v2.29.17
Changelog
BREAKING CHANGES
- Only trust x-forwarded-host from configured trusted proxies (#26204, 77896dd) (@geokat)
- fix(coderd)!: restrict OIDC email fallback to first-time account linking (#25712, ed7e924)
- fix!: reject OIDC login when email_verified claim is non-bool or absent (#25713, 3db810c)
- fix!: validate HostnameSuffix and SSHConfigOptions (#26154, 320e549)
Bug fixes
- Server: Verify workspace owner matches app username (#26085, e01d3f4)
- Reject oversized and invalid zip uploads (#25877, 069f6cf)
- Escape agent log HTML (#25808, a51dbcf)
- Agent: Prevent command injection in shell execer (#26235, 4aa84f2) (@zedkipp)
- Server: Prevent user-admin from resetting owner password (#25709, 833eaf8)
- Validate FileSize in NewDataBuilder to prevent OOM DoS (#25710, 6f5ff1b)
- Validate agent-supplied AllowedIPs in coordinator (backport #26144) (#26295, 9181b84)
- Server: Prevent cross-tenant workspace app rebinding (#26103, c05b4d9) (@dylanhuff-at-coder)
- CLI: Prevent session token exfiltration via external app URLs (#26146, 2044599) (@zedkipp)
- Clamp template port sharing level in SubAgentAPI (#26061, c1889d0)
- Server: Use a random value for a simulated hash for built-in users (#26205, 0951f90)
- Server: Require update permission to recreate devcontainers (#25812, 18ded82)
- Dashboard: Escape appearance values in HTML output (#25804, 77253bf)
Compare: v2.29.16...v2.29.17
Container image
docker pull ghcr.io/coder/coder:2.29.17
Install/upgrade
Refer to our docs to install or upgrade Coder, or use a release asset below.