Core Changelog
Please refer to the upgrade guide before upgrading.
Versioning
Pomerium uses Semantic Versioning. In practice, this means for a given version number vMAJOR.MINOR.PATCH (for example, v0.1.0
):
- MAJOR indicates an incompatible API change
- MINOR indicates a new, backwards-compatible functionality
- PATCH indicates a backwards-compatible bug fix
As Pomerium is still pre-v1.0.0
, you should expect breaking changes between releases.
v0.27.2 (2024-10-22)
Pomerium Zero
- Add a Pomerium Core to Pomerium Zero import tool, allowing you to bring your existing Pomerium configuration into Pomerium Zero.
- Add active users reporting, for self-serve billing in Pomerium Zero. End user information is pseudonymized and reported to Pomerium Zero, in order to bill paid organizations according to the number of active users across the organization as a whole.
Fixed
- Improve handling of transient errors from the databroker.
- Fix a data race in the in-memory databroker storage backend.
- Remove an incorrect “unknown config option” warning message when the
set_response_headers
config file key is present.
Changes
- For any routes where the Kubernetes Service Account Token option is set, allow both websockets and SPDY connection upgrades. (One of these is necessary for commands like
kubectl exec
andkubectl port-forward
to work correctly, depending on your version of Kubernetes.) - Previously, the Log Level option could affect the default value of the Authorize Log Fields option: setting the main log level to
debug
would change the default set of authorize log fields to includeheaders
(logging all HTTP request headers). This undocumented behavior has been removed, and these two options are now entirely independent. - Remove some currently-unused configuration options:
databroker_storage_cert_file
databroker_storage_key_file
databroker_storage_ca_file
databroker_storage_tls_skip_verify
grpc_client_dns_roundrobin
- Various other minor code clean-up.
v0.27.1 (2024-09-26)
Pomerium v0.27.1 includes a fix to the databroker service API authorization logic. Certain service account tokens from Pomerium Zero or Pomerium Enterprise could grant unintended authorization to the databroker service API. See the CVE-2024-47616 for more information.
Security
- Additional validation checks for gRPC API authorization. This update resolves a security vulnerability that we believe affects only certain Pomerium Enterprise and Pomerium Zero deployments.
Fixed
- The user info dashboard page (at URL path
/.pomerium/
) now provides user info also for the programmatic access flow (see issue #5246). - The user info dashboard page now correctly displays group membership info for Pomerium Enterprise deployments with directory sync configured.
v0.27.0 (2024-09-10)
What's Changed
Breaking
- proxy: deprecate the /.pomerium/jwt endpoint by @kenjenkins in https://github.com/pomerium/pomerium/pull/5254
- zero/k8s: use Deployment instead of StatefulSet by @wasaga in https://github.com/pomerium/pomerium/pull/5248
New
- authorize: use uuid for jti, current time for iat and exp by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5147
- config: add
databroker_storage_connection_string_file
by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5242 - config: add mTLS UserPrincipalName SAN match by @kenjenkins in https://github.com/pomerium/pomerium/pull/5177
- config: add runtime flag to allow disabling config hot-reload (#5079) by @kralicky in https://github.com/pomerium/pomerium/pull/5112
- envoy: allow TLS 1.3 for upstream connections by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5263
- envoy: log TLS connection failures in the mTLS
reject_connection
mode by @kralicky in https://github.com/pomerium/pomerium/pull/5210 - envoy: resource monitoring & overload manager configuration by @kralicky in https://github.com/pomerium/pomerium/pull/5106
- envoy: support http2 prior knowledge for insecure upstream targets (h2c://) by @kralicky in https://github.com/pomerium/pomerium/pull/5205
- ui: add "Policy ID" label to error details page by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5127
- ui: add request id to upstream error page by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5166
- ui: add user info link to error page by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5158
- ui: user info dashboard improvements by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5128
- zero/connect: add re-run health checks command by @wasaga in https://github.com/pomerium/pomerium/pull/5219
- zero/k8s: write bootstrap configuration to a secret by @kralicky in https://github.com/pomerium/pomerium/pull/5114
Fixes
- authorize: require new login when authenticate url changes by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5165
- controlplane: avoid calling Close on nil listener by @kenjenkins in https://github.com/pomerium/pomerium/pull/5156
- databroker/leaser: set timeout on ReleaseLease by @wasaga in https://github.com/pomerium/pomerium/pull/5208
- logging: add support for using the standard grpc env vars to control log severity and verbosity by @kralicky in https://github.com/pomerium/pomerium/pull/5120
- session: do not invalidate based on ID token by @kenjenkins in https://github.com/pomerium/pomerium/pull/5182
- ui: fix cycle in profile data by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5168
- ui: set Cache-Control: no-cache, tweak sign-out cancel button behavior by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5264
- zero/connect: ignore unknown message types by @wasaga in https://github.com/pomerium/pomerium/pull/5223
- zero/health-checks: fix early checks sometimes missing by @wasaga in https://github.com/pomerium/pomerium/pull/5229
- zero/health-checks: zero route availability improvements by @wasaga in https://github.com/pomerium/pomerium/pull/5111
Changed
- authenticate: rework session ID token handling by @kenjenkins in https://github.com/pomerium/pomerium/pull/5178
- authorize: add request-id to error messages by @wasaga in https://github.com/pomerium/pomerium/pull/5267
- ci: do not include timestamp into buildmeta by @wasaga in https://github.com/pomerium/pomerium/pull/5215
- config: optimize policy iterators by @kralicky in https://github.com/pomerium/pomerium/pull/5184
- config: sort runtime flags, name consistency by @kenjenkins in https://github.com/pomerium/pomerium/pull/5255
