Releases: pomerium/pomerium
v0.20.1
Security
- This release fixes a bug whereby specially crafted requests could result in incorrect authorization decisions made by Pomerium. CVE-2023-33189.
What's Changed
- storage: ignore removed fields when deserializing the data by @backport-actions-token in #3772
- jwt: require logged in user to return .pomerium/jwt by @backport-actions-token in #3809
- oidc: fix token revocation by @backport-actions-token in #3818
- autocert: use atomic pointer to allow nil by @backport-actions-token in #3817
- identity: fix expired session deletion by @backport-actions-token in #3857
- postgres: return unknown records instead of skipping them (#3876) by @calebdoxsey in #3877
- identity: fix nil reference error when there is no authenticator by @backport-actions-token in #3932
Full Changelog: v0.20.0...v0.20.1
v0.19.2
Security
- This release fixes a bug whereby specially crafted requests could result in incorrect authorization decisions made by Pomerium. CVE-2023-33189.
What's Changed
- postgres: return an empty list of addresses on dns errors by @backport-actions-token in #3638
- ppl: support special characters in claim keys by @backport-actions-token in #3640
- authorize: enforce service account expiration by @backport-actions-token in #3662
- config: disable envoy admin by default, expose stats via envoy route by @backport-actions-token in #3684
- fileutil: update watcher to use fsnotify and polling (#3663) by @calebdoxsey in #3685
- httputil: remove error details by @backport-actions-token in #3705
Full Changelog: v0.19.1...v0.19.2
v0.18.1
Security
- This release fixes a bug whereby specially crafted requests could result in incorrect authorization decisions made by Pomerium. CVE-2023-33189.
What's Changed
- publish to any-distro (#3570) by @calebdoxsey in #3571
- postgres: remove not null constraint on data column of record changes table by @backport-actions-token in #3595
Full Changelog: v0.18.0...v0.18.1
v0.17.4
Security
- This release fixes a bug whereby specially crafted requests could result in incorrect authorization decisions made by Pomerium. CVE-2023-33189.
Full Changelog: v0.17.3...v0.17.4
v0.22.1
What's Changed
- envoyconfig: disable validation context when no client certificates are required by @calebdoxsey in #4152
Full Changelog: v0.22.0...v0.22.1
v0.22.0
Changelog
v0.22.0 (2023-05-01)
New
- config: default to authenticate.pomerium.app when authenticate url is not specified #4132 (@calebdoxsey)
- support loading route configuration via rds #4098 (@calebdoxsey)
- authenticate: have an option to trim the contents of the callback #4090 (@wasaga)
- urlutil: add version to query string #4028 (@calebdoxsey)
- authenticate: fix authenticate_internal_service_url for all in one #4003 (@wasaga)
- cryptutil: generate certificates from deriveca #3992 (@calebdoxsey)
- authenticate: only use csrf none for apple #3979 (@calebdoxsey)
- envoyconfig: preserve case of HTTP headers when using HTTP/1 #3956 (@calebdoxsey)
Fixed
- autocert: fix certmagic cache logging #4134 (@calebdoxsey)
- tls: wildcard catch-all cert must be at the end of cert list #4119 (@wasaga)
- store authenticate state on creation #4064 (@wasaga)
- authorize: move sign out and jwks urls to route, update issuer for JWT #4046 (@calebdoxsey)
- hpke: move published public keys to a new endpoint #4044 (@calebdoxsey)
- config: fix set_response_headers #4026 (@calebdoxsey)
- authorize: allow access to /.pomerium/webauthn when policy denies access #4015 (@calebdoxsey)
- authenticate: don't require a session for sign_out #4007 (@calebdoxsey)
- authenticate: fix identity provider id in encrypted query string #4006 (@calebdoxsey)
- derivecert: fix ecdsa code to be deterministic #3989 (@calebdoxsey)
- fix webauthn url #3983 (@calebdoxsey)
- lua: fix rewrite response headers to handle dashes in URLs #3980 (@calebdoxsey)
- authenticate: save the session cookie with a different name #3978 (@calebdoxsey)
- identity: fix nil reference error when there is no authenticator #3930 (@calebdoxsey)
- authenticate: always trust the passed in idp #3917 (@calebdoxsey)
Dependency
