v2.32.7

Changelog

BREAKING CHANGES

• fix(coderd)!: restrict OIDC email fallback to first-time account linking (#25712, 670cd42)
• fix!: reject OIDC login when email_verified claim is non-bool or absent (#25713, 0fbee8f)
• fix!: validate HostnameSuffix and SSHConfigOptions' (#26154, 2dcde52) (@johnstcn)
• fix!: only trust x-forwarded-host from configured trusted proxies (conflicts) (#26204, a992c2c) (@geokat)

Bug fixes

• Clamp template port sharing level in SubAgentAPI (#26061, 5621b75)
• Use a random value for a simulated hash for built-in users (#26205, 027cf9a) (@sreya)
• Require update permission to recreate devcontainers (#25812, cc895f6)
• Escape agent log HTML (#25808, d3e330c)
• Escape appearance values in HTML output (#25804, 74f08d1)
• Server: Verify workspace owner matches app username (#26085, 4c968b6) (@geokat)
• Server: Prevent cross-tenant workspace app rebinding (#26103, 8e0a083) (@dylanhuff-at-coder)
• Agent: Prevent command injection in shell execer (#26235, 94ee8fb) (@zedkipp)
• Validate agent-supplied AllowedIPs in coordinator (#26144, fa933af) (@f0ssel)
• Prevent session token exfiltration via external app URLs (#26146, 37332e6) (@zedkipp)
• Server: Prevent user-admin from resetting owner password (#25709, 931d4fa)
• Reject oversized and invalid zip uploads (#25877, 1f6ccf9)
• Validate FileSize in NewDataBuilder to prevent OOM DoS (#25710, 2cabbc3)
• Rename bundled rstudio.svg to rproject.svg, add real RStudio icon (#26216, eb297f3) (@nickvigilante)
• Check user user is active in aibridge auth (conflicts) (#26173, 5114fd4) (@pawbana)
• Always verify TLS on aibridgeproxyd upstream transport (#26131, 0374b00) (@ssncferreira)

Chores

• Backport release action (#26143, 7ef8201)

Compare: v2.32.6...v2.32.7

Container image

• docker pull ghcr.io/coder/coder:2.32.7

Install/upgrade

Refer to our docs to install or upgrade Coder, or use a release asset below.