Releases: pomerium/pomerium
v0.14.2
v0.14.1
v0.14.0
New
- databroker: store issued at timestamp with session #2173 (@calebdoxsey)
- config: add support for set_response_headers in a policy #2171 (@calebdoxsey)
- authenticate,proxy: add same site lax to cookies #2159 (@calebdoxsey)
- xds extended event #2158 (@wasaga)
- config: add client_crl #2157 (@calebdoxsey)
- config: add support for codec_type #2156 (@calebdoxsey)
- controlplane: save configuration events to databroker #2153 (@calebdoxsey)
- control plane: add request id to all error pages #2149 (@desimone)
- let pass custom dial opts #2144 (@wasaga)
- envoy: re-implement recommended defaults #2123 (@calebdoxsey)
- Drop tun.cfg.dstHost from jwtCacheKey #2115 (@bl0m1)
- config: remove validate side effects #2109 (@calebdoxsey)
- log context #2107 (@wasaga)
- databroker: add options for maximum capacity #2095 (@calebdoxsey)
- envoyconfig: move most bootstrap config to shared package #2088 (@calebdoxsey)
- envoy: refactor controlplane xds to new envoyconfig package #2086 (@calebdoxsey)
- config: rename headers to set_response_headers #2081 (@calebdoxsey)
- crypto: use actual bytes of shared secret, not the base64 encoded representation #2075 (@calebdoxsey)
- cryptutil: use bytes for hmac #2067 (@calebdoxsey)
- cryptutil: always use kek public id, add x509 support #2066 (@calebdoxsey)
- authorize: additional tracing, add benchmark for encryptor #2059 (@calebdoxsey)
- authorize: audit logging #2050 (@calebdoxsey)
- support host:port in metrics_address #2042 (@wasaga)
- databroker: return server version in Get #2039 (@wasaga)
- authorize: add databroker server and record version to result, force sync via polling #2024 (@calebdoxsey)
- protoutil: add generic transformer #2023 (@calebdoxsey)
- cryptutil: add envelope encryption w/key encryption key and data encryption key #2020 (@calebdoxsey)
- autocert: add metrics for renewal count, total and next expiration #2019 (@calebdoxsey)
- telemetry: add installation id #2017 (@calebdoxsey)
- config: use getters for certificates #2001 (@calebdoxsey)
- config: use getters for authenticate, signout and forward auth urls #2000 (@calebdoxsey)
- xds: use ALPN Auto config for upstream protocol when possible #1995 (@calebdoxsey)
- envoy: upgrade to v1.17.1 #1993 (@calebdoxsey)
- redis: add redis cluster support #1992 (@calebdoxsey)
- redis: add support for redis-sentinel #1991 (@calebdoxsey)
- authorize: set JWT to expire after 5 minutes #1980 (@calebdoxsey)
- identity: infer email from mail claim #1977 (@calebdoxsey)
- ping: identity and directory providers #1975 (@calebdoxsey)
- config: add rewrite_response_headers to protobuf #1962 (@calebdoxsey)
- config: add rewrite_response_headers option #1961 (@calebdoxsey)
- assets: use embed instead of statik #1960 (@calebdoxsey)
- config: log config source changes #1959 (@calebdoxsey)
- config: multiple endpoints for authorize and databroker #1957 (@calebdoxsey)
- telemetry: add process collector for envoy #1948 (@calebdoxsey)
- use build_info as liveness gauge metric #1940 (@wasaga)
- metrics: add TLS options #1939 (@calebdoxsey)
- identity: record metric for last refresh #1936 (@calebdoxsey)
- middleware: basic auth equalize lengths of input #1934 (@desimone)
- autocert: remove non-determinism #1932 (@calebdoxsey)
- config: add metrics_basic_auth option #1917 (@calebdoxsey)
- envoy: validate binary checksum #1908 (@calebdoxsey)
- config: support map of jwt claim headers #1906 (@calebdoxsey)
- Remove internal/protoutil. #1893 (@yegle)
- databroker: refactor databroker to sync all changes #1879 (@calebdoxsey)