- envoy: upgrade to v1.31.0 by @kenjenkins in https://github.com/pomerium/pomerium/pull/5183
- github: update README.md by @cmo-pomerium in https://github.com/pomerium/pomerium/pull/5163
- github: update README.md by @nikhil-pomerium in https://github.com/pomerium/pomerium/pull/5253
- go: update to Go 1.23 by @kralicky in https://github.com/pomerium/pomerium/pull/5216
- logging: change log.Error function by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5251
- logging: convert warnings to info or error by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5235
- proto: update protoc dependencies by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5218
- ui: update logo by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5249
- zero: refactor controller by @wasaga in https://github.com/pomerium/pomerium/pull/5134
- zero/api: generate error methods for response types by @kralicky in https://github.com/pomerium/pomerium/pull/5252
- zero/api: reset token and url cache if 401 is received by @wasaga in https://github.com/pomerium/pomerium/pull/5256
- zero/api: switch to github.com/oapi-codegen/oapi-codegen by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5226
- zero/bundle-download: update metadata by @wasaga in https://github.com/pomerium/pomerium/pull/5212
- zero/cmd: make it more evident what caused shutdown by @wasaga in https://github.com/pomerium/pomerium/pull/5209
- zero/connect: add telemetry request command by @wasaga in https://github.com/pomerium/pomerium/pull/5131
- zero/k8s: set externalTrafficPolicy: Local by @wasaga in https://github.com/pomerium/pomerium/pull/5266
- zero/telemetry: add hostname and version by @wasaga in https://github.com/pomerium/pomerium/pull/5146
- zero/telemetry: add prometheus streaming converter to OTLP by @wasaga in https://github.com/pomerium/pomerium/pull/5132
- zero/telemetry: collect limited core metrics by @wasaga in https://github.com/pomerium/pomerium/pull/5142
- zero/telemetry: internal envoy stats scraper and metrics producer by @wasaga in https://github.com/pomerium/pomerium/pull/5136
- zero/telemetry: refactor telemetry and controller by @wasaga in https://github.com/pomerium/pomerium/pull/5135
Dependency Updates
- bump busybox from
5eef5ed
to9ae97d3
in /.github in the docker group by @dependabot in https://github.com/pomerium/pomerium/pull/5161 - bump busybox from
9ae97d3
to8274294
in /.github in the docker group by @dependabot in https://github.com/pomerium/pomerium/pull/5260 - bump braces from 3.0.2 to 3.0.3 in /ui by @dependabot in https://github.com/pomerium/pomerium/pull/5139
- bump the docker group in /.github with 3 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5124
- bump the docker group in /.github with 2 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5202
- bump the docker group with 3 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5123
- bump the docker group with 2 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5159
- bump the docker group with 3 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5201
- bump the docker group with 2 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5258
- bump the github-actions group with 9 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5121
- bump the github-actions group with 4 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5160
- bump the github-actions group with 9 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5200
- bump the github-actions group with 6 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5259
- bump the go group with 27 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5122
- bump the go group with 21 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5162
- bump the go group across 1 directory with 26 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5207
- bump the go group across 1 directory with 28 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5262
- bump github.com/docker/docker from 27.0.3+incompatible to 27.1.0+incompatible by @dependabot in https://github.com/pomerium/pomerium/pull/5193
- bump github.com/opencontainers/runc from 1.1.12 to 1.1.14 by @dependabot in https://github.com/pomerium/pomerium/pull/5261
- bump google.golang.org/grpc from 1.64.0 to 1.64.1 by @dependabot in https://github.com/pomerium/pomerium/pull/5169
- bump micromatch from 4.0.5 to 4.0.8 in /ui by @dependabot in https://github.com/pomerium/pomerium/pull/5240
- replace usages of x/exp/maps + bump golang.org/x/exp by @kralicky in https://github.com/pomerium/pomerium/pull/5221
v0.26.1 (2024-07-01)
Pomerium v0.26.1 includes multiple security updates:
-
The Pomerium user info page (at
/.pomerium
) unintentionally included serialized OAuth 2.0 access and ID tokens from the logged-in user's session. These tokens are not intended to be exposed to end users, and have now been removed. For more details, please see the official CVE statement.Credit to Vadim Sheydaev, also known as Enr1g for reporting this issue.
-
This release includes an update from Envoy 1.30.1 to Envoy 1.30.3 to address the following security issues:
- CVE-2024-34362: Crash (use-after-free) in EnvoyQuicServerStream
- CVE-2024-34363: Crash due to uncaught nlohmann JSON exception
- CVE-2024-34364: Envoy OOM vector from HTTP async client with unbounded response buffer for mirror response, and other components
- CVE-2024-32974: Crash in EnvoyQuicServerStream::OnInitialHeadersComplete()
- CVE-2024-32975: Crash in QuicheDataReader::PeekVarInt62Length()
- CVE-2024-32976: Endless loop while decompressing Brotli data with extra input
- CVE-2024-23326: Envoy incorrectly accepts HTTP 200 response for entering upgrade mode
- CVE-2024-38525: datadog tracer does not handle trace headers with unicode characters
-
The release also removes a transitive dependency on the gopkg.in/square/go-jose.v2 library which is vulnerable to https://github.com/advisories/GHSA-c5q2-7r4c-mv6g.
Security
- envoy: upgrade to v1.30.3 by @kenjenkins in https://github.com/pomerium/pomerium/pull/5155
- userinfo: remove excess userinfo data by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5148
- update the pomerium/webauthn dependency (#5125) by @kenjenkins in https://github.com/pomerium/pomerium/pull/5157
Fixed
- autocert: fix filter chain, handshake by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5151
v0.26.0 (2024-05-17)
Breaking
Changes that are expected to cause an incompatibility.
- config: remove deprecated client_ca option by @kenjenkins in https://github.com/pomerium/pomerium/pull/4918
- envoy: set explicit hostname on cluster endpoints by @kenjenkins in https://github.com/pomerium/pomerium/pull/5018
New
- authenticate: apply branding to sign out pages by @kenjenkins in https://github.com/pomerium/pomerium/pull/5044
- authorize: add support for rego print statements by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5049
- authorize: log service account user ID by @kenjenkins in https://github.com/pomerium/pomerium/pull/4964
- authorize: return non-html errors on denied by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4904
- config: add runtime flags by @wasaga in https://github.com/pomerium/pomerium/pull/5050
- config: add support for TCP proxy chaining by @kenjenkins in https://github.com/pomerium/pomerium/pull/5053
- config: add support for stripping the port for matching routes by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5085
- config: disable gRPC ingress when address is the empty string by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5058
- config: implement direct response by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4960
- databroker: disable identity manager user refresh when hosted authenticate is used by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4905
- envoy: clean up temporary directory on start by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4914
- envoy: format envoy local replies by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5067
- envoy: only enable port reuse on linux by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5066
- identity: add enabler by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5084
- identity: dynamic authenticator registration by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5105
- identity: refactor identity manager by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5091
- logging: less verbose logs by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5040
- ppl: add client cert SAN match criteria by @kenjenkins in https://github.com/pomerium/pomerium/pull/4913
- ppl: add groups criterion by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4916
- ui: fix page title by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4957
- zero: add route reachability health check by @wasaga in https://github.com/pomerium/pomerium/pull/5093
- zero: add service accounts support by @wasaga in https://github.com/pomerium/pomerium/pull/5031
- zero: add storage health check by @wasaga in https://github.com/pomerium/pomerium/pull/5074
- zero: health check building config from databroker source by @wasaga in https://github.com/pomerium/pomerium/pull/5104
- zero: lower log level by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5065
- zero: upgrade oapi-codegen by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4953
Fixed
- authenticate: redirect to /.pomerium/signed_out when no signout redirect url is defined by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5060
- envoy: exclude unauthorized access from local replies by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5108
- kubernetes: fix impersonate group header by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5090
- zero: add gRPC keep-alive by @wasaga in https://github.com/pomerium/pomerium/pull/4961
- zero: fix bootstrap config path by @wasaga in https://github.com/pomerium/pomerium/pull/5035
- zero: fix ticker usage by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4969
Changed
- authenticate: rework CORS headers log entry by @kenjenkins in https://github.com/pomerium/pomerium/pull/4900
- authorize: result denied improvements by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4952
- config: remove cookie secure option by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4907
- config: fix typo by @wasaga in https://github.com/pomerium/pomerium/pull/4963
- core: move telemetry requestid to pkg directory by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4911
- core: switch to uber mock by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5073
- core: use context.WithoutCancel by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4959
- envoy: address strconv.Atoi warnings by @kenjenkins in https://github.com/pomerium/pomerium/pull/5076
- envoy: enable TCP keepalive for internal clusters by @kenjenkins in https://github.com/pomerium/pomerium/pull/4902
- envoy: migrate deprecated overload setting by @kenjenkins in https://github.com/pomerium/pomerium/pull/5082
- envoy: preserve Go's max file limit for Envoy by @kenjenkins in https://github.com/pomerium/pomerium/pull/5102
- envoy: upgrade to v1.30.1 by @kenjenkins in https://github.com/pomerium/pomerium/pull/5080
- logging: use standard logger by @wasaga in https://github.com/pomerium/pomerium/pull/5096
- opa: update for rego 1.0 by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4895
- ui: adds upstream error page by @nhayfield in https://github.com/pomerium/pomerium/pull/5113
- ui: improve frontend build size by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5109
- zero: add user-agent to requests by @wasaga in https://github.com/pomerium/pomerium/pull/5078
- zero: add checks for ability to save bootstrap parameter and bundle status reporting by @wasaga in https://github.com/pomerium/pomerium/pull/5064
- zero: add connect health check by @wasaga in https://github.com/pomerium/pomerium/pull/5086
- zero: add common healthcheck package, zero reporter and first xds check by @wasaga in https://github.com/pomerium/pomerium/pull/5059
- zero: add shared secret to the cluster bootstrap params by @wasaga in https://github.com/pomerium/pomerium/pull/5030
- zero: only report healthcheck transitions by @wasaga in https://github.com/pomerium/pomerium/pull/5068
- zero: remove unused changeset code by @wasaga in https://github.com/pomerium/pomerium/pull/4915
- zero: reset back to inmem databroker if connection string is empty by @wasaga in https://github.com/pomerium/pomerium/pull/4955
- zero: simplify control loop lease retry code by @wasaga in https://github.com/pomerium/pomerium/pull/4979
- zero: update oapi-codegen by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4898
Dependency Updates
- chore(deps): bump actions/setup-node from 4.0.1 to 4.0.2 by @dependabot in https://github.com/pomerium/pomerium/pull/4974
- chore(deps): bump actions/upload-artifact from 4.0.0 to 4.3.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4922
- chore(deps): bump actions/upload-artifact from 4.3.0 to 4.3.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4972
- chore(deps): bump busybox from
ba76950
to6d9ac92
in /.github by @dependabot in https://github.com/pomerium/pomerium/pull/4950 - chore(deps): bump cloud.google.com/go/storage from 1.36.0 to 1.37.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4926
- chore(deps): bump cloud.google.com/go/storage from 1.37.0 to 1.39.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4989
- chore(deps): bump distroless/base-debian12 from
0a93daa
to5eae9ef
in /.github by @dependabot in https://github.com/pomerium/pomerium/pull/4970 - chore(deps): bump distroless/base-debian12 from
996c583
to1d91d5f
by @dependabot in https://github.com/pomerium/pomerium/pull/4980 - chore(deps): bump distroless/base from
6c1e34e
to9d4e568
in /.github by @dependabot in https://github.com/pomerium/pomerium/pull/4971 - chore(deps): bump docker/metadata-action from 5.4.0 to 5.5.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4923
- chore(deps): bump docker/setup-buildx-action from 3.0.0 to 3.1.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4978
- chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.26.2 to 1.26.6 by @dependabot in https://github.com/pomerium/pomerium/pull/4932
- chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.26.6 to 1.27.6 by @dependabot in https://github.com/pomerium/pomerium/pull/5015
- chore(deps): bump github.com/aws/aws-sdk-go-v2 from 1.24.0 to 1.24.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4930
- chore(deps): bump github.com/aws/aws-sdk-go-v2 from 1.24.1 to 1.25.2 by @dependabot in https://github.com/pomerium/pomerium/pull/4992
- chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.48.1 to 1.51.3 by @dependabot in https://github.com/pomerium/pomerium/pull/5016
- chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.47.7 to 1.48.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4939
- chore(deps): bump github.com/docker/docker from 24.0.7+incompatible to 25.0.2+incompatible by @dependabot in https://github.com/pomerium/pomerium/pull/4942
- chore(deps): bump github.com/docker/docker from 25.0.4+incompatible to 25.0.5+incompatible by @dependabot in https://github.com/pomerium/pomerium/pull/5032