- chore(deps): bump github.com/google/go-jsonnet from 0.19.1 to 0.20.0 #4140 (@dependabot[bot])
- chore(deps): bump github.com/open-policy-agent/opa from 0.49.2 to 0.51.0 #4130 (@dependabot[bot])
- chore(deps): bump github.com/shirou/gopsutil/v3 from 3.23.2 to 3.23.3 #4129 (@dependabot[bot])
- chore(deps): bump github.com/minio/minio-go/v7 from 7.0.50 to 7.0.52 #4128 (@dependabot[bot])
- chore(deps): bump github.com/rs/zerolog from 1.29.0 to 1.29.1 #4127 (@dependabot[bot])
- chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.19 to 1.18.21 #4126 (@dependabot[bot])
- chore(deps): bump coverallsapp/github-action from 2.1.0 to 2.1.2 #4124 (@dependabot[bot])
- chore(deps): bump actions/setup-python from 4.5.0 to 4.6.0 #4123 (@dependabot[bot])
- chore(deps): bump docker/metadata-action from 4.3.0 to 4.4.0 #4122 (@dependabot[bot])
- chore(deps): bump google-github-actions/auth from 1.0.0 to 1.1.0 #4121 (@dependabot[bot])
- dependencies: upgrade go and envoy #4116 (@calebdoxsey)
- chore(deps): bump debian from d4bbca2 to 1fbdbcf #4115 (@dependabot[bot])
- chore(deps): bump golang from 413cd9e to 73c225b #4114 (@dependabot[bot])
- chore(deps): bump golang.org/x/oauth2 from 0.6.0 to 0.7.0 #4113 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.116.0 to 0.118.0 #4112 (@dependabot[bot])
- chore(deps): bump github.com/ory/dockertest/v3 from 3.9.1 to 3.10.0 #4111 (@dependabot[bot])
- chore(deps): bump github.com/prometheus/client_golang from 1.14.0 to 1.15.0 #4110 (@dependabot[bot])
- chore(deps): bump mikefarah/yq from 4.33.1 to 4.33.3 #4109 (@dependabot[bot])
- chore(deps): bump actions/checkout from 3.5.0 to 3.5.2 #4108 (@dependabot[bot])
- chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.30.5 to 1.31.2 #4106 (@dependabot[bot])
- chore(deps): bump golang.org/x/crypto from 0.7.0 to 0.8.0 #4105 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.114.0 to 0.116.0 #4104 (@dependabot[bot])
- chore(deps): bump golang from 1.20.2-buster to 1.20.3-buster #4103 (@dependabot[bot])
- chore(deps): bump distroless/base from 5812871 to 357bc96 #4102 (@dependabot[bot])
- chore(deps): bump github.com/docker/docker from 23.0.1+incompatible to 23.0.3+incompatible #4101 (@dependabot[bot])
- chore(deps): bump coverallsapp/github-action from 2.0.0 to 2.1.0 #4100 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.112.0 to 0.114.0 #4096 (@dependabot[bot])
- chore(deps): bump github.com/open-policy-agent/opa from 0.50.1 to 0.51.0 #4093 (@dependabot[bot])
- chore(deps): bump github.com/opencontainers/runc from 1.1.2 to 1.1.5 #4088 (@dependabot[bot])
- chore(deps): bump debian from c1c4bb9 to d4bbca2 #4085 (@dependabot[bot])
- chore(deps): bump golang from 57dbdd5 to 97c3e1d #4084 (@dependabot[bot])
- chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.10.0 to 0.10.1 #4083 (@dependabot[bot])
- chore(deps): bump google.golang.org/grpc from 1.53.0 to 1.54.0 #4082 (@dependabot[bot])
- chore(deps): bump github.com/minio/minio-go/v7 from 7.0.47 to 7.0.50 #4081 (@dependabot[bot])
- chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.18 to 1.18.19 #4080 (@dependabot[bot])
- chore(deps): bump mikefarah/yq from 4.32.2 to 4.33.1 #4079 (@dependabot[bot])
- chore(deps): bump actions/stale from 7.0.0 to 8.0.0 #4077 (@dependabot[bot])
- chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.9.1 to 0.10.0 #4074 (@dependabot[bot])
- chore(deps): bump github.com/hashicorp/golang-lru/v2 from 2.0.1 to 2.0.2 #4073 (@dependabot[bot])
- chore(deps): bump github.com/open-policy-agent/opa from 0.50.0 to 0.50.1 #4072 (@dependabot[bot])
- chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.15 to 1.18.18 #4070 (@dependabot[bot])
- chore(deps): bump coverallsapp/github-action from 1.2.4 to 2.0.0 #4069 (@dependabot[bot])
- chore(deps): bump actions/checkout from 3.3.0 to 3.4.0 #4068 (@dependabot[bot])
- chore(deps): bump actions/setup-go from 3.5.0 to 4.0.0 #4067 (@dependabot[bot])
- chore(deps): bump mikefarah/yq from 4.31.2 to 4.32.2 #4066 (@dependabot[bot])
- chore(deps): bump golang from 1.20.1-buster to 1.20.2-buster #4060 (@dependabot[bot])
- chore(deps): bump github.com/aws/aws-sdk-go-v2 from 1.17.5 to 1.17.6 #4059 (@dependabot[bot])
-...