- config: add CertificateFiles to FileWatcherSource list #1878 (@travisgroth)
- config: allow customization of envoy bootstrap admin options #1872 (@calebdoxsey)
- proxy: implement pass-through for authenticate backend #1870 (@calebdoxsey)
- authorize: move headers and jwt signing to rego #1856 (@calebdoxsey)
Fixed
- deployment: update alpine debug image dependencies #2154 (@travisgroth)
- authorize: refactor store locking #2151 (@calebdoxsey)
- databroker: store server version in backend #2142 (@calebdoxsey)
- authorize: audit log had duplicate "message" key #2141 (@desimone)
- httputil: fix SPDY support with reverse proxy #2134 (@calebdoxsey)
- envoyconfig: fix metrics ingress listener name #2124 (@calebdoxsey)
- authorize: fix empty sub policy arrays #2119 (@calebdoxsey)
- authorize: fix unsigned URL #2118 (@calebdoxsey)
- authorize: support arbitrary jwt claims #2102 (@calebdoxsey)
- authorize: support arbitrary jwt claims #2106 (@github-actions[bot])
- xdsmgr: update resource versions on NACK #2093 (@calebdoxsey)
- config: don't change address value on databroker or authorize #2092 (@travisgroth)
- metrics_address should be optional parameter #2087 (@wasaga)
- propagate changes back from encrypted backend #2079 (@wasaga)
- config: use tls_custom_ca from policy when available #2077 (@calebdoxsey)
- databroker: remove unused installation id, close streams when backend is closed #2062 (@calebdoxsey)
- authenticate: fix default sign out url #2061 (@calebdoxsey)
- change require_proxy_protocol to use_proxy_protocol #2043 (@contrun)
- authorize: bypass data in rego for databroker data #2041 (@calebdoxsey)
- proxy: add nil check for fix-misdirected #2040 (@calebdoxsey)
- config: add headers to config proto #1996 (@calebdoxsey)
- Fix process cpu usage metric #1979 (@wasaga)
- cmd/pomerium: exit 0 for normal shutdown #1958 (@travisgroth)
- proxy: redirect to dashboard for logout #1944 (@calebdoxsey)
- config: fix redirect routes from protobuf #1930 (@travisgroth)
- google: fix ...
v0.14.0-rc2
New
- controlplane: save configuration events to databroker #2153 (@calebdoxsey)
- control plane: add request id to all error pages #2149 (@desimone)
- let pass custom dial opts #2144 (@wasaga)
- envoy: re-implement recommended defaults #2123 (@calebdoxsey)
- Drop tun.cfg.dstHost from jwtCacheKey #2115 (@bl0m1)
- config: remove validate side effects #2109 (@calebdoxsey)
- log context #2107 (@wasaga)
- databroker: add options for maximum capacity #2095 (@calebdoxsey)
Fixed
- deployment: update alpine debug image dependencies #2154 (@travisgroth)
- authorize: refactor store locking #2151 (@calebdoxsey)
- databroker: store server version in backend #2142 (@calebdoxsey)
- authorize: audit log had duplicate "message" key #2141 (@desimone)
- httputil: fix SPDY support with reverse proxy #2134 (@calebdoxsey)
- envoyconfig: fix metrics ingress listener name #2124 (@calebdoxsey)
- authorize: fix empty sub policy arrays #2119 (@calebdoxsey)
- authorize: fix unsigned URL #2118 (@calebdoxsey)
- authorize: support arbitrary jwt claims #2102 (@calebdoxsey)
Security
- deps: bump envoy to 1.17.2 #2113 (@travisgroth)
Documentation
- docs: mention alternative bearer token header format #2155 (@travisgroth)
- docs: upgrade notes on allowed_users by ID #2133 (@travisgroth)
Dependency
- use cached envoy #2132 (@wasaga)
- chore(deps): bump github.com/prometheus/common from 0.20.0 to 0.21.0 #2130 (@dependabot[bot])
- chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.5.1 to 0.6.0 #2129 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.44.0 to 0.45.0 #2128 (@dependabot[bot])
- chore(deps): bump github.com/caddyserver/certmagic from 0.12.0 to 0.13.0 #2074 (@dependabot[bot])
Deployment
- deployment: update get-envoy script and release hooks #2111 (@travisgroth)
- deployment: Publish OS packages to cloudsmith #2105 (@travisgroth)
Changed
- authorize: remove log #2122 (@calebdoxsey)
v0.14.0-rc1
Changelog
New
- envoyconfig: move most bootstrap config to shared package #2088 (@calebdoxsey)
- envoy: refactor controlplane xds to new envoyconfig package #2086 (@calebdoxsey)
- config: rename headers to set_response_headers #2081 (@calebdoxsey)
- crypto: use actual bytes of shared secret, not the base64 encoded representation #2075 (@calebdoxsey)
- directory: remove provider from user id #2068 (@calebdoxsey)
- cryptutil: use bytes for hmac #2067 (@calebdoxsey)
- cryptutil: always use kek public id, add x509 support #2066 (@calebdoxsey)
- authorize: additional tracing, add benchmark for encryptor #2059 (@calebdoxsey)
- authorize: audit logging #2050 (@calebdoxsey)
- support host:port in metrics_address #2042 (@wasaga)
- databroker: return server version in Get #2039 (@wasaga)
- authorize: add databroker server and record version to result, force sync via polling #2024 (@calebdoxsey)
- protoutil: add generic transformer #2023 (@calebdoxsey)
- cryptutil: add envelope encryption w/key encryption key and data encryption key #2020 (@calebdoxsey)
- autocert: add metrics for renewal count, total and next expiration #2019 (@calebdoxsey)
- telemetry: add installation id #2017 (@calebdoxsey)
- config: use getters for certificates #2001 (@calebdoxsey)
- config: use getters for authenticate, signout and forward auth urls #2000 (@calebdoxsey)
- xds: use ALPN Auto config for upstream protocol when possible #1995 (@calebdoxsey)
- envoy: upgrade to v1.17.1 #1993 (@calebdoxsey)
- redis: add redis cluster support #1992 (@calebdoxsey)
- redis: add support for redis-sentinel #1991 (@calebdoxsey)
- authorize: set JWT to expire after 5 minutes #1980 (@calebdoxsey)
- identity: infer email from mail claim #1977 (@calebdoxsey)
- ping: identity and directory providers #1975 (@calebdoxsey)
- config: add rewrite_response_headers to protobuf #1962 (@calebdoxsey)
- config: add rewrite_response_headers option #1961 (@calebdoxsey)
- assets: use embed instead of statik #1960 (@calebdoxsey)
- config: log config source changes #1959 (@calebdoxsey)
- config: multiple endpoints for authorize and databroker #1957 (@calebdoxsey)
- telemetry: add process collector for envoy #1948 (@calebdoxsey)
- use build_info as liveness gauge metric #1940 (@wasaga)
- metrics: add TLS options #1939 (@calebdoxsey)
- identity: record metric for last refresh #1936 (@calebdoxsey)
- middleware: basic auth equalize lengths of input #1934 (@desimone)
- autocert: remove non-determinism #1932 (@calebdoxsey)
- config: add metrics_basic_auth option #1917 (@calebdoxsey)
- envoy: validate binary checksum #1908 (@calebdoxsey)
- config: support map of jwt claim headers #1906 (@calebdoxsey)
- Remove internal/protoutil. #1893 (@yegle)
- databroker: refactor databroker to sync all changes #1879 (@calebdoxsey)
- config: add CertificateFiles to FileWatcherSource list #1878 (@travisgroth)
- config: allow customization of envoy bootstrap admin options #1872 (@calebdoxsey)
- proxy: implement pass-through for authenticate backend #1870 (@calebdoxsey)
- authorize: move headers and jwt signing to rego #1856 (@calebdoxsey)
Fixed
- authorize: support arbitrary jwt claims #2102 (@calebdoxsey)
- xdsmgr: update resource versions on NACK #2093 (@calebdoxsey)
