Releases: pomerium/pomerium
v0.26.0
v0.26.0 Changes
v0.26.0 includes improved support for the Pomerium Zero beta.
Breaking
Changes that are expected to cause an incompatibility.
- config: remove deprecated client_ca option by @kenjenkins in #4918
- envoy: set explicit hostname on cluster endpoints by @kenjenkins in #5018
New
- authenticate: apply branding to sign out pages by @kenjenkins in #5044
- authorize: return non-html errors on denied by @calebdoxsey in #4904
- authorize: log service account user ID by @kenjenkins in #4964
- authorize: add support for rego print statements by @calebdoxsey in #5049
- config: implement direct response by @calebdoxsey in #4960
- config: add runtime flags by @wasaga in #5050
- config: disable gRPC ingress when address is the empty string by @calebdoxsey in #5058
- config: add support for TCP proxy chaining by @kenjenkins in #5053
- config: add support for stripping the port for matching routes by @calebdoxsey in #5085
- databroker: disable identity manager user refresh when hosted authenticate is used by @calebdoxsey in #4905
- envoy: only enable port reuse on linux by @calebdoxsey in #5066
- envoy: format envoy local replies by @calebdoxsey in #5067
- envoy: clean up temporary directory on start by @calebdoxsey in #4914
- identity: add enabler by @calebdoxsey in #5084
- identity: refactor identity manager by @calebdoxsey in #5091
- logging: less verbose logs by @calebdoxsey in #5040
- identity: dynamic authenticator registration by @calebdoxsey in #5105
- ppl: add client cert SAN match criteria by @kenjenkins in #4913
- ppl: add groups criterion by @calebdoxsey in #4916
- ui: fix page title by @calebdoxsey in #4957
- zero: add storage health check by @wasaga in #5074
- zero: upgrade oapi-codegen by @calebdoxsey in #4953
- zero: add service accounts support by @wasaga in #5031
- zero: lower log level by @calebdoxsey in #5065
- zero: add route reachability health check by @wasaga in #5093
- zero: health check building config from databroker source by @wasaga in #5104
Fixes
- authenticate: redirect to /.pomerium/signed_out when no signout redirect url is defined by @calebdoxsey in #5060
- envoy: exclude unauthorized access from local replies by @calebdoxsey in #5108
- kubernetes: fix impersonate group header by @calebdoxsey in #5090
- zero: add gRPC keep-alive by @wasaga in #4961
- zero: fix ticker usage by @calebdoxsey in #4969
- zero: fix bootstrap config path by @wasaga in #5035
Changed
- authenticate: rework CORS headers log entry by @kenjenkins in #4900
- authorize: result denied improvements by @calebdoxsey in #4952
- core: use context.WithoutCancel by @calebdoxsey in #4959
- core: switch to uber mock by @calebdoxsey in #5073
- core: move telemetry requestid to pkg directory by @calebdoxsey in #4911
- config: remove cookie secure option by @calebdoxsey in #4907
- config: fix typo by @wasaga in #4963
- envoy: enable TCP keepalive for internal clusters by @kenjenkins in #4902
- envoy: upgrade to v1.30.1 by @kenjenkins in #5080
- envoy: migrate deprecated overload setting by @kenjenkins in #5082
- envoy: address strconv.Atoi warnings by @kenjenkins in #5076
- envoy: preserve Go's max file limit for Envoy by @kenjenkins in #5102
- logging: use standard logger by @wasaga in #5096
- opa: update for rego 1.0 by @calebdoxsey in #4895
- ui: improve frontend build size by @calebdoxsey in #5109
- ui: adds upstream error page by @nhayfield in #5113
- zero: update oapi-codegen by @calebdoxsey in #4898
- zero: remove unused changeset code by @wasaga in #4915
- zero: simplify control loop lease retry code by @wasaga in #4979
- zero: reset back to inmem databroker if connection string is empty by @wasaga in #4955
- zero: add shared secret to the cluster bootstrap params by @wasaga in #5030
- zero: add common healthcheck package, zero reporter and first xds check by @wasaga in #5059
- zero: add checks for ability to save bootstrap parameter and bundle status reporting by @wasaga in #5064
- zero: only report healthcheck transitions by @wasaga in #5068
- zero: add user-agent to requests by @wasaga in #5078
- zero: add connect health check by @wasaga in #5086
Dependency Updates
- chore(deps): bump github.com/opencontainers/runc from 1.1.5 to 1.1.12 by @dependabot in #4919
- chore(deps): bump node from 8d0f16f to fd01154 by @dependabot in #4921
- chore(deps): bump golang from 1.21.5-bookworm to 1.21.6-bookworm by @dependabot in #4920
- chore(deps): bump google.golang.org/api from 0.154.0 to 0.161.0 by @dependabot in #4938
- chore(deps): bump google.golang.org/grpc from 1.60.1 to 1.61.0 by @dependabot in #4948
- chore(deps): bump actions/upload-artifact from 4.0.0 to 4.3.0 by @dependabot in #4922
- chore(deps): bump docker/metadata-action from 5.4.0 to 5.5.1 by @dependabot in #4923
- chore(deps): bump google-github-actions/setup-gcloud from 2.0.1 to 2.1.0 by @dependabot in #4924
- chore(deps): bump google-github-actions/auth from 2.0.0 to 2.1.0 by @dependabot in #4925
- chore(deps): bump github.com/klauspost/compress from 1.17.4 to 1.17.5 by @dependabot in #4940
- chore(deps): bump busybox from ba76950 to 6d9ac92 in /.github by @dependabot in #4950
- chore(deps): bump github.com/prometheus/common from 0.45.0 to 0.46.0 by @dependabot in #4949
- chore(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc from 0.44.0 to 0.45.0 by @dependabot in #4947
- chore(deps): bump go.opentelemetry.io/otel/sdk/metric from 1.21.0 to 1.22.0 by @dependabot in #4946
- chore(deps): bump github.com/shirou/gopsutil/v3 from 3.23.12 to 3.24.1 by @dependabot in #4928
- chore(deps): bump github.com/google/uuid from 1.5.0 to 1.6.0 by @dependabot in #4933
- chore(deps): bump github.com/aws/aws-sdk-go-v2 from 1.24.0 to 1.24.1 by @dependabot in #4930
- chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.47.7 to 1.48.1 by @dependabot in #4939
- chore(deps): bump github.com/open-policy-agent/opa from 0.60.0 to 0.61.0 by @dependabot in #4937
- chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.26.2 to 1.26.6 by @dependabot in #4932
- chore(deps): bump github.com/jackc/pgx/v5 from 5.5.1 to 5.5.2 by @dependabot in #4944
- chore(deps): bump github.com/envoyproxy/go-control-plane from 0.11.1 to 0.12.0 by @dependabot in #4935
- chore(deps): bump git...
v0.25.2
v0.25.1
What's Changed
Changed
- connect: add gRPC keep-alive by @wasaga in #4962
- core/zero: fix ticker usage by @calebdoxsey in #5019
- core/ci: check docker base images by @calebdoxsey in #5028
- ci: bump Go to 1.21.8 in docker by @wasaga in #5027
Full Changelog: v0.25.0...v0.25.1
v0.25.0
v0.25.0 Changes
Breaking
Changes that are expected to cause an incompatibility.
- config: remove support for base64 encoded certificates in the certificates field. It may only contain file locations. See #4718 by @calebdoxsey for details.
- config: remove debug option, always use json logs by @calebdoxsey in #4857
New
- Initial support for the Pomerium Zero closed beta is included in this release.
- authenticate: Refactoring identity authenticators to initiate redirect. For AWS Cognito, please allow the following sign out https://{AUTHENTICATE_DOMAIN}/.pomerium/signed_out URL. See more details in #4858 by @calebdoxsey.
Fixes
- config: add support for maps in environments, i.e. env IDP_REQUEST_PARAMS='{"x":"y"}' ... by @calebdoxsey in #4717
- core: fix graceful stop by @calebdoxsey in #4865
- databroker: prevent nil data in the databroker deleted records by @wasaga in #4736
- databroker: fix nil data unmarshal by @calebdoxsey in #4734
- databroker: hijack connections for notification listeners by @calebdoxsey in #4806
- databroker: REDIS backend has been removed in the previous release, #4768 by @calebdoxsey cleans up some remaining references.
- databroker: fix Patch() error handling for in-memory databroker backend by @kenjenkins in #4838
- envoy: Rewrite the remove_pomerium_cookie lua function to handle = inside of cookie values. by @calebdoxsey in #4641
- metrics: enforce text/plain metric format by @kenjenkins in #4774
- zero: group funcs that need run within a lease by @wasaga in #4862
Changed
- authenticate: Update the initialization logic for the authenticate, authorize, and proxy services to automatically select between the stateful authentication flow and the stateless authentication flow, depending on whether Pomerium is configured to use the hosted authenticate service. This change ensures a single IdP session is maintained for all user visits, enabling a single sign out behaviour for installations with IdP configured. By @kenjenkins in #4765
- authenticate: move events.go out of internal/authenticateflow by @kenjenkins in #4852
- authenticate: remove extra UpdateUserInfo() call by @kenjenkins in #4813
- authenticate: getUserInfoData() cleanup by @kenjenkins in #4818
- authenticate: move stateless flow logic by @kenjenkins in #4820
- authenticate: move logAuthenticateEvent by @kenjenkins in #4821
- authenticate: add stateful flow by @kenjenkins in #4822
- authenticate: change how sessions are deleted by @kenjenkins in #4893
- authenticate: verify redirect in Callback test by @kenjenkins in #4894
- config: remove unnecessary authenticate route when using hosted authenticate (authenticate.pomerium.app) by @calebdoxsey in #4719
- config: Add a global config option for pass_identity_headers, in addition to existing per-route option by @calebdoxsey in #4720
- config: disable strict-transport-security header with staging autocert by @calebdoxsey in #4741
- config: no longer stub out HPKE public key fetch by @kenjenkins in #4853
- runtime: update to Go 1.21.4 by @kenjenkins in #4770
- runtime: automatically determine goroutine max cap by @calebdoxsey in #4766
- session: add unit tests for gRPC wrapper methods by @kenjenkins in #4713
- tests: renew test certs by @kenjenkins in #4738
- tests: add tool for renewing test certs by @kenjenkins in #4742
- tests: re-generate test configurations by @kenjenkins in #4816
- tests: check for profile cookies by @kenjenkins in #4847
- zero: rebase and merge feature/zero branch by @kenjenkins in #4745
- zero: fix restart behavior by @kenjenkins in #4753
- zero: use os.UserCacheDir for bootstrap config path by @kenjenkins in #4744
- zero: better code reuse by @wasaga in #4758
- zero: set drwx------ for cache dir by @wasaga in #4764
- zero: support gzipped blobs by @wasaga in #4767
- zero: add linear probabilistic counter for MAU estimation by @wasaga in #4776
- zero: use production urls by default by @wasaga in #4814
- zero: add more verbose logging about background control loops by @wasaga in #4815
- zero: calculate DAU and MAU by @wasaga in #4810
- zero: add reporter by @wasaga in #4855
- zero: add support for managed mode from config file by @calebdoxsey in #4756
Dependency Updates
- bump github.com/go-jose/go-jose/v3 from 3.0.0 to 3.0.1 by @dependabot in #4760
- bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.40.0 to 1.42.1 by @dependabot in #4751
- bump github.com/google/go-cmp from 0.5.9 to 0.6.0 by @dependabot in #4685
- bump github.com/google/uuid from 1.3.1 to 1.4.0 by @dependabot in #4677
- bump golang.org/x/time from 0.3.0 to 0.5.0 by @dependabot in #4796
- bump github.com/mattn/go-isatty from 0.0.19 to 0.0.20 by @dependabot in #4801
- bump golang.org/x/net from 0.17.0 to 0.19.0 by @dependabot in #4792
- bump mikefarah/yq from 4.35.2 to 4.40.3 by @dependabot in #4780
- bump docker/build-push-action from 5.0.0 to 5.1.0 by @dependabot in #4777
- bump golang.org/x/sync from 0.3.0 to 0.5.0 by @dependabot in #4748
- bump distroless/base-debian12 from d2890b2 to 5e24c7a by @dependabot in #4658
- bump github.com/minio/minio-go/v7 from 7.0.63 to 7.0.65 by @dependabot in #4812
- bump google-github-actions/auth from 1.1.1 to 2.0.0 by @dependabot in #4778
- bump node from 42a4d97 to 5f21943 by @dependabot in #4659
- bump google.golang.org/api from 0.143.0 to 0.153.0 by @dependabot in #4835
- bump actions/setup-go from 4.1.0 to 5.0.0 by @dependabot in #4830
- bump golang from 1.21.4-bookworm to 1.21.5-bookworm by @dependabot in #4828
- bump mikefarah/yq from 4.40.3 to 4.40.4 by @dependabot in #4829
- bump github.com/caddyserver/certmagic from 0.19.2 to 0.20.0 by @dependabot in #4836
- bump github.com/yuin/gopher-lua from 1.1.0 to 1.1.1 by @dependabot in #4832
- bump docker/metadata-action from 5.0.0 to 5.3.0 by @dependabot in #4826
- bump actions/setup-python from 4.7.0 to 5.0.0 by @dependabot in #4827
- bump github.com/VictoriaMetrics/fastcache from 1.12.1 to 1.12.2 by @dependabot in #4802
- bump github.com/shirou/gopsutil/v3 from 3.23.9 to 3.23.11 by @dependabot in #4794
- bump github.com/gorilla/mux from 1.8.0 to 1.8.1 by @dependabot in #4790
- bump busybox from 3fbc632 to 1ceb872 in /.github by @dependabot in #4824
- bump actions/stale from 8.0.0 to 9.0.0 by @dependabot in #4825
- bump github.com/klauspost/compress from 1.17.0 to 1.17.4 by @dependabot in #4798
- bump github.com/open-policy-agent/opa from 0.57.0 to 0.59.0 by @dependabot in #4799
- bump golang.org/x/oauth2 from 0.12.0 to 0.15.0 by @dependabot ...
v0.24.0
What's Changed
Breaking
- config: remove set_authorization_header option by @kenjenkins in #4489
- databroker: remove redis storage backend by @kenjenkins in #4699
- core/config: remove support for base64 encoded certificates by @backport-actions-token in #4725
New
Fixes
- core/identity: fix slow restart by @calebdoxsey in #4542
- core/authenticate: validate the identity profile by @calebdoxsey in #4545
- core/authorize: check for expired tokens by @calebdoxsey in #4543
- core/authenticate: refactor idp sign out by @calebdoxsey in #4582
- core/storage: fix nil data unmarshal by @backport-actions-token in #4739
Changed
- cryptutil: remove unused functions by @kenjenkins in #4541
- Add metric request error in log by @sylr in #4585
- Docs: remove tcp example by @ZPain8464 in #4616
- config: do not add route headers to global map by @kenjenkins in #4629
- identity: override TokenSource expiry behavior by @kenjenkins in #4632
- upgrade envoy to v1.28.0 by @kenjenkins in #4635
- identity: preserve session refresh schedule by @kenjenkins in #4633
- identity: rework session refresh error handling by @kenjenkins in #4638
- core/config: add config version, additional telemetry by @calebdoxsey in #4645
- protoutil: add OverwriteMasked method by @kenjenkins in #4651
- core/hpke: reduce memory usage from zstd by @calebdoxsey in #4650
- core/controlplane: apply configuration changes in a background thread by @calebdoxsey in #4649
- core/config: remove version by @calebdoxsey in #4653
- core/config: refactor change dispatcher by @calebdoxsey in #4657
- core/filemgr: use xxhash instead of sha512 for filenames by @calebdoxsey in #4697
- xds: add type url to log by @wasaga in #4696
- core/events: refactor the events.Target to use mutexes instead of a background goroutine by @calebdoxsey in #4700
- storage/inmemory: implement patch operation by @kenjenkins in #4654
- storage/postgres: implement patch operation by @kenjenkins in #4656
- databroker: add patch method by @kenjenkins in #4704
- proto: add id to certificate by @wasaga in #4706
- databroker: add utility recordset and changeset by @wasaga in #4701
- databroker: add reconciler by @wasaga in #4709
- core/config: refactor file watcher by @calebdoxsey in #4702
- rework session updates to use new patch method by @kenjenkins in #4705
- authorize: reuse policy evaluators where possible by @kenjenkins in #4710
- reconciler: allow custom comparison function by @backport-actions-token in #4727
- core/config: add support for maps in environments by @backport-actions-token in #4728
- authorize: build evaluators cache in parallel by @backport-actions-token in #4731
- core/envoy: fix remove cookie lua script by @backport-actions-token in #4732
- databroker: changeset: prevent nil data in the deleted records by @backport-actions-token in #4737
- integration: renew test certs by @backport-actions-token in #4740
Dependency Updates
- chore(deps): bump node from 850d8e1 to f41231b by @dependabot in #4533
- chore(deps): bump google.golang.org/api from 0.134.0 to 0.138.0 by @dependabot in #4532
- chore(deps): bump github.com/jackc/pgx/v5 from 5.4.2 to 5.4.3 by @dependabot in #4531
- chore(deps): bump github.com/open-policy-agent/opa from 0.55.0 to 0.56.0 by @dependabot in #4530
- chore(deps): bump github.com/hashicorp/golang-lru/v2 from 2.0.4 to 2.0.6 by @dependabot in #4528
- chore(deps): bump github.com/minio/minio-go/v7 from 7.0.61 to 7.0.63 by @dependabot in #4527
- chore(deps): bump github.com/aws/aws-sdk-go-v2 from 1.20.0 to 1.21.0 by @dependabot in #4524
- chore(deps): bump github.com/shirou/gopsutil/v3 from 3.23.7 to 3.23.8 by @dependabot in #4519
- chore(deps): bump github.com/google/uuid from 1.3.0 to 1.3.1 by @dependabot in #4517
- chore(deps): bump golangci/golangci-lint-action from 3.6.0 to 3.7.0 by @dependabot in #4499
- chore(deps): bump actions/checkout from 3.5.3 to 3.6.0 by @dependabot in #4496
- chore(deps): bump github.com/caddyserver/certmagic from 0.19.1 to 0.19.2 by @dependabot in #4526
- chore(deps): bump github.com/openzipkin/zipkin-go from 0.4.1 to 0.4.2 by @dependabot in #4523
- chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.32 to 1.18.38 by @dependabot in #4522
- chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.38.1 to 1.38.5 by @dependabot in #4521
- chore(deps): bump actions/setup-go from 4.0.1 to 4.1.0 by @dependabot in #4497
- chore(deps): bump docker/setup-buildx-action from 2.9.1 to 2.10.0 by @dependabot in #4498
- chore(deps): bump go.uber.org/zap from 1.24.0 to 1.25.0 by @dependabot in #4516
- chore(deps): bump cloud.google.com/go/storage from 1.31.0 to 1.32.0 by @dependabot in #4518
- chore(deps): bump tibdex/github-app-token from 1.8.0 to 1.8.2 by @dependabot in #4505
- chore(deps): bump mikefarah/yq from 4.34.2 to 4.35.1 by @dependabot in #4503
- chore(deps): bump goreleaser/goreleaser-action from 4.3.0 to 4.4.0 by @dependabot in #4502
- chore(deps): bump actions/setup-node from 3.7.0 to 3.8.1 by @dependabot in #4501
- chore(deps): bump @fontsource/dm-mono from 4.5.2 to 5.0.11 in /ui by @dependabot in #4515
- chore(deps-dev): bump ts-node from 10.4.0 to 10.9.1 in /ui by @dependabot in #4279
- chore(deps): bump @fontsource/dm-sans from 5.0.3 to 5.0.11 in /ui by @dependabot in #4508
- chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.38 to 1.18.40 by @dependabot in #4581
- chore(deps): bump golang.org/x/oauth2 from 0.11.0 to 0.12.0 by @dependabot in #4580
- chore(deps): bump cloud.google.com/go/storage from 1.32.0 to 1.33.0 by @dependabot in #4579
- chore(deps): bump busybox from caa382c to 3fbc632 in /.github by @dependabot in #4549
- chore(deps): bump node from f41231b to 7923c64 by @dependabot in #4551
- chore(deps): bump docker/login-action from 2.2.0 to 3.0.0 by @dependabot in #4552
- chore(deps): bump docker/metadata-action from 4.6.0 to 5.0.0 by @dependabot in #4553
- chore(deps): bump docker/build-push-action from 4.1.1 to 5.0.0 by @dependabot in #4554
- chore(deps): bump actions/upload-artifact from 3.1.2 to 3.1.3 by @dependabot in #4557
- chore(deps): bump coverallsapp/github-action from 2.2.1 to 2.2.3 by @dependabot in #4560
- chore(deps): bump docker/setup-qemu-action from 2.2.0 to 3.0.0 by @dependabot in #4559
- chore(deps): bump tibdex/github-app-token from 1.8.2 to 2.0.0 by @dependabot in #4556
- chore(deps): bump goreleaser/goreleaser-action from 4.4.0 to 5.0.0 by @dependabot in https://github.com/pomerium/pomerium/pull...
v0.23.0
Changelog
v0.23.0 (2023-08-24)
New
- authorize: log id token claims separately from id token #4394 (@calebdoxsey)
- adds success colors for statuses in the 200 range #4314 (@nhayfield)
- config: add cookie_same_site option #4148 (@calebdoxsey)
- hpke: compress query string #4147 (@calebdoxsey)
- authenticate: add aws cognito #4137 (@wasaga)
Fixed
- autocert: suppress OCSP stapling errors #4371 (@calebdoxsey)
- config: validate log levels #4367 (@calebdoxsey)
- config: update logic for checking overlapping certificates #4216 (@calebdoxsey)
- databroker: fix fast forward #4192 (@calebdoxsey)
- databroker: sort configs #4190 (@calebdoxsey)
- envoy: set re2 limits very high #4187 (@calebdoxsey)
- fix WillHaveCertificateForServerName check to be strict match for derived cert name #4167 (@wasaga)
- envoyconfig: disable validation context when no client certificates are required #4151 (@calebdoxsey)
Dependency
- chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.27 to 1.18.32 #4436 (@dependabot[bot])
- chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.36.0 to 1.38.1 #4435 (@dependabot[bot])
- chore(deps): bump docker/setup-buildx-action from 2.8.0 to 2.9.1 #4433 (@dependabot[bot])
- chore(deps): bump actions/setup-node from 3.6.0 to 3.7.0 #4432 (@dependabot[bot])
- chore(deps): bump mikefarah/yq from 4.34.1 to 4.34.2 #4431 (@dependabot[bot])
- chore(deps): bump coverallsapp/github-action from 2.2.0 to 2.2.1 #4430 (@dependabot[bot])
- chore(deps): bump actions/setup-python from 4.6.1 to 4.7.0 #4429 (@dependabot[bot])
- chore(deps): bump node from 3801c22 to 850d8e1 #4416 (@dependabot[bot])
- chore(deps): bump github.com/minio/minio-go/v7 from 7.0.59 to 7.0.61 #4415 (@dependabot[bot])
- chore(deps): bump google.golang.org/grpc from 1.56.1 to 1.57.0 #4411 (@dependabot[bot])
- chore(deps): bump github.com/jackc/pgx/v5 from 5.4.1 to 5.4.2 #4409 (@dependabot[bot])
- chore(deps): bump github.com/go-chi/chi/v5 from 5.0.8 to 5.0.10 #4407 (@dependabot[bot])
- chore(deps): bump github.com/rs/zerolog from 1.29.1 to 1.30.0 #4406 (@dependabot[bot])
- chore(deps): bump github.com/open-policy-agent/opa from 0.54.0 to 0.55.0 #4404 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.130.0 to 0.134.0 #4403 (@dependabot[bot])
- chore(deps): bump github.com/shirou/gopsutil/v3 from 3.23.6 to 3.23.7 #4402 (@dependabot[bot])
- chore(deps): bump github.com/caddyserver/certmagic from 0.18.2 to 0.19.1 #4401 (@dependabot[bot])
- chore(deps): bump github.com/prometheus/procfs from 0.11.0 to 0.11.1 #4400 (@dependabot[bot])
- chore(deps): bump github.com/peterbourgon/ff/v3 from 3.3.2 to 3.4.0 #4399 (@dependabot[bot])
- dependencies: upgrade otel #4395 (@calebdoxsey)
- chore(deps): bump word-wrap from 1.2.3 to 1.2.4 in /ui #4369 (@dependabot[bot])
- chore(deps): bump semver from 6.3.0 to 6.3.1 in /ui #4350 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.128.0 to 0.130.0 #4348 (@dependabot[bot])
- chore(deps): bump github.com/caddyserver/certmagic from 0.18.0 to 0.18.2 #4334 (@dependabot[bot])
- chore(deps): bump github.com/minio/minio-go/v7 from 7.0.57 to 7.0.59 #4333 (@dependabot[bot])
- chore(deps): bump cloud.google.com/go/storage from 1.30.1 to 1.31.0 #4332 (@dependabot[bot])
- chore(deps): bump docker/setup-buildx-action from 2.7.0 to 2.8.0 #4330 (@dependabot[bot])
- chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 1.0.1 to 1.0.2 #4329 (@dependabot[bot])
- chore(deps): bump github.com/shirou/gopsutil/v3 from 3.23.5 to 3.23.6 #4328 (@dependabot[bot])
- chore(deps): bump github.com/hashicorp/golang-lru/v2 from 2.0.3 to 2.0.4 #4327 (@dependabot[bot])
- chore(deps): bump google.golang.org/protobuf from 1.30.0 to 1.31.0 #4325 (@dependabot[bot])
- chore(deps): bump github.com/jackc/pgx/v5 from 5.4.0 to 5.4.1 #4324 (@dependabot[bot])
- chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.34.1 to 1.36.0 #4323 (@dependabot[bot])
- chore(deps): bump node from 05824f7 to 3801c22 #4322 (@dependabot[bot])
- chore(deps): bump @fontsource/dm-sans from 4.5.1 to 5.0.3 in /ui #4307 (@dependabot[bot])
- chore(deps): bump react-feather from 2.0.9 to 2.0.10 in /ui #4306 (@dependabot[bot])
- chore(deps): bump markdown-to-jsx from 7.1.7 to 7.2.1 in /ui #4297 (@dependabot[bot])
- chore(deps): bump github.com/spf13/viper from 1.15.0 to 1.16.0 #4296 (@dependabot[bot])
- chore(deps): bump golang.org/x/sync from 0.2.0 to 0.3.0 #4294 (@dependabot[bot])
- chore(deps): bump github.com/jackc/pgx/v5 from 5.3.1 to 5.4.0 #4293 (@dependabot[bot])
- chore(deps): bump github.com/caddyserver/certmagic from 0.17.2 to 0.18.0 #4291 (@dependabot[bot])
- chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.34.0 to 1.34.1 #4290 (@dependabot[bot])
- chore(deps-dev): bump typescript from 4.5.5 to 5.1.3 in /ui #4289 (@dependabot[bot])
- chore(deps): bump golang.org/x/oauth2 from 0.8.0 to 0.9.0 #4287 (@dependabot[bot])
- chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.25 to 1.18.27 #4286 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.126.0 to 0.128.0 #4283 (@dependabot[bot])
- chore(deps-dev): bump @typescript-eslint/parser from 5.10.2 to 5.59.11 in /ui #4282 (@dependabot[bot])
- chore(deps): bump github.com/klauspost/compress from 1.16.5 to 1.16.6 #4281 (@dependabot[bot])
- chore(deps): bump github.com/minio/minio-go/v7 from 7.0.56 to 7.0.57 #4280 (@dependabot[bot])
- chore(deps): bump google.golang.org/grpc from 1.55.0 to 1.56.0 #4278 (@dependabot[bot])
- chore(deps): bump @emotion/styled from 11.6.0 to 11.11.0 in /ui #4277 (@dependabot[bot])
- chore(deps): bump github.com/prometheus/procfs from 0.10.1 to 0.11.0 #4276 (@dependabot[bot])
- chore(deps): bump docker/login-action from 2.1.0 to 2.2.0 #4274 (@dependabot[bot])
- chore(deps): bump docker/metadata-action from 4.5.0 to 4.6.0 #4273 (@dependabot[bot])
- chore(deps): bump node from f658ece to 05824f7 #4272 (@dependabot[bot])
- chore(deps): bump golang from b0f97bf to eb3f9ac #4271 (@dependabot[bot])
- chore(deps): bump github.com/prometheus/client_golang from 1.15.1 to 1.16.0 [#4268...
v0.22.3
Changelog
v0.22.3 (2023-08-21)
Changed
- add integration test for https IP address route #4477 (@kenjenkins)
- github-actions: remove license check #4475 (@kenjenkins)
- add integration test for Pomerium JWT #4473 (@kenjenkins)
- envoy: configure upstream IP SAN match as needed #4382 (@backport-actions-token[bot])
- autocert: suppress OCSP stapling errors #4373 (@backport-actions-token[bot])
- backport #4368 (@calebdoxsey)
- ci: fix lint workflow (#4229) #4311 (@kenjenkins)
- pin to a debian:latest image for casource base image (#4250) #4310 (@kenjenkins)
- add JWT timestamp formatting workaround #4309 (@backport-actions-token[bot])
- config: update logic for checking overlapping certificates (#4216) #4217 (@calebdoxsey)
- authorize: populate issuer even when policy is nil #4213 (@backport-actions-token[bot])
- config: simplify default set response headers #4212 (@backport-actions-token[bot])
v0.22.2
Security
- This release fixes a bug whereby specially crafted requests could result in incorrect authorization decisions made by Pomerium. CVE-2023-33189.
What's Changed
- fix WillHaveCertificateForServerName check to be strict match for derived cert name by @backport-actions-token in #4169
- improve certificate matching performance by @backport-actions-token in #4188
- envoy: set re2 limits very high by @backport-actions-token in #4189
- databroker: sort configs by @backport-actions-token in #4191
- databroker: fix fast forward by @backport-actions-token in #4194
Full Changelog: v0.22.1...v0.22.2
v0.21.4
Security
- This release fixes a bug whereby specially crafted requests could result in incorrect authorization decisions made by Pomerium. CVE-2023-33189.
What's Changed
- autocert: fix certmagic cache logging by @backport-actions-token in #4135
- authorize: fix IsInternal check by @calebdoxsey in #4199
Full Changelog: v0.21.3...v0.21.4
v0.20.1
Security
- This release fixes a bug whereby specially crafted requests could result in incorrect authorization decisions made by Pomerium. CVE-2023-33189.
What's Changed
- storage: ignore removed fields when deserializing the data by @backport-actions-token in #3772
- jwt: require logged in user to return .pomerium/jwt by @backport-actions-token in #3809
- oidc: fix token revocation by @backport-actions-token in #3818
- autocert: use atomic pointer to allow nil by @backport-actions-token in #3817
- identity: fix expired session deletion by @backport-actions-token in #3857
- postgres: return unknown records instead of skipping them (#3876) by @calebdoxsey in #3877
- identity: fix nil reference error when there is no authenticator by @backport-actions-token in #3932
Full Changelog: v0.20.0...v0.20.1