information

  • Build Version: 8.2511.2.8

Changes

⚠️ The image versions encoded in the patterns have been increased for Nevis components. The version number is shown in the deployment preview in the NevisComponent and NevisDatabase resources.

You have to download the latest images and ensure that they are available in the container registry of your Kubernetes cluster. Alternatively, you can use an older version by declaring versions in the inventory.

General

  • PAT-1024: Support configuration of tolerations for services (NevisComponent CR) and their database management jobs (NevisDatabase CR) in the inventory.
  • PAT-1009: Ensure usage of ${var.<name>} expressions produces no error during background validation.

Application Protection

  • ⚠️ PAT-1030: Added ModSecurity Core Rule Set 4.22.0 and 3.3.8 and removed the older versions because of vulnerabilities found in them.
    • We recommend using 4.22.0. However, these are new rules, so you have to test your applications.
    • We recommend not downgrading, but if you really have to opt out of this change, then you can proceed as follows:
      • Select a previous pattern version for your project.
      • Download the ModSecurity Rule Set in the Virtual Host pattern.
      • Select the new pattern version again and upload the previously downloaded rule set.
  • PAT-1021: Added https support for nevisProxy Observability Settings pattern.
  • ⚠️ PAT-1013: New setting SSL VHost SNI Policy in the nevisProxy Instance pattern to configure the Apache SSLVHostSNIPolicy.
    • The default configuration should work for most setups, but we suggest reviewing this setting carefully as it is security relevant.
    • ⚠️ Because of this change, you must use nevisProxy version 8.2511.1.2 or newer.
  • NEVISPROXY-7762: The Request Validation Settings (ModSecurity) pattern now supports comments in configured rules.
    • Each comment line has to start with #.
  • NEVISPROXY-7750: Improved the exclude-url-regex generation for directory paths.
    • URL paths that start with the excluded directory’s name are no longer excluded.
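The directory-exclusion behaviour described in NEVISPROXY-7750 can be checked with a small regression table. This is an added example, not the regex the pattern actually generates: `loose_exclude_regex`, `strict_exclude_regex` and `over_excluded` are hypothetical names, and the directories and paths are constructed.

```python
import re


def loose_exclude_regex(directory):
    """Prefix match only: any path that merely starts with the directory
    name is excluded too (the behaviour the release note says was removed)."""
    return "^" + re.escape(directory.rstrip("/"))


def strict_exclude_regex(directory):
    """Match the directory itself or a path below it, nothing else.
    re.escape keeps characters such as '.' in the name literal."""
    return "^" + re.escape(directory.rstrip("/")) + "(/.*)?$"


def is_excluded(regex, path):
    return re.search(regex, path) is not None


def over_excluded(directories, paths):
    """Return the paths that a prefix-only regex would exclude although they
    lie outside every listed directory. After an upgrade these are the URLs
    to re-test, because they are no longer exempt."""
    result = []
    for path in paths:
        loose = any(is_excluded(loose_exclude_regex(d), path) for d in directories)
        strict = any(is_excluded(strict_exclude_regex(d), path) for d in directories)
        if loose and not strict:
            result.append(path)
    return result


# Constructed directories and request paths for the check.
DIRECTORIES = ["/static", "/api.v1/"]
PATHS = [
    "/static",
    "/static/app.js",
    "/staticfiles/secret",
    "/static-admin/login",
    "/api.v1/users",
    "/api.v1beta/users",
    "/apiXv1/users",
    "/other",
]

if __name__ == "__main__":
    for path in over_excluded(DIRECTORIES, PATHS):
        print("excluded only by the prefix match:", path)
```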

Authentication

  • PAT-1010: Support new attribute backendValidation for GuiElem and GuiGroup elements in nevisAuth.

Identity Management

  • PAT-1027: Support for setting user properties in nevisIDM User Create pattern.

Adaptive Authentication

  • NEVISDETECT-2149: fix authstate observation collection and validation for disabled modules.

Patterns 8.2511.1 Release Notes - 2025-12-11

Release information

  • Build Version: 8.2511.1.3

Changes

General

  • PAT-1009: Ensure usage of ${var.<name>} expressions produces no error during background validation when the variable does not exist in the project.
  • ⚠️ PAT-1006: Changed default of TLS Encryption to trust for all database patterns.
    • Double check that the configuration is as required to connect to your database.

Authentication

  • PAT-1010: Support new attribute backendValidation for GuiElem and GuiGroup elements in nevisAuth.

Patterns 8.2511.0 Release Notes - 2025-11-26

Release information

  • Build Version: 8.2511.0.9

Known Issues

The following issues are known and will be addressed in the December patch release (planned for December 11).

Default for TLS Encryption in Database Patterns

So far the default value for TLS Encryption in database patterns is plain.
This causes errors when connecting to Azure PostgreSQL, as that service enforces TLS by default.
You are affected if you see log messages like no pg_hba.conf entry for host.

Fix in upcoming patch:
trust will become the new default value.

Workarounds until patch is available:
Enable TLS by setting the TLS Encryption drop-down to a TLS-enabled option such as trust.

Errors with Variable Expressions in Patterns

Using ${var.<name>} placeholders in patterns currently results in errors if the variable is not defined in the project.
These errors do not affect deployment, because the values from the inventory are used during deployment.

Fix in upcoming patch:
Background validation will be relaxed so that missing variables no longer cause errors.

Workarounds until patch is available:

As variables cannot be created on the project variables screen, you have 2 options:

  1. Create the variable indirectly by temporarily using another setting that generates it.
  2. Export the project as zip or push to Git, add the variable manually to variables.yml and import / pull the project into nevisAdmin again.

New GuiElem Attribute backgroundValidation

nevisAuth has introduced a new attribute for GuiElem called backgroundValidation.
The Generic Authentication Step pattern does not yet support configuring backgroundValidation.

Fix in upcoming patch:
The Generic Authentication Step will be updated to support configuration of this attribute.

Workarounds until patch is available:
There are no easy workarounds.
You would have to find an alternative way to perform validation,
which would involve structural changes (e.g., replacement of the AuthState or using resumeState="false" with an additional AuthState in front).
We do not recommend this, as it increases complexity.

Changes

⚠️ The image versions encoded in the patterns have been increased for all Nevis components. The version number is shown in the deployment preview in the NevisComponent and NevisDatabase resources.

You have to download the latest images and ensure that they are available in the container registry of your Kubernetes cluster. Alternatively, you can use an older version by declaring versions in the inventory.

  • PAT-909: New Connection Pool settings in Database patterns
    • ⚠️ The nevisAdapt Database and nevisDetect Database patterns have a breaking change as a drop-down had to be removed. If you have selected any option, clear it and configure the settings in the Connection Pool tab instead.

Application Protection

  • PAT-959: New experimental Geolocation Service pattern
  • PAT-959: New setting Source IP Header in the Virtual Host pattern
    • We recommend configuring this setting in setups where requests are terminated in front of nevisProxy (e.g., in Kubernetes).
  • PAT-980: Fixed an issue that caused the NevisIngress to be generated without TLS if Ingress/Host is set for Virtual Host.
  • PAT-938: Support disabling Ingress generation per Virtual Host.
  • PAT-937: Support multiple Virtual Host patterns to be assigned where possible.
    • In some patterns only a single Virtual Host can be assigned, and thus you have to duplicate the pattern where the Virtual Host is assigned.
  • PAT-883: Securosys configuration files can now be provided using a Kubernetes secret.
  • PAT-931: Added support for openssl provider lib in Securosys using RFC7512 compliant PKCS11 URLs.
  • PAT-971: The ExporterAddress for tracing in the OpenTelemetry pattern for nevisProxy is now optional.

Authentication

  • PAT-999: Fixed the User Input (single field) pattern
  • ⚠️ PAT-999: Removed the Remember Input feature from all patterns as this feature has caused significant effort and does not work in some scenarios.
    • This change was announced in pattern release 8.2505.3.
    • If your pattern configuration has this feature enabled, there will now be an error. You have to manually clear the configuration from affected patterns.
  • PAT-984: Added missing protocol in Sendgrid SMTP pattern.
  • PAT-978: Added validation logic for SendMail AuthState.
  • PAT-966: Fixed a bug that prevented the configuration of a SecurityTokenService using Generic nevisAuth Web Service pattern.
  • IP-1179: Added additional settings to the Authentication Realm to customize the modern Login Template.
  • PAT-962: Ensure Audit Log and Event Log are disabled by default
  • PAT-949: Support unlock in Authentication Realm
  • PAT-949: New setting in nevisLogrend Instance to add / overwrite / remove init-param elements for LoginRendererServlet.

Federation

  • PAT-996: Ensure valid-authorization-request-authentication-required is generated by default for the AuthorizationServer.
    • This change ensures that Force Reauthentication (a setting in nevisMeta) works out of the box.
  • ⚠️ NEVISADMV4-10642: Refactored drop-downs in SAML IDP Connector and SAML SP Connector patterns
    • Removed the requirement to configure at least 1 option as the default value shall apply when no option is selected, and this requirement has led to false validation issues.
    • Removed the option AuthnRequest from the following drop-downs as this option never made sense:
      • SAML IDP Connector / Signature Validation - reason: the SP never receives these elements.
      • SAML SP Connector / Signed Element - reason: the IDP never produces these elements.
  • PAT-781: Fixed attributes extraction with : in SAML IDP Connector.
  • PAT-906: Experimental settings for dynamic selection based on OAuth client:
    • nevisIDM User Lookup pattern: Select profile for client-specific unit
    • Authentication Realm pattern: Select nevisLogrend application
  • PAT-887: Fixes related to OAuth 2.0 Authorization Server / OpenID Connect Provider User Info Endpoint

Identity Management

  • PAT-998: Improved the nevisIDM Terms & Conditions Acceptance pattern so that the applicable terms and conditions can be determined even when there is no user DTO in the session.
  • N/A: Raised minimum version for nevisIDM in classic deployment to 8.2505.5.4
    • Reason: the nevisIDM Second Factor Selection pattern calls an API (timezone) that was introduced in that version.
    • These minimum version checks are conservative. We recommend using at least version 8.2511.0 to ensure you are using a tested and supported combination.
  • PAT-969: Fixed a bug that prevented the use of expressions ending with the String Endpoint in the nevisDataPorter Instance pattern.
  • IP-1061: Fix for missing credentials in userDto.
  • PAT-527: Prevent unexpected changes caused by nevisIDM Authorizations pattern.
  • PAT-990: Fixed issue with nevisIDM Terms & Conditions Acceptance pattern where language keys were checked case-sensitive.

FIDO2 Passwordless

  • PAT-992: Fixes related to username in FIDO2 Authentication pattern.

Mobile Authentication

  • PAT-954: Support k8s-secret-file for FIDO policies.
  • PAT-932: New setting Gui Title for Out-of-band Mobile Onboarding.

Adaptive Authentication

  • PAT-977: Support patching nevisadapt.properties with Generic nevisAdapt Instance Settings.

nevisAdapt

nevisAdapt 8.2511.2.5 - 05.02.2026

Changes and new features

  • FIXED: analyzer input validation for disabled modules in nevisAdapt backend
  • FIXED: dependencies updated

nevisAdapt 8.2511.1.3 - 11.12.2025

Changes and new features

  • FIXED: Disabling a module no longer expects its observations to be present in NevisAdaptAuthState

nevisAdapt 8.2511.0.6 - 26.11.2025

Changes and new features

  • FIXED: Dependencies updated
  • FIXED: Event-based authentication flow - untrained event handling

nevisAuth

nevisAuth 8.2511.3.1 - 26.02.2026

Breaking changes

Changes and new features

  • UPGRADED: We upgraded the Nevis client package versions in docker images. (NEVISAUTH-5324)

nevisAuth 8.2511.2.3 - 05.02.2026

Breaking changes

Changes and new features

  • FIXED: The ThrottleSessionState incorrectly counted the number of sessions in certain scenarios. The deadlock fix in May 2025 introduced a calculation error which this release addresses. Note that the ThrottleSessionState applies a graceful limiting logic, removing older sessions and allowing the current request to be processed. When parallel requests with matching throttling conditions arrive, this behaviour introduces a limitation: maxMatchingSessions is respected when all of them are finished and not one by one. Therefore, it is possible that sessions fulfilling the throttling conditions momentarily do not respect maxMatchingSessions, which makes the ThrottleSessionState unsuitable for strict rate-limiting requirements. (NEVISAUTH-5287)
  • UPGRADED: We upgraded the Log4j third-party dependencies to version 2.25.3. (NEVISAUTH-5293)

nevisAuth 8.2511.1.2 - 11.12.2025

Breaking changes

Changes and new features

  • FIXED: We fixed a form decryption error when deviating from the regular authentication flow causing a switch between encrypted and non encrypted forms. (NEVISAUTH-5261)

nevisAuth 8.2511.0.5 - 19.11.2025

Breaking changes

  • CHANGED: The validation attribute of the GuiElem / GuiGroup no longer evaluates Javascript validation on the backend side. Use the backendValidation attribute with EL expressions for backend side validation with more complex cases where format or length is not enough. (NEVISAUTH-5034)
  • CHANGED: Groovy scripts in the ScriptState are no longer automatically reloaded and recompiled (on change in the script file) at every request by default. Setting the new configuration option recompileOnChange to true allows you to use the previous default behaviour. (NEVISAUTH-5213)
  • FIXED: We fixed validation issues of Client Secret JWT authentication method in the Authorization Server. (NEVISAUTH-5160)

Changes and new features

  • NEW: New configuration properties for the SMTPClient: mail.smtps.tls.keyObjectRef and mail.smtps.tls.trustStoreRef allowing better configuration of TLS key material than the JVM arguments. (NEVISAUTH-4972)
  • NEW: Introduced caching option for JWKS endpoints and local files (default: on). (NEVISAUTH-4296)
  • NEW: New configuration option for OOCD and RemoteSessionStore: connectionMaxIdleTime allowing to configure how long idle connections should be kept in the pool. (NEVISAUTH-5151)
  • CHANGED: mail.smtps.ssl.protocols now defaults to TLSv1.2 TLSv1.3. (NEVISAUTH-4972)
  • CHANGED: The following jar files are removed from the nevisauth.war file as they are already contained on the application classloader level in the rpm: commons-lang3, error_prone_annotations, failureaccess, guava, j2objc-annotations, jackson-annotations, jackson-core, jackson-databind, jspecify, listenablefuture-9999. Having these duplicated caused classloading errors in some cases. (NEVISAUTH-5147)
  • CHANGED: Liveness endpoint now validates the following: Jetty is in started state, LocalSessionStore is not full, RemoteSessionStore has a working connection (if configured), Remote OOCD has a working connection (if configured). (NEVISAUTH-5089)
  • CHANGED: The session object available in the ScriptState now automatically creates a session (in case it was not yet present) whenever an operation is executed on the session object which adds data. Note that conditional operations (for example: computeIfAbsent) will always result in a session being created regardless of what the condition evaluates to. This new approach eliminates the need to use if (request.getSession(false) == null) { constructs to create a session if none exists yet. Note that this does not apply to any operation called on request.getSession(false), only directly on the session object available in the ScriptState context. (NEVISAUTH-4951)
  • FIXED: nevisAuth now stops on startup when a critical configuration failure happens. In addition now the liveness endpoint will properly report DOWN when the server is already in a stopping state. (NEVISAUTH-5081)
  • FIXED: Fixed a deadlock in the ThrottleSessionsState when the same user tried to login concurrently in the exact same time. (NEVISAUTH-5084)
  • FIXED: Remote session store syncPullInitial="true" failing when session indexing was configured. (NEVISAUTH-5124)
  • FIXED: Double resolution of EL expressions on Gui labels parameters. (NEVISAUTH-5121)
  • FIXED: The HttpClient configuration httpclient.authorization.basic.username incorrectly created the base64 encoded Authorization header value without padding. Now padding is applied according to specification. (NEVISAUTH-5182)
  • FIXED: Added back the -Dch.nevis.auth.jwttoken.x5t.disabled=true configuration option to disable the automatic thumbprint header parameter generation for backends which cannot handle it properly. We recommend not to use this property, especially for long-term setups and rather invest in getting the affected backend to behave according to the JWT specifications.
  • FIXED: The jti (JWT ID) claim is no longer incorrectly mandatory in JWT Client Authentication requests for the token endpoint. (NEVISAUTH-5239)
  • UPGRADED: We upgraded the Apache Httpclient third-party dependency to version 5.5.1. (NEVISAUTH-5174)
  • UPGRADED: We upgraded the Bouncy Castle third-party dependencies to version 1.82. (NEVISAUTH-5174)
  • UPGRADED: We upgraded the Checker-qual third-party dependency to version 3.51.1. (NEVISAUTH-5174)
  • UPGRADED: We upgraded the Commons cli third-party dependency to version 1.10.0. (NEVISAUTH-5174)
  • UPGRADED: We upgraded the Commons codec third-party dependency to version 1.19.0. (NEVISAUTH-5174)
  • UPGRADED: We upgraded the Commons-lang3 third-party dependency to version 3.19.0. (NEVISAUTH-5157)
  • UPGRADED: We upgraded the Commons-text third-party dependency to version 1.14.0. (NEVISAUTH-5174)
  • UPGRADED: We upgraded the Groovy third-party dependencies to version 4.0.29. (NEVISAUTH-5174)
  • UPGRADED: We upgraded the Guava third-party dependencies to version 33.4.8-jre. (NEVISAUTH-5174)
  • UPGRADED: We upgraded the HikariCP third-party dependencies to version 7.0.2. (NEVISAUTH-5174)
  • UPGRADED: We upgraded the Jackson third-party dependencies to version 2.20.1. (NEVISAUTH-5174)
  • UPGRADED: We upgraded the Jakarta mail third-party dependencies to version 2.0.4. (NEVISAUTH-5174)
  • UPGRADED: We upgraded the Jaxb third-party dependencies to version 4.0.4. (NEVISAUTH-5258)
  • UPGRADED: We upgraded the Jaxrs third-party dependencies to version 3.11.1. (NEVISAUTH-5258)
  • UPGRADED: We upgraded the Jetty third-party dependencies to version 12.0.29. (NEVISAUTH-5174)
  • UPGRADED: We upgraded the Json smart third-party dependencies to version 2.6.0. (NEVISAUTH-5174)
  • UPGRADED: We upgraded the Ldap-unboundid third-party dependency to version 7.0.3. (NEVISAUTH-5174)
  • UPGRADED: We upgraded the Libphonenumber third-party dependency to version 9.0.17. (NEVISAUTH-5174)
  • UPGRADED: We upgraded the Log4j third-party dependencies to version 2.25.2. (NEVISAUTH-5174)
  • UPGRADED: We upgraded the MariaDB connector third-party dependency to version 3.5.6. (NEVISAUTH-5174)
  • UPGRADED: We upgraded the Moxy third-party dependency to version 4.0.8. (NEVISAUTH-5174)
  • UPGRADED: We upgraded the Nimbus oidc sdk third-party dependency to version 11.30. (NEVISAUTH-5174)
  • UPGRADED: We upgraded the Nimbus JWT third-party dependency to version 10.5. (NEVISAUTH-5174)
  • UPGRADED: We upgraded the OpenSaml third-party dependency to version 5.1.4. (NEVISAUTH-5174)
  • UPGRADED: We upgraded the Opentelemetry api third-party dependency to version 1.55.0. (NEVISAUTH-5174)
  • UPGRADED: We upgraded the PostgreSQL jdbc driver third-party dependency to version 42.7.8. (NEVISAUTH-5117)
  • UPGRADED: We upgraded the XmlSec third-party dependency to version 4.0.4. (NEVISAUTH-5174)
  • UPGRADED: We upgraded the Woodstox third-party dependency to version 7.1.1. (NEVISAUTH-5174)
  • DEPRECATED: The Captcha auth state has been deprecated and will be removed with the May 2026 rolling release. It will be replaced with more comprehensive bot protection in the Nevis products. (NEVISAUTH-5228)

nevisDataporter

nevisDataporter 8.2511.2.2 - 26.02.2025

Changes and new features

  • UPGRADED: We upgraded com.sun.mail:jakarta.mail. (NEVISDP-671)

nevisDataporter 8.2511.1.2 - 05.02.2025

Changes and new features

  • UPGRADED: We upgraded Java in docker image to OpenJDK "21.0.10" 2026-01-20 LTS.

nevisDataporter 8.2511.0.4 - 26.11.2025

Changes and new features

  • FIXED: Socket factory parameters corrected for STARTTLS to fix double session start. (NEVISDP-658)
  • UPGRADED: We upgraded dependency-check to 12.1.5. (NEVISDP-656)
  • UPGRADED: We upgraded HTTPClient to 5.5. (NEVISDP-593)
  • UPGRADED: We upgraded Hibernate to 7.0.3.Final. (NEVISDP-592)
  • UPGRADED: We upgraded Jakarta-Persistence API to 3.2. (NEVISDP-592)
  • UPGRADED: We upgraded PostgreSQL driver to 42.7.7. (NEVISDP-641)
  • UPGRADED: We upgraded Beanutil to 1.11.0. (NEVISDP-640)

nevisDetect

nevisDetect 8.2511.1.4 - 05.02.2026

Changes and new features

  • FIXED: (nevisdetectcl) build contains jakarta-jms-api
  • FIXED: Dependencies updated

nevisDetect 8.2511.0.4 - 26.11.2025

Changes and new features

  • FIXED: Dependencies updated
  • FIXED: Unresponsive dropdown for policy editing in the admin GUI
  • FIXED: BehavioSec notes generation issue for flag descriptions

nevisFido

nevisFIDO 8.2511.2.3 - 26.02.2026

Breaking changes

Changes and new features

  • FIXED: Downgraded the log message severity from ERROR to WARN when a specific user is not found in nevisIDM, in order to reduce log clutter. (NEVISFIDO-2593)
  • FIXED: The registration token redemption flow was hardened to prevent duplicate UAF session creation and database unique-key violations during concurrent redeem requests. (NEVISFIDO-2591)

nevisFIDO 8.2511.1.2 - 05.02.2026

Breaking changes

Changes and new features

  • NEW: JAVA_OPTS in env.conf supports variable resolution analogous to nevisfido.yml. Note that the $ sign has to be escaped as \$. (NEVISFIDO-2567)
  • FIXED: Incorrect error handling caused deregistration to fail with HTTP 500 in certain scenarios. The issue is now fixed and we properly return HTTP 200 and FIDO status 1500. (NEVISFIDO-2566)
  • FIXED: The last login information of the user and the associated credentials were not updated correctly in nevisIDM at the end of the authentication flow. (NEVISFIDO-2581)
  • UPGRADED: We upgraded the Log4j third-party dependencies to version 2.25.3. (NEVISAUTH-5293)

nevisFIDO 8.2511.0.4 - 19.11.2025

Breaking changes

  • CHANGED: nevisFIDO now rejects requests upon the Android Attestation key revocation check in the Full Basic Attestation when the Android Attestation CRL is missing. The nevisFIDO health endpoint now returns down status if the CRL cannot be fetched or has failed to update for a specific time. The behaviour in the failed update scenario can be influenced by the new fido-uaf.full-basic-attestation.android-attestation-key-revocation.health-service-down-if-outdated-for property. (NEVISFIDO-2471)

  • CHANGED: The FIDO UAF configuration has been enhanced to support specifying multiple paths for both metadata and policy files. Previously, only a single file or directory path could be provided. With this update, administrators can now configure fido-uaf.metadata.paths and fido-uaf.policy.paths as lists of paths. The behavior and precedence when an inline value is provided remain unchanged. (NEVISFIDO-2505)

    # Migration Example
    ## Old configuration format:
    fido-uaf:
      metadata:
        path: conf/metadata
      policy:
        path: conf/policy

    ## New configuration format:
    fido-uaf:
      metadata:
        paths:
          - conf/metadata
      policy:
        paths:
          - conf/policy

Changes and new features

  • NEW: fido-uaf.full-basic-attestation.android-verification-level has a new value strict-strongbox which only allows keymaster security level StrongBox. (NEVISFIDO-2407)
  • NEW: nevisFIDO logs the client error code in case of UAF status code 1498. This helps in support scenarios and issue analysis. (NEVISFIDO-2439)
  • NEW: Configuration option login-info-update in the credential-repository allows the successful/failed login counter increment in nevisIDM to be limited to authentication only and to exclude transaction confirmation. (NEVISFIDO-2444)
  • NEW: New configuration option for the session-repository: max-connection-idle-time configures how long idle connections are kept in the pool. (NEVISFIDO-2452)
  • NEW: The new Android root certificate required for Full Basic Attestation rolled out in February 2026 has been added to the UAF metadata file. (NEVISFIDO-2489)
  • NEW: The UAF credentials have been enhanced to store the AttestationType at the time of registration. This information is saved in a new optional field in nevisIDM. (NEVISFIDO-2491)
  • NEW: A request-scoped credential cache for FIDO UAF credentials has been introduced to improve performance. It is enabled by default and can be controlled via the credential-repository.credential-cache-enabled configuration setting. (NEVISFIDO-2482)
  • NEW: Integrated new nevisIDM REST endpoints for bulk login information updates, bulk UAF credential signature counter updates, and searching multiple UAF credentials by AAID and Key ID pairs. (NEVISFIDO-2514)
  • CHANGED: The default value of fido-uaf.full-basic-attestation.android-verification-level now also includes the validation of AttestationApplicationId. (NEVISFIDO-2470)
  • CHANGED: Strengthened the security of the FIDO UAF registration process by enhancing the cryptographic validation of authenticator attestation data. (NEVISFIDO-2476, NEVISFIDO-2481)
  • CHANGED: Add support of FIDO UAF Full Basic Attestation for some additional Xiaomi devices. (NEVISFIDO-2511)
  • CHANGED: Jackson configuration FAIL_ON_TRAILING_TOKENS is now enabled which supposedly fixes some of the SocketException: Broken pipe type errors when connecting to nevisFIDO. (NEVISFIDO-2517)
  • FIXED: A failure to download the key revocation list from Google on startup due to a socket timeout caused nevisFIDO to not report healthy. (NEVISFIDO-2425)
  • FIXED: Supplying the value null for the optional fields userAgent or userFriendlyName in the json payload for ServerPublicKeyCredentialForRegistration no longer causes a parsing error. (NEVISFIDO-2445)
  • FIXED: Cleaned up the default Attestation Root Certificates in the metadata-statements.json supplied in the default instance templates and in the documentation. (NEVISFIDO-2460)
  • FIXED: credential-repository configuration option user-attribute is now properly defaulting to extId when it is not configured. (NEVISFIDO-2444)
  • FIXED: Resolved an issue where inline UAF metadata values exceeding 10,000 characters could cause errors. (NEVISFIDO-2462)
  • FIXED: Resolved a nevisFIDO error response triggered by incorrect handling of the credential states tmp-locked, fail-locked, reset-code, admin-changed for FIDO-UAF / FIDO2 / Generic credentials. (NEVISFIDO-2494)
  • UPGRADED: We upgraded the Apache Httpclient third-party dependency to version 5.5.1. (NEVISFIDO-2473)
  • UPGRADED: We upgraded the Bouncy Castle third-party dependencies to version 1.82. (NEVISFIDO-2473)
  • UPGRADED: We upgraded the Checker-qual third-party dependency to version 3.51.2. (NEVISFIDO-2473)
  • UPGRADED: We upgraded the Google-api-client third-party dependency to version 2.8.1. (NEVISFIDO-2473)
  • UPGRADED: We upgraded the Google Api services third-party dependencies to version v1-rev20250828-2.0.0. (NEVISFIDO-2473)
  • UPGRADED: We upgraded the Google-auth-library third-party dependency to version 1.40.0. (NEVISFIDO-2473)
  • UPGRADED: We upgraded the Guava third-party dependencies to version 33.5.0-jre. (NEVISFIDO-2473)
  • UPGRADED: We upgraded the HikariCP third-party dependencies to version 7.0.2. (NEVISFIDO-2473)
  • UPGRADED: We upgraded the Jackson third-party dependencies to version 2.20.1. (NEVISFIDO-2473)
  • UPGRADED: We upgraded the Jetty third-party dependencies to version 12.0.29. (NEVISFIDO-2473)
  • UPGRADED: We upgraded the Log4j third-party dependencies to version 2.25.2. (NEVISFIDO-2473)
  • UPGRADED: We upgraded the MariaDB connector third-party dependency to version 3.5.6. (NEVISFIDO-2473)
  • UPGRADED: We upgraded the Nimbus JWT third-party dependency to version 10.5. (NEVISFIDO-2473)
  • UPGRADED: We upgraded the Opentelemetry api third-party dependency to version 1.55.0. (NEVISFIDO-2473)
  • UPGRADED: We upgraded the PostgreSQL jdbc driver third-party dependency to version 42.7.8. (NEVISFIDO-2429)
  • UPGRADED: We upgraded the Spring Boot third-party dependency to version 3.5.7. (NEVISFIDO-2473)
  • UPGRADED: We upgraded the Webauthn4j third-party dependency to version 0.30.0.RELEASE. (NEVISFIDO-2473)
  • REMOVED: The commons-logging library was removed because it caused warnings and is no longer needed since Spring provides its own solution. (NEVISFIDO-2467)

nevisIDM

nevisIDM 8.2511.3.0 - 26.02.2025

Application version | Minimal required database schema version | Maximal supported database schema version
8.2511.3.0 | 7.39 | 7.x

General changes and new features

  • UPGRADED: We upgraded com.sun.mail:jakarta.mail. (NEVISIDM-10548)
  • IMPROVED: The property uniqueness check is performed only if necessary. (NEVISIDM-10555)
  • IMPROVED: The calculation of the latest installed DB version was improved. (NEVISIDM-10572)

nevisIDM 8.2511.2.3 - 05.02.2025

Application version | Minimal required database schema version | Maximal supported database schema version
8.2511.2.3 | 7.39 | 7.x

General changes and new features

  • UPGRADED: We upgraded Java in docker image to OpenJDK "21.0.10" 2026-01-20 LTS.
  • FIXED: Lazy operation problem fixed in connection with verify certificate. (NEVISIDM-10485)
  • FIXED: Checksum problems fixed for DB version 7.31.1 (upgrading from 8.2505.5 and 8.2511.0). (NEVISIDM-10489)
  • IMPROVED: Performance of user history is improved by using origId instead of extId if available. (NEVISIDM-10503)
  • CHANGED: Underline is no longer considered a wildcard in the GUI. (NEVISIDM-10500)
  • FIXED: SOAP operation bulkGetAllUsers problem fixed if timestamp is given. (NEVISIDM-10494)
  • FIXED: Lazy operation problem fixed in connection with user creation. (NEVISIDM-10521)

nevisIDM 8.2511.1.6 - 11.12.2025

Application version | Minimal required database schema version | Maximal supported database schema version
8.2511.1.6 | 7.39 | 7.x

General changes and new features

  • NEW: Configuration application.idm.jwt.check.disabled introduced for self-admin JWT token validation. (NEVISIDM-10218)
  • FIX: Security question related problem fixed in SCIM patch operation. (NEVISIDM-10327)
  • FIX: Disallow to replace extId in SCIM Patch operation. (NEVISIDM-10449)
  • FIX: SAML credential uniqueness check problem fixed. (NEVISIDM-10450)
  • FIX: IDM now sets statement timeout for each SQL statement to avoid infinite waiting for locks. (NEVISIDM-10451)
  • FIX: Property cache synchronization related problems fixed. (NEVISIDM-10452)
  • FIX: Missing backport done for NEVISIDM-10299. (NEVISIDM-10463)
  • FIX: Database health indicator fixed to indicate DOWN state correctly. (NEVISIDM-10478)
caution

There is a known issue in this release and in the previous release 8.2511.0.4. In some cases, X509-based authentication runs into a transactional error, which conflicts with our efforts to disable Lazy Load in Hibernate. We will fix this in the next fix pack in January. Until then, if you encounter the LazyInitializationException error, please add the following option to your JVM arguments: -Dhibernate.enable_lazy_load_no_trans=true.

nevisIDM 8.2511.0.4 - 26.11.2025

Application version | Minimal required database schema version | Maximal supported database schema version
8.2511.0.4 | 7.39 | 7.x

Breaking changes

nevisIDMDB migration

The 7.31.1 migration in 8.2505.5.4 and 8.2511.0.4 has different checksums for MariaDB databases. If you are experiencing issues during migration on MariaDB, please read Step 3.1 of the Upgrading section below.

General changes and new features

General/Core

  • UPGRADED: Flyway upgraded to 11.8.2. (NEVISIDM-9969)
  • UPGRADED: Quartz upgraded to 2.5.0. (NEVISIDM-9972)
  • UPGRADED: Hibernate and related artifacts upgraded. (NEVISIDM-9973)
    • Hibernate core upgraded to 7.0.6.Final.
    • Hibernate Commons Annotations upgraded to 7.0.3.Final.
    • Hibernate Validator upgraded to 9.0.0.Final.
    • Hibernate Search upgraded to 8.0.0.Final.
  • UPGRADED: JaxWs and related artifacts upgraded. (NEVISIDM-9990)
    • JaxWs core upgraded to 4.0.3.
    • CXF upgraded to 4.1.2
    • JaxWs API upgraded to 4.0.3.
    • Jakarta XML Bind API upgraded to 4.0.0.
    • Glassfish Jaxb Runtime upgraded to 4.0.4.
  • NEW: New note introduced for IdmCreateUserState as error.message. (NEVISIDM-10083)
  • FIXED: Deleted Units are now displayed only once. (NEVISIDM-10133)
  • UPGRADED: Bean Utils upgraded to 1.11.0. (NEVISIDM-10158)
  • FIXED: Fixed an issue where the include sub-units toggle on the Profile Search page was disregarded. (NEVISIDM-10164)
  • UPGRADED: We upgraded postgresql driver to 42.7.7. (NEVISIDM-10172)
  • NEW: OpenApi descriptor introduced to REST services and DTOs. (NEVISIDM-10174)
  • IMPROVED: IdmCreateUserState now updates ch.adnovum.nevisidm.user.extId in session if loadUser=true. (NEVISIDM-10181)
  • CHANGED: Modified Database Connection Health Check: The connection is now considered healthy if at least one connection is available, so that no false down messages are displayed when the maintenance interval and the health check run at the same time. (NEVISIDM-10193)
  • FIXED: Language codes now conform to the standard ISO639. (NEVISIDM-10201)
  • NEW: User Search now accepts escape character for wildcard, configurable by application.database.escapeCharacter. (NEVISIDM-10213)
  • FIXED: UpdateUserStateJob now does not duplicate last previous modification comment. (NEVISIDM-10223)
  • CHANGED: The default values of four DB connection related parameters changed. (NEVISIDM-10227)
    • The database.connection.pool.size.min is now by default 10.
    • The database.connection.pool.size.max is now by default 50.
    • The database.connection.borrow.connection.timeout is now by default 3600.
    • The database.connection.xa.enabled is now by default false (since provisioning is also OFF by default).
  • FIX: Fixed maximum length validation of FIDO2 credentials for the REST API, and User friendly name field in the Web GUI. (NEVISIDM-10255)
  • CHANGED: The Hibernate option hibernate.enable_lazy_load_no_trans is now false, which disallows temporary transactions and improves performance. (NEVISIDM-10256)
  • UPGRADED: CXF upgraded to 4.1.3. (NEVISIDM-10275)
  • UPGRADE: We upgraded Spring Framework to 6.2.10. (NEVISIDM-10273)
  • NEW: Added List all Applications endpoint to Application Rest Service. (NEVISIDM-10330)
  • NEW: Introduced configuration database.connection.read.only.maintenance.interval and database.connection.maintenance.interval to make atomikos maintenance interval configurable. (NEVISIDM-10343)
  • NEW: Introduced new configuration parameter to declare for which externally validated credential types the temporary and final locks are calculated by IDM application.externally.validated.credentials.lock.calculation.type. (NEVISIDM-10370)
  • UPGRADE: We upgraded netty to 4.1.128.Final. (NEVISIDM-10387)
  • NEW: Added application.ignore.plain.value.at.password.generation configuration property with default true value. Configures whether plain value for password credential should be ignored or throw an exception if resetCode policy is true. (NEVISIDM-10396)
  • FIX: Unified error handling of history requests when the requested entity does not exist. (NEVISIDM-10407)
  • FIX: Database level lock type corrected for login Id generator to fix transactional problems on PostgreSQL. (NEVISIDM-10408)
  • FIX: Transactional demarcation problem fixed for Client loader on startup. (NEVISIDM-10412)

REST API

  • NEW: PATCH operation added to our SCIM implementation. See OpenAPI documentation for more details and sample requests. (NEVISIDM-8374)
  • CHANGED: The field 'state' added to GetUnit DTO in core REST services. (NEVISIDM-10236)
  • CHANGED: Modifying appID is now allowed for the FIDO UAF credentials. (NEVISIDM-10252)
  • NEW: REST API support added for SAML credentials. (NEVISIDM-10263)
  • NEW: REST API support added for Ticket credentials. (NEVISIDM-10264)
  • NEW: REST API support added for Device password credentials. (NEVISIDM-10266)
  • NEW: REST API support is now complete for OATH credentials (the missing PATCH added). (NEVISIDM-10271)
  • NEW: Introduced alternative url for Device Password REST Service https://<your_host>/{clientExtId}/users/{userExtId}/device-passwords. (NEVISIDM-10346)
  • FIX: Unified special attribute handling in credential rest services. (NEVISIDM-10371)
  • FIX: Generic credential creation moved into one transaction. (NEVISIDM-10381)
  • NEW: Bulk endpoints introduced to improve FIDO UAF performance. (NEVISIDM-10286)

nevisLogRend

nevisLogRend 8.2511.1.2 - 05.02.2026

Breaking changes

Changes and new features

  • UPGRADED: We upgraded the Log4j third-party dependencies to version 2.25.3. (NEVISAUTH-5293)

nevisLogRend 8.2511.0.2 - 19.11.2025

Breaking changes

Changes and new features

  • FIXED: The $utils.escapeXml() function was accidentally doing the same as escapeJs. (NEVISLOG-573)
  • FIXED: An incorrectly rendered JSON response was fixed for cases where the label and value GuiElem attributes contain special characters. These are now properly escaped according to JSON escaping using the new $utils.escapeJson() function. Note that the fix was applied in json.vm, so for existing instances either json.vm must be copied over from the templates or the file has to be patched manually: "$guiElem.label)" must be replaced with "$utils.escapeJson($guiElem.label)", and the same goes for "$guiElem.value". (NEVISLOG-573)
  • UPGRADED: We upgraded the Commons-beanutils third-party dependency to version 1.11.0. (NEVISLOG-567)
  • UPGRADED: We upgraded the Commons-cli third-party dependency to version 1.10.0. (NEVISLOG-581)
  • UPGRADED: We upgraded the Commons-lang3 third-party dependency to version 3.19.0. (NEVISLOG-575)
  • UPGRADED: We upgraded the Commons-text third-party dependency to version 1.14.0. (NEVISLOG-579)
  • UPGRADED: We upgraded the Guava third-party dependencies to version 33.5.0-jre. (NEVISLOG-579)
  • UPGRADED: We upgraded the Jackson third-party dependencies to version 2.20.1. (NEVISLOG-579)
  • UPGRADED: We upgraded the Jetty third-party dependencies to version 12.0.29. (NEVISLOG-579)
  • UPGRADED: We upgraded the Log4j third-party dependencies to version 2.25.2. (NEVISLOG-579)
  • UPGRADED: We upgraded the Opentelemetry api third-party dependency to version 1.55.0. (NEVISLOG-579)

nevisMeta

nevisMeta 8.2511.1.3 - 05.02.2026

Breaking changes

Changes and new features

  • UPGRADED: We upgraded the Log4j third-party dependencies to version 2.25.3. (NEVISMETA-2321)
  • UPGRADED: We upgraded the Slf4j third-party dependencies to version 2.0.17. (NEVISMETA-2321)

nevisMeta 8.2511.0.4 - 26.11.2025

Breaking changes

  • Permanently deleting Resource Servers will also delete Refresh Tokens that use scopes from the deleted Resource Servers. (NEVISMETA-2143)
  • REMOVED: We removed the deprecated property includeSoftDeletedStatesPerDefault. From now on, the only way to include soft deleted states in a REST call is to set the query parameter includeSoftDeletedStates to true.

Changes and new features

  • NEW: We have improved the documentation of logging categories in the Reference Guide. (NEVISMETA-2069)
  • NEW: We have updated the file logging.yml in the instance templates. (NEVISMETA-2069)
  • UPGRADED: We upgraded the jetty third-party dependency to 12.0.23. (NEVISMETA-2244)
  • UPGRADED: We upgraded the Jackson third-party dependency to 2.18.4. (NEVISMETA-2300)
  • FIXED: There was an error when permanently deleting Resource Servers having scopes used by Refresh Tokens. (NEVISMETA-2143)

nevisProxy

nevisProxy 8.2511.2 - 5.2.2026

Changes and new features

  • NEW: The OpenTelemetry implementation now supports the ExportType https. (NEVISPROXY-7747)
  • FIXED: We fixed the issue of high CPU usage after the upgrade to OpenSSL 3.5. (NEVISPROXY-7752)
  • CHANGED: We improved the URL encoding when using ClearFrames in the IdentityCreationFilter. (NEVISPROXY-7753)
  • UPGRADED: We upgraded to Apache HTTP Server 2.4.66. (NEVISPROXY-7742)
  • UPGRADED: We upgraded to OpenSSL version 3.5.5. (NEVISPROXY-7772)

Notes

Upgrade to apache httpd/2.4.66

The fix for the security issue CVE-2025-23048 in Apache httpd 2.4.64, which had been weakened in nevisProxy version 8.2505.5, is now fully implemented.

Requests in a Kubernetes setup could now be blocked with the status code 421 ("Misdirected Request") if the ingress is not SNI aware. See also https://bz.apache.org/bugzilla/show_bug.cgi?id=69743. In that case you can weaken the protection via the new parameter SSLVHostSNIPolicy in navajo.xml. We recommend doing this only if your entrypoint itself is protected against CVE-2025-23048.

nevisProxy 8.2511.1 - 11.12.2025

Changes and new features

  • FIXED: We fixed the issue that the ErrorFilter blocked the 'Set-Cookie' header when it was set in the 'Keep-Headers' parameter. (NEVISPROXY-7731)
  • CHANGED: The "nevisproxy" CLI tool no longer modifies LD_LIBRARY_PATH when it calls system binaries. (NEVISPROXY-7739)

nevisProxy 8.2511.0 - 26.11.2025

  • NEW: We added the function luaEscape to the Helper class. (NEVISPROXY-7688)
  • NEW: We made the CountryIpFilter's database lookup customizable with the new parameter EnvMap. (NEVISPROXY-7678)
  • NEW: We added %ot and %os to the ch.nevis.navajo.tracing.TraceId.Format. (NEVISPROXY-7628)
  • NEW: We added the parameter 'IsAliveURI.EnablePing' to the LoadBalancingServlet. (NEVISPROXY-7617)
  • NEW: We added the QosFilter. (NEVISPROXY-7616)
  • NEW: We added the parameters FailoverThresholdCount and FailoverThresholdCount.LifeTime to the LoadBalancerServlet. (NEVISPROXY-7596)
  • NEW: We added the parameter IsAliveURI.StatusCodes to the LoadBalancerServlet. (NEVISPROXY-7595)
  • NEW: We added the algorithm failover to the LoadBalancerServlet. (NEVISPROXY-7594)
  • NEW: We added standard port rewriting support to the RewriteResponseRequestUri and RewriteResponsePathInfo profiles. (NEVISPROXY-6106)
  • FIXED: We fixed the issue that the PostgresSessionStoreServlet did not work properly if used inside a MultiLevelSessionStoreServlet. (NEVISPROXY-7710)
  • FIXED: We fixed the issue that the invS was not logged for the LogoutURI call in the HttpConnectorServlet. (NEVISPROXY-7696)
  • FIXED: We fixed the issue that the close notify alerts from backend were ignored. (NEVISPROXY-7674)
  • FIXED: We fixed the issue that timeouts were ignored in the configured ForwardProxy in the BackendConnectorServlet. (NEVISPROXY-7653)
  • FIXED: We fixed the WebsocketServlet to work with a HeaderRewriteFilter. (NEVISPROXY-7636)
  • FIXED: We fixed the issue that the rewriting profiles for the BackendConnectorServlet did not work correctly if the default ports were written in the URL. (NEVISPROXY-7002)
  • FIXED: We fixed the issue that long lasting websocket connections could be closed because of a session timeout. (NEVISPROXY-6085)
  • CHANGED: The query parameters of the frontend are no longer sent to the MaintenanceServlet in the MaintenanceFilter. (NEVISPROXY-7717)
  • CHANGED: We improved the Cookie tracing in NProxyOP. (NEVISPROXY-7668)
  • CHANGED: We added a workaround for the deprecated Apache parameter SSLCertificateChainFile. (NEVISPROXY-7610)
  • CHANGED: The FileReaderServlet now supports JSON files by default as well. (NEVISPROXY-7603)
  • CHANGED: The synchronization between the MainServlet and the BackupServlet of the MultiLevelSessionStoreServlet has been improved. (NEVISPROXY-7586)
  • CHANGED: We improved the KeepAlive Connection Pool behaviour of the BackendConnectorServlet. (NEVISPROXY-7476)
  • CHANGED: The tracegroups NavajoOp and NProxyOp now also trace the number of bytes received by the frontend. (NEVISPROXY-7448)
  • CHANGED: The session reaping has been improved in the PostgreSQLCacheTable. (NEVISPROXY-6613)
  • CHANGED: Condition support has been improved for the parameters RequestURL, RequestURI, RequestHeader and ResponseHeader of the RewriteFilter. (NEVISPROXY-6088)
  • UPGRADED: We upgraded to nghttp2 1.68.0. (NEVISPROXY-7714)
  • UPGRADED: We upgraded to OpenSSL version 3.5.4. (NEVISPROXY-7692)
  • UPGRADED: We upgraded the libprimus library to version 2.4.0 in the nevisProxy docker image. (NEVISPROXY-7662)
  • UPGRADED: We upgraded to Apache httpd 2.4.64. (NEVISPROXY-7650)
  • DEPRECATED: We deprecated the attributes generalResourceDir and useStyleSheet in navajo.xml. (NEVISPROXY-7713)
  • DEPRECATED: We deprecated the parameter CookieManager.PassthroughParsed in the CookieCacheFilter. (NEVISPROXY-7642)
  • DEPRECATED: We deprecated the getVersion/setVersion cookie rewriting in the LuaFilter and RewriteFilter. (NEVISPROXY-7605)
  • DEPRECATED: We deprecated the legacy nevisproxy pkcs#11 URLs. (NEVISPROXY-7186)
  • REMOVED: We removed the support of Set-Cookie2 headers. (NEVISPROXY-6449)
  • DOCUMENTATION: We documented how to configure the Securosys OpenSSL provider for backend connections. (NEVISPROXY-7556)
info

This nevisProxy 8.2511 November 2025 release is the last version of the current rolling release (8.x). It will become the base of the next LTS release in May (8.2605.x). As of May, the major versions of the new rolling releases start with version number "9". Check the Appendix H (Deprecation List) in order to see what will be removed in this new rolling release.

Notes

Backward compatibility issues
OpenSSL upgrade
  • RSA keys are now required to be at least 2048 bits long
  • Certain old ciphers might no longer be usable
The apache parameter SSLCertificateChainFile

The SSLCertificateChainFile has been deprecated by Apache. Therefore nevisProxy will merge the file configured as SSLCACertificateFile with the file configured as SSLCertificateChainFile and store the result in a new file saved into the /var/opt/nevisproxy/<instance>/run directory. This file will be set as SSLCACertificateFile.

If for some reason the proxy doesn't start after this merge you have two options:

As a quick fix (to not be blocked) you can set the bc property:

ch.nevis.navajo.AllowSSLCertificateChainFile=true

As a proper fix, use only the attribute SSLCACertificateFile. Put into the configured file the end-entity (leaf) certificate followed by the intermediate CA certificates, sorted from leaf to root.
See also https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatefile

RewriteFilter refactoring

Due to the refactoring of the RewriteFilter, the following parameters behave differently if a condition is set:

  • RequestURL
  • RequestURI
  • RequestHeader
  • ResponseHeader

If a Condition is followed by several rules, you have to add a Pragma block begin/end around them to keep the previous behavior.

For example if the configuration looks like this:

Condition:HEADER:test-case:^requestheader$
Req-header-1:value1:value_one
Req-header-2:value2:value_two

You have to change it to:

Condition:HEADER:test-case:^requestheader$
Pragma: block-begin
Req-header-1:value1:value_one
Req-header-2:value2:value_two
Pragma: block-end

Without this change, only the first entry after the Condition will be triggered if the condition matches. The subsequent entry will always be triggered.

For more information about conditional parameters see the chapter Conditional parameters and pragmas.
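A migration check for the Condition change described above, as an added example (not nevisProxy code): it flags every Condition that is directly followed by two or more rules without a Pragma block and can insert the block markers. It assumes one entry per line and that a run of rules ends at a blank line, the next Condition, a Pragma line or the end of input; everything in the sample beyond the release note's own three lines is constructed.

```python
import re

CONDITION = re.compile(r"^Condition:")
PRAGMA = re.compile(r"^Pragma:\s*block-(begin|end)\s*$")

# Constructed sample. The first three lines are the "before" configuration from
# the release note; the remaining entries are made up for illustration.
SAMPLE = """\
Condition:HEADER:test-case:^requestheader$
Req-header-1:value1:value_one
Req-header-2:value2:value_two

Condition:HEADER:test-case:^other$
Pragma: block-begin
Req-header-3:value3:value_three
Req-header-4:value4:value_four
Pragma: block-end

Condition:HEADER:test-case:^single$
Req-header-5:value5:value_five
"""


def line_kind(line):
    """Classify one RewriteFilter parameter line (assumed: one entry per line)."""
    stripped = line.strip()
    if not stripped:
        return "blank"
    if CONDITION.match(stripped):
        return "condition"
    if PRAGMA.match(stripped):
        return "pragma"
    return "rule"


def find_unscoped_conditions(text):
    """Return one finding per Condition that is directly followed by two or
    more rules with no Pragma block. Line numbers are 1-based."""
    lines = text.splitlines()
    findings = []
    i = 0
    while i < len(lines):
        if line_kind(lines[i]) != "condition":
            i += 1
            continue
        # Collect the run of rules that directly follows this Condition.
        j = i + 1
        while j < len(lines) and line_kind(lines[j]) == "rule":
            j += 1
        rule_lines = list(range(i + 2, j + 1))
        if len(rule_lines) >= 2:
            findings.append({
                "condition": i + 1,
                # Per the release note: only the first entry stays conditional,
                # the subsequent ones are always triggered.
                "still_conditional": rule_lines[0],
                "now_unconditional": rule_lines[1:],
            })
        i = j
    return findings


def add_pragma_blocks(text):
    """Wrap each flagged run of rules in Pragma block-begin / block-end."""
    lines = text.splitlines()
    # Work bottom-up so earlier line numbers stay valid while inserting.
    for finding in reversed(find_unscoped_conditions(text)):
        last_rule = finding["now_unconditional"][-1]
        lines.insert(last_rule, "Pragma: block-end")
        lines.insert(finding["condition"], "Pragma: block-begin")
    return "\n".join(lines) + ("\n" if text.endswith("\n") else "")


if __name__ == "__main__":
    for finding in find_unscoped_conditions(SAMPLE):
        print("Condition on line %d: rule(s) on line(s) %s would always be applied"
              % (finding["condition"], finding["now_unconditional"]))
    print(add_pragma_blocks(SAMPLE))
```

Review every flagged Condition before applying the rewrite, since the check cannot know whether the later rules were meant to be conditional.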

NProxyOP and NavajoOP tracing

In NProxyOP and NavajoOP tracing we trace the number of bytes received by the frontend (bRF in NProxyOP, bF in NavajoOP). You might have to adapt any scripts that parse these log lines.

Set-Cookie2 headers and RFC 2109 based cookies

The Set-Cookie2 header is now treated like any other header and is no longer handled as a Cookie header. Cookies now have to be RFC 6265 compliant.

nevisOperator

nevisoperator 8.2511.2 - 26.02.2026

  • NEW: We added support for Gateway API. (IP-1263)
  • CHANGED: We upgraded the Go version to 1.25.7. (IP-1263)

nevisoperator 8.2511.1 - 05.02.2026

  • CHANGED: We set the Go flag x509negativeserial=1 to allow processing of certificates with a negative serial. (NEVISADMV4-10668)

Tools

nevis-ubi-tools 1.5.0 - 26.02.2026

  • CHANGED: New tools were added: java21, openssl and kubectl. (IP-1409)

Component versions

The following versions are part of this release. All of them are under Full Support until the next RR upgrade becomes available.

Component | Artifact name | Version** | RHEL 8* | RHEL 9* | SLES 15*
nevisAppliance | nevisappliance | 8.2511.3.0, 8.2511.2.0, 8.2511.1.0, 8.2511.0.0 | n/a | n/a | n/a
nevisAdapt | nevisadapt | 8.2511.2.5, 8.2511.1.3, 8.2511.0.6
nevisAdmin 4 | nevisadmin4 | 8.2511.3.1, 8.2511.2.5, 8.2511.1.1, 8.2511.0.9
nevisAuth | nevisauth | 8.2511.3.1, 8.2511.2.3, 8.2511.1.2
nevisCred | neviscred | 2.0.20.0
nevisDataPorter | nevisdp | 8.2511.2.2, 8.2511.1.2, 8.2511.0.4
nevisDetect | nevisdetect, nevisdetectcl | 8.2511.1.4, 8.2511.0.4
nevisFIDO | nevisfido, nevisfidocl | 8.2511.2.3, 8.2511.1.2, 8.2511.0.4
nevisIDM | nevisidm, nevisidmcl, nevisidmdb | 8.2511.3.0, 8.2511.2.3, 8.2511.1.5, 8.2511.0.4
nevisIDM | adnooprint | 7.2311.0.6565033000
nevisKeybox | neviskeybox | 2.2.5.0
nevisLogRend | nevislogrend | 8.2511.1.2, 8.2511.0.2
nevisMeta | nevismeta | 8.2511.1.3, 8.2511.0.4
nevisProxy | nevisproxy | 8.2511.2.1, 8.2511.1.0, 8.2511.0.0
Ninja | ninja | 8.2505.3.1 | n/a | n/a | n/a
Ninwin | ninwin | 2.3.5.0 | n/a | n/a | n/a

*) Tested with the latest available patch level.

**) Versions in bold changed compared to the previous release.

Third-party dependencies

The following third-party software is often used by Nevis components. Some of the software is included within nevisAppliance.

Below you find the latest supported versions.

Third-Party Software | Version
JVM (OpenJDK) | ✅ 21.0.10
MariaDB | ✅ 11.4
PostgreSQL | ✅ 17

Mobile Apps

Mobile apps and the Mobile SDK are released independently of the component releases. Refer to the following pages: