v0.20.1

Security

• This release fixes a bug whereby specially crafted requests could result in incorrect authorization decisions made by Pomerium. CVE-2023-33189.

What's Changed

• storage: ignore removed fields when deserializing the data by @backport-actions-token in #3772
• jwt: require logged in user to return .pomerium/jwt by @backport-actions-token in #3809
• oidc: fix token revocation by @backport-actions-token in #3818
• autocert: use atomic pointer to allow nil by @backport-actions-token in #3817
• identity: fix expired session deletion by @backport-actions-token in #3857
• postgres: return unknown records instead of skipping them (#3876) by @calebdoxsey in #3877
• identity: fix nil reference error when there is no authenticator by @backport-actions-token in #3932

Full Changelog: v0.20.0...v0.20.1

v0.19.2

Security

• This release fixes a bug whereby specially crafted requests could result in incorrect authorization decisions made by Pomerium. CVE-2023-33189.

What's Changed

• postgres: return an empty list of addresses on dns errors by @backport-actions-token in #3638
• ppl: support special characters in claim keys by @backport-actions-token in #3640
• authorize: enforce service account expiration by @backport-actions-token in #3662
• config: disable envoy admin by default, expose stats via envoy route by @backport-actions-token in #3684
• fileutil: update watcher to use fsnotify and polling (#3663) by @calebdoxsey in #3685
• httputil: remove error details by @backport-actions-token in #3705

Full Changelog: v0.19.1...v0.19.2

v0.18.1

Security

• This release fixes a bug whereby specially crafted requests could result in incorrect authorization decisions made by Pomerium. CVE-2023-33189.

What's Changed

• publish to any-distro (#3570) by @calebdoxsey in #3571
• postgres: remove not null constraint on data column of record changes table by @backport-actions-token in #3595

Full Changelog: v0.18.0...v0.18.1

v0.17.4

Security

• This release fixes a bug whereby specially crafted requests could result in incorrect authorization decisions made by Pomerium. CVE-2023-33189.

Full Changelog: v0.17.3...v0.17.4

v0.22.1

What's Changed

• envoyconfig: disable validation context when no client certificates are required by @calebdoxsey in #4152

Full Changelog: v0.22.0...v0.22.1

v0.22.0

Changelog

v0.22.0 (2023-05-01)

Full Changelog

New

• config: default to authenticate.pomerium.app when authenticate url is not specified #4132 (@calebdoxsey)
• support loading route configuration via rds #4098 (@calebdoxsey)
• authenticate: have an option to trim the contents of the callback #4090 (@wasaga)
• urlutil: add version to query string #4028 (@calebdoxsey)
• authenticate: fix authenticate_internal_service_url for all in one #4003 (@wasaga)
• cryptutil: generate certificates from deriveca #3992 (@calebdoxsey)
• authenticate: only use csrf none for apple #3979 (@calebdoxsey)
• envoyconfig: preserve case of HTTP headers when using HTTP/1 #3956 (@calebdoxsey)

Fixed

• autocert: fix certmagic cache logging #4134 (@calebdoxsey)
• tls: wildcard catch-all cert must be at the end of cert list #4119 (@wasaga)
• store authenticate state on creation #4064 (@wasaga)
• authorize: move sign out and jwks urls to route, update issuer for JWT #4046 (@calebdoxsey)
• hpke: move published public keys to a new endpoint #4044 (@calebdoxsey)
• config: fix set_response_headers #4026 (@calebdoxsey)
• authorize: allow access to /.pomerium/webauthn when policy denies access #4015 (@calebdoxsey)
• authenticate: don't require a session for sign_out #4007 (@calebdoxsey)
• authenticate: fix identity provider id in encrypted query string #4006 (@calebdoxsey)
• derivecert: fix ecdsa code to be deterministic #3989 (@calebdoxsey)
• fix webauthn url #3983 (@calebdoxsey)
• lua: fix rewrite response headers to handle dashes in URLs #3980 (@calebdoxsey)
• authenticate: save the session cookie with a different name #3978 (@calebdoxsey)
• identity: fix nil reference error when there is no authenticator #3930 (@calebdoxsey)
• authenticate: always trust the passed in idp #3917 (@calebdoxsey)

Dependency

• chore(deps): bump github.com/google/go-jsonnet from 0.19.1 to 0.20.0 #4140 (@dependabot[bot])
• chore(deps): bump github.com/open-policy-agent/opa from 0.49.2 to 0.51.0 #4130 (@dependabot[bot])
• chore(deps): bump github.com/shirou/gopsutil/v3 from 3.23.2 to 3.23.3 #4129 (@dependabot[bot])
• chore(deps): bump github.com/minio/minio-go/v7 from 7.0.50 to 7.0.52 #4128 (@dependabot[bot])
• chore(deps): bump github.com/rs/zerolog from 1.29.0 to 1.29.1 #4127 (@dependabot[bot])
• chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.19 to 1.18.21 #4126 (@dependabot[bot])
• chore(deps): bump coverallsapp/github-action from 2.1.0 to 2.1.2 #4124 (@dependabot[bot])
• chore(deps): bump actions/setup-python from 4.5.0 to 4.6.0 #4123 (@dependabot[bot])
• chore(deps): bump docker/metadata-action from 4.3.0 to 4.4.0 #4122 (@dependabot[bot])
• chore(deps): bump google-github-actions/auth from 1.0.0 to 1.1.0 #4121 (@dependabot[bot])
• dependencies: upgrade go and envoy #4116 (@calebdoxsey)
• chore(deps): bump debian from d4bbca2 to 1fbdbcf #4115 (@dependabot[bot])
• chore(deps): bump golang from 413cd9e to 73c225b #4114 (@dependabot[bot])
• chore(deps): bump golang.org/x/oauth2 from 0.6.0 to 0.7.0 #4113 (@dependabot[bot])
• chore(deps): bump google.golang.org/api from 0.116.0 to 0.118.0 #4112 (@dependabot[bot])
• chore(deps): bump github.com/ory/dockertest/v3 from 3.9.1 to 3.10.0 #4111 (@dependabot[bot])
• chore(deps): bump github.com/prometheus/client_golang from 1.14.0 to 1.15.0 #4110 (@dependabot[bot])
• chore(deps): bump mikefarah/yq from 4.33.1 to 4.33.3 #4109 (@dependabot[bot])
• chore(deps): bump actions/checkout from 3.5.0 to 3.5.2 #4108 (@dependabot[bot])
• chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.30.5 to 1.31.2 #4106 (@dependabot[bot])
• chore(deps): bump golang.org/x/crypto from 0.7.0 to 0.8.0 #4105 (@dependabot[bot])
• chore(deps): bump google.golang.org/api from 0.114.0 to 0.116.0 #4104 (@dependabot[bot])
• chore(deps): bump golang from 1.20.2-buster to 1.20.3-buster #4103 (@dependabot[bot])
• chore(deps): bump distroless/base from 5812871 to 357bc96 #4102 (@dependabot[bot])
• chore(deps): bump github.com/docker/docker from 23.0.1+incompatible to 23.0.3+incompatible #4101 (@dependabot[bot])
• chore(deps): bump coverallsapp/github-action from 2.0.0 to 2.1.0 #4100 (@dependabot[bot])
• chore(deps): bump google.golang.org/api from 0.112.0 to 0.114.0 #4096 (@dependabot[bot])
• chore(deps): bump github.com/open-policy-agent/opa from 0.50.1 to 0.51.0 #4093 (@dependabot[bot])
• chore(deps): bump github.com/opencontainers/runc from 1.1.2 to 1.1.5 #4088 (@dependabot[bot])
• chore(deps): bump debian from c1c4bb9 to d4bbca2 #4085 (@dependabot[bot])
• chore(deps): bump golang from 57dbdd5 to 97c3e1d #4084 (@dependabot[bot])
• chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.10.0 to 0.10.1 #4083 (@dependabot[bot])
• chore(deps): bump google.golang.org/grpc from 1.53.0 to 1.54.0 #4082 (@dependabot[bot])
• chore(deps): bump github.com/minio/minio-go/v7 from 7.0.47 to 7.0.50 #4081 (@dependabot[bot])
• chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.18 to 1.18.19 #4080 (@dependabot[bot])
• chore(deps): bump mikefarah/yq from 4.32.2 to 4.33.1 #4079 (@dependabot[bot])
• chore(deps): bump actions/stale from 7.0.0 to 8.0.0 #4077 (@dependabot[bot])
• chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.9.1 to 0.10.0 #4074 (@dependabot[bot])
• chore(deps): bump github.com/hashicorp/golang-lru/v2 from 2.0.1 to 2.0.2 #4073 (@dependabot[bot])
• chore(deps): bump github.com/open-policy-agent/opa from 0.50.0 to 0.50.1 #4072 (@dependabot[bot])
• chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.15 to 1.18.18 #4070 (@dependabot[bot])
• chore(deps): bump coverallsapp/github-action from 1.2.4 to 2.0.0 #4069 (@dependabot[bot])
• chore(deps): bump actions/checkout from 3.3.0 to 3.4.0 #4068 (@dependabot[bot])
• chore(deps): bump actions/setup-go from 3.5.0 to 4.0.0 #4067 (@dependabot[bot])
• chore(deps): bump mikefarah/yq from 4.31.2 to 4.32.2 #4066 (@dependabot[bot])
• chore(deps): bump golang from 1.20.1-buster to 1.20.2-buster #4060 (@dependabot[bot])
• chore(deps): bump github.com/aws/aws-sdk-go-v2 from 1.17.5 to 1.17.6 #4059 (@dependabot[bot])
  -...

v0.21.3

Changelog

v0.21.3 (2023-03-23)

Full Changelog

Changed

• ci: build version branch images #4062 (@backport-actions-token[bot])
• authorize: move sign out and jwks urls to route, update issuer for JWT #4049 (@backport-actions-token[bot])
• hpke: move published public keys to a new endpoint #4048 (@backport-actions-token[bot])

v0.21.2

Changelog

v0.21.2 (2023-02-23)

Full Changelog

Changed

• authenticate: fix identity provider id in encrypted query string #4011 (@backport-actions-token[bot])
• authenticate: fix callback handler for split mode #4010 (@backport-actions-token[bot])
• authenticate: don't require a session for sign_out #4009 (@backport-actions-token[bot])
• authenticate: fix authenticate_internal_service_url for all in one #4005 (@backport-actions-token[bot])
• derivecert: fix ecdsa code to be deterministic #3991 (@backport-actions-token[bot])
• fix webauthn url #3988 (@backport-actions-token[bot])
• webauthn: only return known device credentials that match the given type #3987 (@backport-actions-token[bot])

v0.21.1

What's Changed

• authenticate: save the session cookie with a different name by @calebdoxsey in #3984
• lua: fix rewrite response headers to handle dashes in URLs by @calebdoxsey in #3986

Full Changelog: v0.21.0...v0.21.1

v0.21.0

Changelog

v0.21.0 (2023-02-09)

Full Changelog

Changed

• docker: switch to debian #3939 (@backport-actions-token[bot])
• identity: fix nil reference error when there is no authenticator #3933 (@backport-actions-token[bot])
• authenticate: always trust the passed in idp #3931 (@backport-actions-token[bot])
• add google cloud creds to ignore #3907 (@backport-actions-token[bot])
• tls_derive: rename for consistency #3905 (@wasaga)
• envoyconfig: clean up filter chain construction #3844 (@calebdoxsey)
• use tlsClientConfig instead of custom dialer #3830 (@wasaga)
• controlplane: remove gorilla handlers dependency #3813 (@calebdoxsey)
• events: remove xds configuraton update #3792 (@wasaga)

Breaking

• proxy: add userinfo and webauthn endpoints #3755 (@calebdoxsey)
• remove forward auth #3628 (@calebdoxsey)

New

• scripts: update get-envoy script to download all binaries #3886 (@calebdoxsey)
• explicitly list gRPC services accessible via the gRPC listener #3879 (@wasaga)
• authenticate: add additional error details for hmac errors #3878 (@calebdoxsey)
• auto tls #3856 (@wasaga)
• mTLS: allow gRPC TLS for all in one #3854 (@wasaga)
• authorize: log check() error #3846 (@wasaga)
• config: add support for extended TCP route URLs #3845 (@calebdoxsey)
• derive CA from pre-shared key #3815 (@wasaga)
• httputil: ignore errors < 400 #3781 (@calebdoxsey)
• authenticate: implement hpke-based login flow #3779 (@calebdoxsey)
• identity: add identity profile #3777 (@calebdoxsey)
• urlutil: add time validation functions #3776 (@calebdoxsey)
• httputil: add cookie chunker #3775 (@calebdoxsey)
• config: add option for tls renegotiation #3773 (@calebdoxsey)
• hpke: add HPKE key to JWKS endpoint #3762 (@calebdoxsey)
• hpke: add hpke package #3761 (@calebdoxsey)

Fixed

• config: add missing options #3882 (@calebdoxsey)
• postgres: return unknown records instead of skipping them #3876 (@calebdoxsey)
• config: use insecure skip verify if derived certificates are not used #3861 (@calebdoxsey)
• config: generate derived certificates instead of self-signed certificates #3860 (@calebdoxsey)
• identity: fix expired session deletion #3855 (@calebdoxsey)
• proxy: fix sign out redirect #3827 (@calebdoxsey)
• dashboard: fix missing avatar and logout menu #3819 (@calebdoxsey)
• autocert: use atomic pointer to allow nil #3816 (@calebdoxsey)
• webauthn: require session when accessing /.pomerium/webauthn #3814 (@calebdoxsey)
• oidc: fix token revocation #3810 (@calebdoxsey)
• jwt: require logged in user to return .pomerium/jwt #3807 (@calebdoxsey)
• storage: ignore removed fields when deserializing the data #3768 (@wasaga)

Dependency

• chore(deps): bump debian from 7ca0fec to 12931ad #3904 (@dependabot[bot])
• chore(deps): bump distroless/base from 8ee3d86 to 9eeffdc #3903 (@dependabot[bot])
• chore(deps): bump golang from 1.19.4-buster to 1.19.5-buster #3902 (@dependabot[bot])
• chore(deps): bump alpine from 8914eb5 to f271e74 #3901 (@dependabot[bot])
• chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.7 to 1.18.8 #3900 (@dependabot[bot])
• chore(deps): bump github.com/minio/minio-go/v7 from 7.0.46 to 7.0.47 #3899 (@dependabot[bot])
• chore(deps): bump github.com/open-policy-agent/opa from 0.47.4 to 0.48.0 #3898 (@dependabot[bot])
• chore(deps): bump google.golang.org/api from 0.105.0 to 0.107.0 #3897 (@dependabot[bot])
• chore(deps): bump actions/setup-python from 4.4.0 to 4.5.0 #3896 (@dependabot[bot])
• chore(deps): bump mikefarah/yq from 4.30.6 to 4.30.8 #3895 (@dependabot[bot])
• chore(deps): bump docker/build-push-action from 3.2.0 to 3.3.0 #3894 (@dependabot[bot])
• chore(deps): bump google.golang.org/grpc from 1.51.0 to 1.52.0 #3893 (@dependabot[bot])
• chore(deps): bump distroless/base from 8848703 to 8ee3d86 #3874 (@dependabot[bot])
• chore(deps): bump golang.org/x/crypto from 0.4.0 to 0.5.0 #3873 (@dependabot[bot])
• chore(deps): bump actions/download-artifact from 3.0.1 to 3.0.2 #3872 (@dependabot[bot])
• chore(deps): bump actions/upload-artifact from 3.1.1 to 3.1.2 #3871 (@dependabot[bot])
• chore(deps): bump actions/cache from 3.2.2 to 3.2.3 #3870 (@dependabot[bot])
• chore(deps): bump actions/setup-node from 3.5.1 to 3.6.0 #3869 (@dependabot[bot])
• chore(deps): bump github.com/coreos/go-oidc/v3 from 3.4.0 to 3.5.0 #3868 (@dependabot[bot])
• chore(deps): bump actions/checkout from 3.2.0 to 3.3.0 #3867 (@dependabot[bot])
• chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.29.6 to 1.30.0 #3866 (@dependabot[bot])
• chore(deps): bump golang.org/x/oauth2 from 0.3.0 to 0.4.0 #3865 (@dependabot[bot])
• chore(deps): bump github.com/minio/minio-go/v7 from 7.0.45 to 7.0.46 #3864 (@dependabot[bot])
• chore(deps): bump golang.org/x/net from 0.4.0 to 0.5.0 #3863 (@dependabot[bot])
• chore(deps): bump luxon from 2.3.0 to 2.5.2 in /ui #3862 (@dependabot[bot])
• chore(deps): bump json5 from 2.2.0 to 2.2.3 in /ui #3853 (@dependabot[bot])
• chore(deps): bump actions/stale from 6.0.1 to 7.0.0 #3852 (@dependabot[bot])
• chore(deps): bump actions/cache from 3.0.11 to 3.2.2 #3851 (@dependabot[bot])
• chore(deps): bump github.com/prometheus/procfs from 0.8.0 to 0.9.0 #3850 (@dependabot[bot])
• chore(deps): bump github.com/shirou/gopsutil/v3 from 3.22.11 to 3.22.12 #3849 (@dependabot[bot])
• chore(deps): bump github.com/rs/cors from 1.8.2 to 1.8.3 #3848 (@dependabot[bot])
• chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.29.5 to 1.29.6 #3847 (@dependabot[bot])
• chore(deps): bump golang from e464bb0 to 7c97bae #3843 (@dependabot[bot])
• chore(deps): bump distroless/base from 9283685 to 8848703 #3842 (@dependabot[bot])
• chore(deps): bump debian from 880aa5f to 7ca0fec #3841 (@dependabot[bot])
• chore(deps): bump google.golang.org/api from 0.104.0 to 0.105.0 #3840 (@dependabot[bot])
• chore(deps): bump github.com...