- chore(deps): bump github.com/docker/docker from 26.0.0+incompatible to 26.0.2+incompatible by @dependabot in https://github.com/pomerium/pomerium/pull/5075
- chore(deps): bump github.com/envoyproxy/go-control-plane from 0.11.1 to 0.12.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4935
- chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 1.0.2 to 1.0.4 by @dependabot in https://github.com/pomerium/pomerium/pull/4945
- chore(deps): bump github.com/google/uuid from 1.5.0 to 1.6.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4933
- chore(deps): bump github.com/go-chi/chi/v5 from 5.0.11 to 5.0.12 by @dependabot in https://github.com/pomerium/pomerium/pull/4986
- chore(deps): bump github.com/go-jose/go-jose/v3 from 3.0.1 to 3.0.2 by @dependabot in https://github.com/pomerium/pomerium/pull/4984
- chore(deps): bump github.com/jackc/pgx/v5 from 5.5.1 to 5.5.2 by @dependabot in https://github.com/pomerium/pomerium/pull/4944
- chore(deps): bump github.com/jackc/pgx/v5 from 5.5.2 to 5.5.3 by @dependabot in https://github.com/pomerium/pomerium/pull/5000
- chore(deps): bump github.com/klauspost/compress from 1.17.4 to 1.17.5 by @dependabot in https://github.com/pomerium/pomerium/pull/4940
- chore(deps): bump github.com/klauspost/compress from 1.17.5 to 1.17.7 by @dependabot in https://github.com/pomerium/pomerium/pull/4995
- chore(deps): bump github.com/minio/minio-go/v7 from 7.0.66 to 7.0.67 by @dependabot in https://github.com/pomerium/pomerium/pull/4996
- chore(deps): bump github.com/opencontainers/runc from 1.1.5 to 1.1.12 by @dependabot in https://github.com/pomerium/pomerium/pull/4919
- chore(deps): bump github.com/open-policy-agent/opa from 0.60.0 to 0.61.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4937
- chore(deps): bump github.com/open-policy-agent/opa from 0.61.0 to 0.62.1 by @dependabot in https://github.com/pomerium/pomerium/pull/5017
- chore(deps): bump github.com/prometheus/common from 0.45.0 to 0.46.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4949
- chore(deps): bump github.com/prometheus/common from 0.46.0 to 0.49.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4998
- chore(deps): bump github.com/prometheus/client_golang from 1.18.0 to 1.19.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4999
- chore(deps): bump github.com/shirou/gopsutil/v3 from 3.23.12 to 3.24.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4928
- chore(deps): bump github.com/shirou/gopsutil/v3 from 3.24.1 to 3.24.2 by @dependabot in https://github.com/pomerium/pomerium/pull/5001
- chore(deps): bump github.com/stretchr/testify from 1.8.4 to 1.9.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4990
- chore(deps): bump github.com/rs/zerolog from 1.31.0 to 1.32.0 by @dependabot in https://github.com/pomerium/pomerium/pull/5004
- chore(deps): bump golang from 1.21.5-bookworm to 1.21.6-bookworm by @dependabot in https://github.com/pomerium/pomerium/pull/4920
- chore(deps): bump golang.org/x/crypto from 0.18.0 to 0.21.0 by @dependabot in https://github.com/pomerium/pomerium/pull/5013
- chore(deps): bump golang.org/x/net from 0.22.0 to 0.23.0 by @dependabot in https://github.com/pomerium/pomerium/pull/5077
- chore(deps): bump golang.org/x/oauth2 from 0.16.0 to 0.18.0 by @dependabot in https://github.com/pomerium/pomerium/pull/5012
- chore(deps): bump google-github-actions/setup-gcloud from 2.0.1 to 2.1.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4924
- chore(deps): bump google-github-actions/auth from 2.0.0 to 2.1.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4925
- chore(deps): bump google-github-actions/auth from 2.1.0 to 2.1.2 by @dependabot in https://github.com/pomerium/pomerium/pull/4976
- chore(deps): bump google.golang.org/api from 0.154.0 to 0.161.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4938
- chore(deps): bump google.golang.org/api from 0.161.0 to 0.168.0 by @dependabot in https://github.com/pomerium/pomerium/pull/5010
- chore(deps): bump google.golang.org/grpc from 1.60.1 to 1.61.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4948
- chore(deps): bump google.golang.org/grpc from 1.61.0 to 1.62.1 by @dependabot in https://github.com/pomerium/pomerium/pull/5011
- chore(deps): bump google.golang.org/protobuf from 1.32.0 to 1.33.0 by @kenjenkins in https://github.com/pomerium/pomerium/pull/5009
- chore(deps): bump golangci/golangci-lint-action from 3.7.0 to 4.0.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4975
- chore(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc from 0.44.0 to 0.45.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4947
- chore(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc from 0.45.0 to 1.24.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4983
- chore(deps): bump go.opentelemetry.io/otel/sdk/metric from 1.21.0 to 1.22.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4946
- chore(deps): bump go.opentelemetry.io/otel/sdk/metric from 1.22.0 to 1.24.0 by @dependabot in https://github.com/pomerium/pomerium/pull/5003
- chore(deps): bump go.uber.org/zap from 1.26.0 to 1.27.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4987
- chore(deps): bump mikefarah/yq from 4.40.5 to 4.42.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4977
- chore(deps): bump node from
8d0f16f
tofd01154
by @dependabot in https://github.com/pomerium/pomerium/pull/4921 - chore(deps): bump node from
fd01154
tof3299f1
by @dependabot in https://github.com/pomerium/pomerium/pull/4981 - chore(deps): bump pre-commit/action from 3.0.0 to 3.0.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4973
- chore(deps): bump the docker group with 2 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5024
- chore(deps): bump the docker group in /.github with 2 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5023
- chore(deps): bump the docker group with 3 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5045
- chore(deps): bump the docker group in /.github with 3 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5046
- chore(deps): bump the docker group in /.github with 3 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5095
- chore(deps): bump the docker group with 3 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5098
- chore(deps): bump the github-actions group with 1 update by @dependabot in https://github.com/pomerium/pomerium/pull/5025
- chore(deps): bump the github-actions group with 6 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5047
- chore(deps): bump the github-actions group with 5 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5094
- chore(deps): bump the go group with 10 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5026
- chore(deps): bump the go group with 15 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5048
- chore(deps): bump the go group with 29 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5097
- chore(deps): update UI dependencies by @kenjenkins in https://github.com/pomerium/pomerium/pull/5088
- chore(deps): bump @trivago/prettier-plugin-sort-imports from 2.0.4 to 4.3.0 by @kenjenkins in https://github.com/pomerium/pomerium/pull/5054
- chore(deps): bump @babel/traverse from 7.16.10 to 7.23.2 in /ui by @dependabot in https://github.com/pomerium/pomerium/pull/5055
- ci: upgrade to Go 1.22 by @wasaga in https://github.com/pomerium/pomerium/pull/4967
- core/lint: upgrade golangci-lint, replace interface with any by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5099
- envoy: set to v1.29.2 by @wasaga in https://github.com/pomerium/pomerium/pull/5042
- envoy: upgrade to v1.29.3 by @wasaga in https://github.com/pomerium/pomerium/pull/5056
- update dev Dockerfiles to use Go 1.22.2 by @kenjenkins in https://github.com/pomerium/pomerium/pull/5063
v0.25.2 (2024-04-05)
Changed
- envoy: upgrade to v1.28.2 by @wasaga in https://github.com/pomerium/pomerium/pull/5057
v0.25.1 (2024-03-13)
Changed
- ci: bump Go to 1.21.8 in docker by @wasaga in https://github.com/pomerium/pomerium/pull/5027
- connect: add gRPC keep-alive by @wasaga in https://github.com/pomerium/pomerium/pull/4962
- core/ci: check docker base images by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5028
- core/zero: fix ticker usage by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5019
v0.25.0 (2024-01-10)
Breaking
- config: remove support for base64 encoded certificates in the
certificates
field. It may only contain file locations. See https://github.com/pomerium/pomerium/pull/4718 by @calebdoxsey for details. - config: remove
debug
option, always use json logs by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4857
New
- authenticate: Refactoring identity authenticators to initiate redirect. For AWS Cognito, please allow the following sign out
https://{AUTHENTICATE_DOMAIN}/.pomerium/signed_out
URL. See more details in https://github.com/pomerium/pomerium/pull/4858 by @calebdoxsey. - Initial support for the Pomerium Zero closed beta is included in this release.
Fixed
- config: add support for maps in environments, i.e.
env IDP_REQUEST_PARAMS='{"x":"y"}' ...
by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4717 - core: fix graceful stop by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4865
- databroker: fix nil data unmarshal by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4734
- databroker: fix Patch() error handling for in-memory databroker backend by @kenjenkins in https://github.com/pomerium/pomerium/pull/4838
- databroker: hijack connections for notification listeners by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4806
- databroker: prevent
nil
data in the databroker deleted records by @wasaga in https://github.com/pomerium/pomerium/pull/4736 - databroker: REDIS backend has been removed in the previous release, https://github.com/pomerium/pomerium/pull/4768 by @calebdoxsey cleans up some remaining references.
- envoy: Rewrite the remove_pomerium_cookie lua function to handle
=
inside of cookie values. by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4641 - metrics: enforce
text/plain
metric format by @kenjenkins in https://github.com/pomerium/pomerium/pull/4774 - zero: group funcs that need run within a lease by @wasaga in https://github.com/pomerium/pomerium/pull/4862
Changed
- authenticate: add stateful flow by @kenjenkins in https://github.com/pomerium/pomerium/pull/4822
- authenticate: change how sessions are deleted by @kenjenkins in https://github.com/pomerium/pomerium/pull/4893
- authenticate: getUserInfoData() cleanup by @kenjenkins in https://github.com/pomerium/pomerium/pull/4818
- authenticate: move events.go out of internal/authenticateflow by @kenjenkins in https://github.com/pomerium/pomerium/pull/4852
- authenticate: move stateless flow logic by @kenjenkins in https://github.com/pomerium/pomerium/pull/4820
- authenticate: move logAuthenticateEvent by @kenjenkins in https://github.com/pomerium/pomerium/pull/4821
- authenticate: remove extra UpdateUserInfo() call by @kenjenkins in https://github.com/pomerium/pomerium/pull/4813
- authenticate: Update the initialization logic for the authenticate, authorize, and proxy services to automatically select between the stateful authentication flow and the stateless authentication flow, depending on whether Pomerium is configured to use the hosted authenticate service. This change ensures a single IdP session is maintained for all user visits, enabling a single sign out behaviour for installations with IdP configured. @kenjenkins in https://github.com/pomerium/pomerium/pull/4765
- authenticate: verify redirect in Callback test by @kenjenkins in https://github.com/pomerium/pomerium/pull/4894
- config: Add a global config option for pass_identity_headers, in addition to existing per-route option by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4720
- config: disable strict-transport-security header with staging autocert by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4741
- config: no longer stub out HPKE public key fetch by @kenjenkins in https://github.com/pomerium/pomerium/pull/4853
- config: remove unnecessary authenticate route when using hosted authenticate (authenticate.pomerium.app) by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4719
- runtime: automatically determine goroutine max cap by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4766
- runtime: update to Go 1.21.4 by @kenjenkins in https://github.com/pomerium/pomerium/pull/4770
- session: add unit tests for gRPC wrapper methods by @kenjenkins in https://github.com/pomerium/pomerium/pull/4713
- tests: add tool for renewing test certs by @kenjenkins in https://github.com/pomerium/pomerium/pull/4742
- tests: check for profile cookies by @kenjenkins in https://github.com/pomerium/pomerium/pull/4847
- tests: renew test certs by @kenjenkins in https://github.com/pomerium/pomerium/pull/4738
- tests: re-generate test configurations by @kenjenkins in https://github.com/pomerium/pomerium/pull/4816
- zero: add linear probabilistic counter for MAU estimation by @wasaga in https://github.com/pomerium/pomerium/pull/4776
- zero: add more verbose logging about background control loops by @wasaga in https://github.com/pomerium/pomerium/pull/4815
- zero: add reporter by @wasaga in https://github.com/pomerium/pomerium/pull/4855
- zero: add support for managed mode from config file by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4756
- zero: better code reuse by @wasaga in https://github.com/pomerium/pomerium/pull/4758
- zero: calculate DAU and MAU by @wasaga in https://github.com/pomerium/pomerium/pull/4810
- zero: fix restart behavior by @kenjenkins in https://github.com/pomerium/pomerium/pull/4753
- zero: rebase and merge feature/zero branch by @kenjenkins in https://github.com/pomerium/pomerium/pull/4745
- zero: set drwx------ for cache dir by @wasaga in https://github.com/pomerium/pomerium/pull/4764
- zero: support gzipped blobs by @wasaga in https://github.com/pomerium/pomerium/pull/4767
- zero: use os.UserCacheDir for boostrap config path by @kenjenkins in https://github.com/pomerium/pomerium/pull/4744
- zero: use production urls by default by @wasaga in https://github.com/pomerium/pomerium/pull/4814
Dependency
- bump actions/checkout from 4.1.0 to 4.1.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4692
- bump actions/setup-go from 4.1.0 to 5.0.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4830
- bump actions/setup-node from 3.8.1 to 4.0.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4694
- bump actions/setup-node from 4.0.0 to 4.0.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4888
- bump actions/setup-python from 4.7.0 to 5.0.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4827
- bump actions/stale from 8.0.0 to 9.0.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4825
- bump actions/upload-artifact from 3.1.3 to 4.0.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4889
- bump busybox from
3fbc632
to1ceb872
in /.github by @dependabot in https://github.com/pomerium/pomerium/pull/4824 - bump busybox from
1ceb872
toba76950
in /.github by @dependabot in https://github.com/pomerium/pomerium/pull/4884 - bump cloud.google.com/go/storage from 1.33.0 to 1.35.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4750
- bump cloud.google.com/go/storage from 1.35.1 to 1.36.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4873
- bump distroless/base from
46c5b9b
tob31a6e0
in /.github by @dependabot in https://github.com/pomerium/pomerium/pull/4670 - bump distroless/base from
b31a6e0
to6c1e34e
in /.github by @dependabot in https://github.com/pomerium/pomerium/pull/4885 - bump distroless/base-debian12 from
5e24c7a
to996c583
by @dependabot in https://github.com/pomerium/pomerium/pull/4882 - bump distroless/base-debian12 from
d2890b2
to5e24c7a
by @dependabot in https://github.com/pomerium/pomerium/pull/4658 - bump distroless/base-debian12 from
d64f548
to1dfdb5e
in /.github by @dependabot in https://github.com/pomerium/pomerium/pull/4671 - bump distroless/base-debian12 from
1dfdb5e
to0a93daa
in /.github by @dependabot in https://github.com/pomerium/pomerium/pull/4886 - bump docker/build-push-action from 5.0.0 to 5.1.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4777
- bump docker/metadata-action from 5.0.0 to 5.3.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4826
- bump docker/metadata-action from 5.3.0 to 5.4.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4891
- bump github.com/aws/aws-sdk-go-v2 from 1.22.2 to 1.24.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4840
- bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.40.0 to 1.42.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4751
- bump github.com/bits-and-blooms/bitset from 1.11.0 to 1.13.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4876
- bump github.com/caddyserver/certmagic from 0.19.2 to 0.20.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4836
- bump github.com/cloudflare/circl from 1.3.3 to 1.3.6 by @dependabot in https://github.com/pomerium/pomerium/pull/4674
- bump github.com/coreos/go-oidc/v3 from 3.6.0 to 3.8.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4791
- bump github.com/coreos/go-oidc/v3 from 3.8.0 to 3.9.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4880
- bump github.com/fsnotify/fsnotify from 1.6.0 to 1.7.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4680
- bump github.com/google/go-cmp from 0.5.9 to 0.6.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4685
- bump github.com/google/uuid from 1.3.1 to 1.4.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4677
- bump github.com/google/uuid from 1.4.0 to 1.5.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4878
- bump github.com/gorilla/mux from 1.8.0 to 1.8.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4790
- bump github.com/gorilla/websocket from 1.5.0 to 1.5.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4793
- bump github.com/go-chi/chi/v5 from 5.0.10 to 5.0.11 by @dependabot in https://github.com/pomerium/pomerium/pull/4875
- bump github.com/go-jose/go-jose/v3 from 3.0.0 to 3.0.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4760
- bump github.com/jackc/pgx/v5 from 5.4.3 to 5.5.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4803
- bump github.com/jackc/pgx/v5 from 5.5.0 to 5.5.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4871
- bump github.com/klauspost/compress from 1.17.0 to 1.17.4 by @dependabot in https://github.com/pomerium/pomerium/pull/4798
- bump github.com/mattn/go-isatty from 0.0.19 to 0.0.20 by @dependabot in https://github.com/pomerium/pomerium/pull/4801
- bump github.com/minio/minio-go/v7 from 7.0.63 to 7.0.65 by @dependabot in https://github.com/pomerium/pomerium/pull/4812
- bump github.com/minio/minio-go/v7 from 7.0.65 to 7.0.66 by @dependabot in https://github.com/pomerium/pomerium/pull/4868
- bump github.com/oapi-codegen/runtime from 1.0.0 to 1.1.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4870
- bump github.com/open-policy-agent/opa from 0.57.0 to 0.59.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4799
- bump github.com/open-policy-agent/opa from 0.59.0 to 0.60.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4879
- bump github.com/prometheus/client_golang from 1.17.0 to 1.18.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4872
- bump github.com/prometheus/client_model from 0.4.1-0.20230718164431-9a2bf3000d16 to 0.5.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4672
- bump github.com/prometheus/common from 0.44.0 to 0.45.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4686
- bump github.com/shirou/gopsutil/v3 from 3.23.9 to 3.23.11 by @dependabot in https://github.com/pomerium/pomerium/pull/4794
- bump github.com/shirou/gopsutil/v3 from 3.23.11 to 3.23.12 by @dependabot in https://github.com/pomerium/pomerium/pull/4874
- bump github.com/spf13/viper from 1.16.0 to 1.18.2 by @dependabot in https://github.com/pomerium/pomerium/pull/4861
- bump github.com/VictoriaMetrics/fastcache from 1.12.1 to 1.12.2 by @dependabot in https://github.com/pomerium/pomerium/pull/4802
- bump github.com/yuin/gopher-lua from 1.1.0 to 1.1.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4832
- bump golang from 1.21.4-bookworm to 1.21.5-bookworm by @dependabot in https://github.com/pomerium/pomerium/pull/4828
- bump golang from
a6b787c
to1415bb0
by @dependabot in https://github.com/pomerium/pomerium/pull/4883 - bump golang.org/x/crypto from 0.16.0 to 0.17.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4860. This includes a patch for GO-2023-2402 / CVE-2023-48795 (Terrapin). Note that Pomerium does not use the affected golang.org/x/crypto/ssh package from this module.