v0.21.3
v0.21.2
Changelog
v0.21.2 (2023-02-23)
Changed
- authenticate: fix identity provider id in encrypted query string #4011 (@backport-actions-token[bot])
- authenticate: fix callback handler for split mode #4010 (@backport-actions-token[bot])
- authenticate: don't require a session for sign_out #4009 (@backport-actions-token[bot])
- authenticate: fix authenticate_internal_service_url for all in one #4005 (@backport-actions-token[bot])
- derivecert: fix ecdsa code to be deterministic #3991 (@backport-actions-token[bot])
- fix webauthn url #3988 (@backport-actions-token[bot])
- webauthn: only return known device credentials that match the given type #3987 (@backport-actions-token[bot])
v0.21.1
What's Changed
- authenticate: save the session cookie with a different name by @calebdoxsey in #3984
- lua: fix rewrite response headers to handle dashes in URLs by @calebdoxsey in #3986
Full Changelog: v0.21.0...v0.21.1
v0.21.0
Changelog
v0.21.0 (2023-02-09)
Changed
- docker: switch to debian #3939 (@backport-actions-token[bot])
- identity: fix nil reference error when there is no authenticator #3933 (@backport-actions-token[bot])
- authenticate: always trust the passed in idp #3931 (@backport-actions-token[bot])
- add google cloud creds to ignore #3907 (@backport-actions-token[bot])
- tls_derive: rename for consistency #3905 (@wasaga)
- envoyconfig: clean up filter chain construction #3844 (@calebdoxsey)
- use tlsClientConfig instead of custom dialer #3830 (@wasaga)
- controlplane: remove gorilla handlers dependency #3813 (@calebdoxsey)
- events: remove xds configuration update #3792 (@wasaga)
Breaking
- proxy: add userinfo and webauthn endpoints #3755 (@calebdoxsey)
- remove forward auth #3628 (@calebdoxsey)
New
- scripts: update get-envoy script to download all binaries #3886 (@calebdoxsey)
- explicitly list gRPC services accessible via the gRPC listener #3879 (@wasaga)
- authenticate: add additional error details for hmac errors #3878 (@calebdoxsey)
- auto tls #3856 (@wasaga)
- mTLS: allow gRPC TLS for all in one #3854 (@wasaga)
- authorize: log check() error #3846 (@wasaga)
- config: add support for extended TCP route URLs #3845 (@calebdoxsey)
- derive CA from pre-shared key #3815 (@wasaga)
- httputil: ignore errors < 400 #3781 (@calebdoxsey)
- authenticate: implement hpke-based login flow #3779 (@calebdoxsey)
- identity: add identity profile #3777 (@calebdoxsey)
- urlutil: add time validation functions #3776 (@calebdoxsey)
- httputil: add cookie chunker #3775 (@calebdoxsey)
- config: add option for tls renegotiation #3773 (@calebdoxsey)
- hpke: add HPKE key to JWKS endpoint #3762 (@calebdoxsey)
- hpke: add hpke package #3761 (@calebdoxsey)
Fixed
- config: add missing options #3882 (@calebdoxsey)
- postgres: return unknown records instead of skipping them #3876 (@calebdoxsey)
- config: use insecure skip verify if derived certificates are not used #3861 (@calebdoxsey)
- config: generate derived certificates instead of self-signed certificates #3860 (@calebdoxsey)
- identity: fix expired session deletion #3855 (@calebdoxsey)
- proxy: fix sign out redirect #3827 (@calebdoxsey)
- dashboard: fix missing avatar and logout menu #3819 (@calebdoxsey)
- autocert: use atomic pointer to allow nil #3816 (@calebdoxsey)
- webauthn: require session when accessing /.pomerium/webauthn #3814 (@calebdoxsey)