- config: don't change address value on databroker or authorize #2092 (@travisgroth)
- metrics_address should be optional parameter #2087 (@wasaga)
- propagate changes back from encrypted backend #2079 (@wasaga)
- config: use tls_custom_ca from policy when available #2077 (@calebdoxsey)
- databroker: remove unused installation id, close streams when backend is closed #2062 (@calebdoxsey)
- authenticate: fix default sign out url #2061 (@calebdoxsey)
- change require_proxy_protocol to use_proxy_protocol #2043 (@contrun)
- authorize: bypass data in rego for databroker data #2041 (@calebdoxsey)
- proxy: add nil check for fix-misdirected #2040 (@calebdoxsey)
- config: add headers to config proto #1996 (@calebdoxsey)
- Fix process cpu usage metric #1979 (@wasaga)
- cmd/pomerium: exit 0 for normal shutdown #1958 (@travisgroth)
- proxy: redirect to dashboard for logout #1944 (@calebdoxsey)
- config: fix redirect routes from protobuf #1930 (@travisgroth)
- google: fix default provider URL #1928 (@calebdoxsey)
- fix registry test #1911 (@wasaga)
- ci: pin goreleaser version #1900 (@travisgroth)
- onelogin: fix default scopes for v2 #1896 (@calebdoxsey)
- xds: fix misdirected script #1895 (@calebdoxsey)
- authenticate: validate origin of signout #1876 (@desimone)
- redis: fix deletion versioning #1871 (@calebdoxsey)
- options: header only applies to routes and authN #1862 (@desimone)
- controlplane: add global headers to virtualhost #1861 (@desimone)
- unique envoy cluster ids #1858 (@wasaga)
Security
- deps: bump envoy to 1.17.2 #2113 (@travisgroth)
- proxy: restrict programmatic URLs to localhost #2049 (@travisgroth)
- authenticate: validate signature on /.pomerium, /.pomerium/sign_in and /.pomerium/sign_out #2048 (@travisgroth)
Documentation
- docs: add threat model to security page #2097 (@desimone)
- docs: update community slack link #2063 (@travisgroth)
- Update local-oidc.md #1994 (@dharmendrakariya)
- ping: add documentation #1976 (@calebdoxsey)
- docs: add JWT Verification w/Envoy guide #1974 (@calebdoxsey)
- Update data-storage.md #1941 (@TanguyPatte)
- docs: fix query param name #1920 (@calebdoxsey)
- docs: add breaking sa changes in v0.13 #1919 (@desimone)
- docs: add v0.13 to docs site menu #1913 (@travisgroth)
- docs: update changelog for v0.13.0 [#1909](https:/...
v0.13.6
Envoy has released an update to fix several CVEs:
- CVE-2021-28682 (CVSS score 7.5, High): Envoy through 1.17.1, 1.16.2, 1.15.3, and 1.14.6 contains a remotely exploitable integer overflow in which a very large grpc-timeout value causes undefined behavior.
- CVE-2021-28683 (CVSS score 7.5, High): Envoy through 1.17.1 and 1.16.2 contains a remotely exploitable crash in TLS when an unknown TLS alert code is received.
- CVE-2021-29258 (CVSS score 7.5, High): Envoy through 1.17.1, 1.16.2, 1.15.3, and 1.14.6 contains a remotely exploitable crash in Envoy's HTTP2 Metadata, when an empty METADATA map is sent.
This Pomerium patch updates the embedded version of envoy to 1.16.3.
Security
- deps: upgrade envoy to 1.16.3 #2096 (@travisgroth)
Documentation
- docs: update community slack link #2064 (@github-actions[bot])
v0.13.5
Fixed
- change require_proxy_protocol to use_proxy_protocol #2058 (@github-actions[bot])
v0.13.4
This release addresses two security issues in Pomerium:
- GHSA-35vc-w93w-75c2 (CVE-2021-29651)
- GHSA-fv82-r8qv-ch4v (CVE-2021-29652)
Security
- proxy: restrict programmatic URLs to localhost #2047 (@travisgroth)
- authenticate: validate signature on /.pomerium, /.pomerium/sign_in and /.pomerium/sign_out #2046 (@travisgroth)