- bump golang.org/x/net from 0.17.0 to 0.19.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4792
- bump golang.org/x/oauth2 from 0.12.0 to 0.15.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4797
- bump golang.org/x/sync from 0.3.0 to 0.5.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4748
- bump golang.org/x/time from 0.3.0 to 0.5.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4796
- bump google-github-actions/auth from 1.1.1 to 2.0.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4778
- bump google-github-actions/setup-gcloud from 1.1.1 to 2.0.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4890
- bump google.golang.org/api from 0.143.0 to 0.153.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4835
- bump google.golang.org/api from 0.153.0 to 0.154.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4867
- bump google.golang.org/protobuf from 1.31.1-0.20231027082548-f4a6c1f6e5c1 to 1.32.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4877
- bump mikefarah/yq from 4.35.2 to 4.40.3 by @dependabot in https://github.com/pomerium/pomerium/pull/4780
- bump mikefarah/yq from 4.40.3 to 4.40.4 by @dependabot in https://github.com/pomerium/pomerium/pull/4829
- bump mikefarah/yq from 4.40.4 to 4.40.5 by @dependabot in https://github.com/pomerium/pomerium/pull/4887
- bump node from
42a4d97
to5f21943
by @dependabot in https://github.com/pomerium/pomerium/pull/4659 - bump node from
445acd9
to8d0f16f
by @dependabot in https://github.com/pomerium/pomerium/pull/4881 - bump sigs.k8s.io/yaml from 1.3.0 to 1.4.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4688
- bump stefanzweifel/git-auto-commit-action from 4.16.0 to 5.0.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4693
- zero/openapi: pin v1.0.0 of a runtime by @wasaga in https://github.com/pomerium/pomerium/pull/4851
v0.24.0 (2023-11-16)
Breaking
- config: remove set_authorization_header option by @kenjenkins in https://github.com/pomerium/pomerium/pull/4489
- core/config: remove support for base64 encoded certificates by @backport-actions-token in https://github.com/pomerium/pomerium/pull/4725
- databroker: remove redis storage backend by @kenjenkins in https://github.com/pomerium/pomerium/pull/4699
New
- databroker: build config concurrently, option to bypass validation by @wasaga in https://github.com/pomerium/pomerium/pull/4655
Fixed
- core/authenticate: refactor idp sign out by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4582
- core/authenticate: validate the identity profile by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4545
- core/authorize: check for expired tokens by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4543
- core/identity: fix slow restart by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4542
- core/storage: fix nil data unmarshal by @backport-actions-token in https://github.com/pomerium/pomerium/pull/4739
Changed
- Add metric request error in log by @sylr in https://github.com/pomerium/pomerium/pull/4585
- authorize: build evaluators cache in parallel by @backport-actions-token in https://github.com/pomerium/pomerium/pull/4731
- authorize: reuse policy evaluators where possible by @kenjenkins in https://github.com/pomerium/pomerium/pull/4710
- config: do not add route headers to global map by @kenjenkins in https://github.com/pomerium/pomerium/pull/4629
- core/config: add config version, additional telemetry by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4645
- core/config: add support for maps in environments by @backport-actions-token in https://github.com/pomerium/pomerium/pull/4728
- core/config: refactor change dispatcher by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4657
- core/config: refactor file watcher by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4702
- core/config: remove version by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4653
- core/controlplane: apply configuration changes in a background thread by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4649
- core/envoy: fix remove cookie lua script by @backport-actions-token in https://github.com/pomerium/pomerium/pull/4732
- core/events: refactor the events.Target to use mutexes instead of a background goroutine by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4700
- core/filemgr: use xxhash instead of sha512 for filenames by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4697
- core/hpke: reduce memory usage from zstd by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4650
- cryptutil: remove unused functions by @kenjenkins in https://github.com/pomerium/pomerium/pull/4541
- databroker: add patch method by @kenjenkins in https://github.com/pomerium/pomerium/pull/4704
- databroker: add reconciler by @wasaga in https://github.com/pomerium/pomerium/pull/4709
- databroker: add utility recordset and changeset by @wasaga in https://github.com/pomerium/pomerium/pull/4701
- databroker: changeset: prevent nil data in the deleted records by @backport-actions-token in https://github.com/pomerium/pomerium/pull/4737
- Docs: remove tcp example by @ZPain8464 in https://github.com/pomerium/pomerium/pull/4616
- identity: override TokenSource expiry behavior by @kenjenkins in https://github.com/pomerium/pomerium/pull/4632
- identity: preserve session refresh schedule by @kenjenkins in https://github.com/pomerium/pomerium/pull/4633
- identity: rework session refresh error handling by @kenjenkins in https://github.com/pomerium/pomerium/pull/4638
- integration: renew test certs by @backport-actions-token in https://github.com/pomerium/pomerium/pull/4740
- proto: add id to certificate by @wasaga in https://github.com/pomerium/pomerium/pull/4706
- protoutil: add OverwriteMasked method by @kenjenkins in https://github.com/pomerium/pomerium/pull/4651
- reconciler: allow custom comparison function by @backport-actions-token in https://github.com/pomerium/pomerium/pull/4727
- rework session updates to use new patch method by @kenjenkins in https://github.com/pomerium/pomerium/pull/4705
- storage/inmemory: implement patch operation by @kenjenkins in https://github.com/pomerium/pomerium/pull/4654
- storage/postgres: implement patch operation by @kenjenkins in https://github.com/pomerium/pomerium/pull/4656
- upgrade envoy to v1.28.0 by @kenjenkins in https://github.com/pomerium/pomerium/pull/4635
- xds: add type url to log by @wasaga in https://github.com/pomerium/pomerium/pull/4696
Dependency
- chore(deps): bump actions/checkout from 3.5.3 to 3.6.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4496
- chore(deps): bump actions/checkout from 3.6.0 to 4.0.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4562
- chore(deps): bump actions/checkout from 4.0.0 to 4.1.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4611
- chore(deps): bump actions/setup-go from 4.0.1 to 4.1.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4497
- chore(deps): bump actions/setup-node from 3.7.0 to 3.8.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4501
- chore(deps): bump actions/upload-artifact from 3.1.2 to 3.1.3 by @dependabot in https://github.com/pomerium/pomerium/pull/4557
- chore(deps): bump busybox from
caa382c
to3fbc632
in /.github by @dependabot in https://github.com/pomerium/pomerium/pull/4549 - chore(deps): bump cloud.google.com/go/storage from 1.31.0 to 1.32.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4518
- chore(deps): bump cloud.google.com/go/storage from 1.32.0 to 1.33.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4579