- oidc: fix token revocation #3810 (@calebdoxsey)
- jwt: require logged in user to return .pomerium/jwt #3807 (@calebdoxsey)
- storage: ignore removed fields when deserializing the data #3768 (@wasaga)
Dependency
- chore(deps): bump debian from 7ca0fec to 12931ad #3904 (@dependabot[bot])
- chore(deps): bump distroless/base from 8ee3d86 to 9eeffdc #3903 (@dependabot[bot])
- chore(deps): bump golang from 1.19.4-buster to 1.19.5-buster #3902 (@dependabot[bot])
- chore(deps): bump alpine from 8914eb5 to f271e74 #3901 (@dependabot[bot])
- chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.7 to 1.18.8 #3900 (@dependabot[bot])
- chore(deps): bump github.com/minio/minio-go/v7 from 7.0.46 to 7.0.47 #3899 (@dependabot[bot])
- chore(deps): bump github.com/open-policy-agent/opa from 0.47.4 to 0.48.0 #3898 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.105.0 to 0.107.0 #3897 (@dependabot[bot])
- chore(deps): bump actions/setup-python from 4.4.0 to 4.5.0 #3896 (@dependabot[bot])
- chore(deps): bump mikefarah/yq from 4.30.6 to 4.30.8 #3895 (@dependabot[bot])
- chore(deps): bump docker/build-push-action from 3.2.0 to 3.3.0 #3894 (@dependabot[bot])
- chore(deps): bump google.golang.org/grpc from 1.51.0 to 1.52.0 #3893 (@dependabot[bot])
- chore(deps): bump distroless/base from 8848703 to 8ee3d86 #3874 (@dependabot[bot])
- chore(deps): bump golang.org/x/crypto from 0.4.0 to 0.5.0 #3873 (@dependabot[bot])
- chore(deps): bump actions/download-artifact from 3.0.1 to 3.0.2 #3872 (@dependabot[bot])
- chore(deps): bump actions/upload-artifact from 3.1.1 to 3.1.2 #3871 (@dependabot[bot])
- chore(deps): bump actions/cache from 3.2.2 to 3.2.3 #3870 (@dependabot[bot])
- chore(deps): bump actions/setup-node from 3.5.1 to 3.6.0 #3869 (@dependabot[bot])
- chore(deps): bump github.com/coreos/go-oidc/v3 from 3.4.0 to 3.5.0 #3868 (@dependabot[bot])
- chore(deps): bump actions/checkout from 3.2.0 to 3.3.0 #3867 (@dependabot[bot])
- chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.29.6 to 1.30.0 #3866 (@dependabot[bot])
- chore(deps): bump golang.org/x/oauth2 from 0.3.0 to 0.4.0 #3865 (@dependabot[bot])
- chore(deps): bump github.com/minio/minio-go/v7 from 7.0.45 to 7.0.46 #3864 (@dependabot[bot])
- chore(deps): bump golang.org/x/net from 0.4.0 to 0.5.0 #3863 (@dependabot[bot])
- chore(deps): bump luxon from 2.3.0 to 2.5.2 in /ui #3862 (@dependabot[bot])
- chore(deps): bump json5 from 2.2.0 to 2.2.3 in /ui #3853 (@dependabot[bot])
- chore(deps): bump actions/stale from 6.0.1 to 7.0.0 #3852 (@dependabot[bot])
- chore(deps): bump actions/cache from 3.0.11 to 3.2.2 #3851 (@dependabot[bot])
- chore(deps): bump github.com/prometheus/procfs from 0.8.0 to 0.9.0 #3850 (@dependabot[bot])
- chore(deps): bump github.com/shirou/gopsutil/v3 from 3.22.11 to 3.22.12 #3849 (@dependabot[bot])
- chore(deps): bump github.com/rs/cors from 1.8.2 to 1.8.3 #3848 (@dependabot[bot])
- chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.29.5 to 1.29.6 #3847 (@dependabot[bot])
- chore(deps): bump golang from e464bb0 to 7c97bae #3843 (@dependabot[bot])
- chore(deps): bump distroless/base from 9283685 to 8848703 #3842 (@dependabot[bot])
- chore(deps): bump debian from 880aa5f to 7ca0fec #3841 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.104.0 to 0.105.0 #3840 (@dependabot[bot])
- chore(deps): bump github.com...