Releases: gogatekeeper/gatekeeper
Releases · gogatekeeper/gatekeeper
2.9.4
2.9.4-rc2
2.9.4-rc1
2.9.3
SECURITY NOTICE:
As fork of louketo-proxy we inherited IMPERSONATION type security vulnerability. There are 2 levels of impact: 1. Unaffected 2. Affected (High Risk)
- Unaffected - if you use one of these options, you are not susceptible to this attack:
--enable-encrypted-token=true--store-url=<redis-url>--enable-idp-session-check=true
- High Risk - if you don't use one of above options
Quick migitation: Enable at least one of above mentioned options
Normal migitation: Upgrade to latest version >=2.9.3
Enhance security: additionally beside upgrade to >=2.9.3 enable one of mentioned options (encryption, store_url, enable-idp-session-check)
Short Description of vulnerability: existing user in your userbase might impersonate other user in your userbase
Detailed description will be provided in 1-2 months (from security reasons)
What's Changed
- Update HMAC description docu by @p53
- Refactor handlers by @p53, Pierre Bogossian bogossian@mail.com, Nikifor Georgiev
- Generate UMA ticket when invalid UMA token but valid resource accessed by @p53
- Enable to use openid-provider-proxy settings in all requests to keycloak by @p53
- Update docu for 2.9.1 by @p53
- Turn off issuer, client id check for refresh token by @p53
- Turn off tok verif refresh by @p53
- Update docu for 2.9.2 by @p53
- Remove refresh token validation, add e2e tests by @p53
- Add tests for skipopenidtlsverify by @p53
- Fix resources-stringslice parsing after urfavecli to v2 upgrade by @p53
- Update docs 2.9.3 by @p53
Contributors
p53