BAU: Bump com.yubico:webauthn-server-core from 2.8.1 to 2.9.0

[dependabot]

Bumps com.yubico:webauthn-server-core from 2.8.1 to 2.9.0.

Release notes

Sourced from com.yubico:webauthn-server-core's releases.

Version 2.9.0

webauthn-server-core:

Security fixes:

• Fixed issue where RelyingParty.finishAssertion and RelyingPartyV2.finishAssertion could return a successful authentication result even though the authenticated credential is owned by a different user than StartAssertionOptions.username. For details see YSA-2026-02: https://www.yubico.com/support/security-advisories/ysa-2026-02/
  • This fix is forward-ported from version 2.8.2 since the issue is also present in pre-release 2.9.0-alpha1.

Fixes:

• Added @since tags to AttestationTrustSource javadoc.

webauthn-server-attestation:

Changes:

• FidoMetadataDownloader builder method .downloadBlob(URL) now logs a warning if the given URL is not an HTTPS URL. Javadoc relaxed to not describe HTTPS as required since this was never enforced.

New features:

• Added AuthenticatorStatus.RETIRED and Filters.notRetired().
• Added AttachmentHint.ATTACHMENT_HINT_SMART_CARD.
  • Thanks to Misagh Moayyed and Erlend Nukke for the contribution, see Yubico/java-webauthn-server#468 and Yubico/java-webauthn-server#467
• Added UNKNOWN constant to all enums in com.yubico.fido.metadata:
  • AttachmentHint
  • AuthenticationAlgorithm
  • AuthenticatorAttestationType
  • CtapCertificationId
  • CtapPinUvAuthProtocolVersion
  • CtapVersion
  • ProtocolFamily
  • PublicKeyRepresentationFormat
  • TransactionConfirmationDisplayType
• Added enum constant CtapVersion.FIDO_2_3.
• Added missing fields to FIDO MDS data model:
  • AuthenticatorGetInfo: attestationFormats, longTouchForReset, uvCountSinceLastPinEntry, transportsForReset, pinComplexityPolicy, pinComplexityPolicyURL, maxPINLength, authenticatorConfigCommands
  • BiometricAccuracyDescriptor: iAPARThreshold
  • MetadataStatement: friendlyNames, iconDark, providerLogoLight, providerLogoDark, keyScope, multiDeviceCredentialSupport, cxpConfigURL
  • StatusReport: certificationProfiles, sunsetDate, fipsRevision, fipsPhysicalSecurityLevel
• FidoMetadataDownloader now sends the If-None-Match request header set to the "no" of the cached BLOB, if any, and handles 304 Not Modified responses appropriately.
• In FidoMetadataDownloader if a BLOB download request returns an HTTP failure status, but returns an ETag response header matching the "no" of the cached BLOB, if any, this is now interpreted like a successful 304 Not Modified response.
• Added .cachePolicy setting to FidoMetadataDownloader to allow dynamically opting out of falling back to cache when a BLOB download fails.

Fixes:

• Added @since tags to AuthenticatorStatus and FidoMetadataService javadoc.
• All com.yubico.fido.metadata enums now deserialize unknown values to UNKOWN instead of crashing the parser.

Artifacts built with openjdk version "17.0.18" 2026-01-20.

... (truncated)

Changelog

Sourced from com.yubico:webauthn-server-core's changelog.

== Version 2.9.0 ==

webauthn-server-core:

Security fixes:

• Fixed issue where RelyingParty.finishAssertion and RelyingPartyV2.finishAssertion could return a successful authentication result even though the authenticated credential is owned by a different user than StartAssertionOptions.username. For details see CVE-[TBD] or YSA-2026-02: https://www.yubico.com/support/security-advisories/ysa-2026-02/ ** This fix is forward-ported from version 2.8.2 since the issue is also present in pre-release 2.9.0-alpha1.

Fixes:

• Added @since tags to AttestationTrustSource javadoc.

webauthn-server-attestation:

Changes:

• FidoMetadataDownloader builder method .downloadBlob(URL) now logs a warning if the given URL is not an HTTPS URL. Javadoc relaxed to not describe HTTPS as required since this was never enforced.

New features:

• Added AuthenticatorStatus.RETIRED and Filters.notRetired().
• Added AttachmentHint.ATTACHMENT_HINT_SMART_CARD. ** Thanks to Misagh Moayyed and Erlend Nukke for the contribution, see Yubico/java-webauthn-server#468 and Yubico/java-webauthn-server#467
• Added UNKNOWN constant to all enums in com.yubico.fido.metadata: ** AttachmentHint ** AuthenticationAlgorithm ** AuthenticatorAttestationType ** CtapCertificationId ** CtapPinUvAuthProtocolVersion ** CtapVersion ** ProtocolFamily ** PublicKeyRepresentationFormat ** TransactionConfirmationDisplayType
• Added enum constant CtapVersion.FIDO_2_3.
• Added missing fields to FIDO MDS data model: ** AuthenticatorGetInfo: attestationFormats, longTouchForReset, uvCountSinceLastPinEntry, transportsForReset, pinComplexityPolicy, pinComplexityPolicyURL, maxPINLength, authenticatorConfigCommands ** BiometricAccuracyDescriptor: iAPARThreshold ** MetadataStatement: friendlyNames, iconDark, providerLogoLight,

... (truncated)

Commits

• fc2fff3 Release 2.9.0
• ada34a4 Add cachePolicy option to dynamically opt out of MDS cache fallback
• a218c2f Fix JavaDoc of FidoMetadataDownloader URL config incorrectly stating HTTPS is...
• ed1f50b Remodel NotModified from throwable to value type
• 983674d Add comment about resolving ETag for non-429 FIDO MDS responses
• 4016c5d Eliminate unnecessary lambda
• 08d4e9d Add YSA-2026-02 to 2.9.0 release notes too
• 66c75da Merge branch 'release-2.8.2' into release-2.9.0
• 6f92b2a Release 2.8.2
• 480051f Validate requested length in ByteArrayInputStream.read(int)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)