- chore(deps): bump coverallsapp/github-action from 2.2.1 to 2.2.3 by @dependabot in https://github.com/pomerium/pomerium/pull/4560
- chore(deps): bump distroless/base from
b0216a3
to46c5b9b
in /.github by @dependabot in https://github.com/pomerium/pomerium/pull/4550 - chore(deps): bump docker/build-push-action from 4.1.1 to 5.0.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4554
- chore(deps): bump docker/login-action from 2.2.0 to 3.0.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4552
- chore(deps): bump docker/metadata-action from 4.6.0 to 5.0.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4553
- chore(deps): bump docker/setup-buildx-action from 2.9.1 to 2.10.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4498
- chore(deps): bump docker/setup-buildx-action from 2.10.0 to 3.0.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4555
- chore(deps): bump docker/setup-qemu-action from 2.2.0 to 3.0.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4559
- chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.32 to 1.18.38 by @dependabot in https://github.com/pomerium/pomerium/pull/4522
- chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.38 to 1.18.40 by @dependabot in https://github.com/pomerium/pomerium/pull/4581
- chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.40 to 1.18.42 by @dependabot in https://github.com/pomerium/pomerium/pull/4599
- chore(deps): bump github.com/aws/aws-sdk-go-v2 from 1.20.0 to 1.21.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4524
- chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.38.1 to 1.38.5 by @dependabot in https://github.com/pomerium/pomerium/pull/4521
- chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.38.5 to 1.40.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4600
- chore(deps): bump github.com/caddyserver/certmagic from 0.19.1 to 0.19.2 by @dependabot in https://github.com/pomerium/pomerium/pull/4526
- chore(deps): bump github.com/CAFxX/httpcompression from 0.0.8 to 0.0.9 by @dependabot in https://github.com/pomerium/pomerium/pull/4572
- chore(deps): bump github.com/docker/docker from 24.0.2+incompatible to 24.0.6+incompatible by @dependabot in https://github.com/pomerium/pomerium/pull/4570
- chore(deps): bump github.com/docker/docker from 24.0.6+incompatible to 24.0.7+incompatible by @dependabot in https://github.com/pomerium/pomerium/pull/4646
- chore(deps): bump github.com/google/uuid from 1.3.0 to 1.3.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4517
- chore(deps): bump github.com/hashicorp/golang-lru/v2 from 2.0.4 to 2.0.6 by @dependabot in https://github.com/pomerium/pomerium/pull/4528
- chore(deps): bump github.com/hashicorp/golang-lru/v2 from 2.0.6 to 2.0.7 by @dependabot in https://github.com/pomerium/pomerium/pull/4607
- chore(deps): bump github.com/jackc/pgx/v5 from 5.4.2 to 5.4.3 by @dependabot in https://github.com/pomerium/pomerium/pull/4531
- chore(deps): bump github.com/klauspost/compress from 1.16.7 to 1.17.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4566
- chore(deps): bump github.com/minio/minio-go/v7 from 7.0.61 to 7.0.63 by @dependabot in https://github.com/pomerium/pomerium/pull/4527
- chore(deps): bump github.com/open-policy-agent/opa from 0.55.0 to 0.56.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4530
- chore(deps): bump github.com/open-policy-agent/opa from 0.56.0 to 0.57.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4606
- chore(deps): bump github.com/openzipkin/zipkin-go from 0.4.1 to 0.4.2 by @dependabot in https://github.com/pomerium/pomerium/pull/4523
- chore(deps): bump github.com/prometheus/client_golang from 1.16.0 to 1.17.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4603
- chore(deps): bump github.com/prometheus/procfs from 0.11.1 to 0.12.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4602
- chore(deps): bump github.com/rs/cors from 1.9.0 to 1.10.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4574
- chore(deps): bump github.com/rs/cors from 1.10.0 to 1.10.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4601
- chore(deps): bump github.com/rs/zerolog from 1.30.0 to 1.31.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4598
- chore(deps): bump github.com/shirou/gopsutil/v3 from 3.23.7 to 3.23.8 by @dependabot in https://github.com/pomerium/pomerium/pull/4519
- chore(deps): bump github.com/shirou/gopsutil/v3 from 3.23.8 to 3.23.9 by @dependabot in https://github.com/pomerium/pomerium/pull/4605
- chore(deps): bump golangci/golangci-lint-action from 3.6.0 to 3.7.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4499
- chore(deps): bump google.golang.org/api from 0.134.0 to 0.138.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4532
- chore(deps): bump google.golang.org/api from 0.138.0 to 0.141.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4578
- chore(deps): bump google.golang.org/api from 0.141.0 to 0.143.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4608
- chore(deps): bump google.golang.org/grpc from 1.57.0 to 1.58.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4575
- chore(deps): bump google.golang.org/grpc from 1.58.2 to 1.58.3 by @dependabot in https://github.com/pomerium/pomerium/pull/4640
- chore(deps): bump golang.org/x/net from 0.15.0 to 0.17.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4626
- chore(deps): bump golang.org/x/oauth2 from 0.11.0 to 0.12.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4580
- chore(deps): bump goreleaser/goreleaser-action from 4.3.0 to 4.4.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4502
- chore(deps): bump goreleaser/goreleaser-action from 4.4.0 to 5.0.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4563
- chore(deps): bump go.uber.org/zap from 1.24.0 to 1.25.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4516
- chore(deps): bump go.uber.org/zap from 1.25.0 to 1.26.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4577
- chore(deps): bump mikefarah/yq from 4.34.2 to 4.35.1 by @dependabot in https://github.com/pomerium/pomerium/pull/4503
- chore(deps): bump mikefarah/yq from 4.35.1 to 4.35.2 by @dependabot in https://github.com/pomerium/pomerium/pull/4610
- chore(deps): bump node from
f41231b
to7923c64
by @dependabot in https://github.com/pomerium/pomerium/pull/4551 - chore(deps): bump node from
7923c64
to2daec43
by @dependabot in https://github.com/pomerium/pomerium/pull/4609 - chore(deps): bump node from
850d8e1
tof41231b
by @dependabot in https://github.com/pomerium/pomerium/pull/4533 - chore(deps): bump tibdex/github-app-token from 1.8.0 to 1.8.2 by @dependabot in https://github.com/pomerium/pomerium/pull/4505
- chore(deps): bump tibdex/github-app-token from 1.8.2 to 2.0.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4556
- chore(deps): bump tibdex/github-app-token from 2.0.0 to 2.1.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4612
- chore(deps): bump @fontsource/dm-mono from 4.5.2 to 5.0.11 in /ui by @dependabot in https://github.com/pomerium/pomerium/pull/4515
- chore(deps): bump @fontsource/dm-mono from 5.0.11 to 5.0.12 in /ui by @dependabot in https://github.com/pomerium/pomerium/pull/4573
- chore(deps): bump @fontsource/dm-mono from 5.0.12 to 5.0.14 in /ui by @dependabot in https://github.com/pomerium/pomerium/pull/4619
- chore(deps): bump @fontsource/dm-sans from 5.0.3 to 5.0.11 in /ui by @dependabot in https://github.com/pomerium/pomerium/pull/4508
- chore(deps): bump @fontsource/dm-sans from 5.0.11 to 5.0.12 in /ui by @dependabot in https://github.com/pomerium/pomerium/pull/4561
- chore(deps): bump @fontsource/dm-sans from 5.0.12 to 5.0.13 in /ui by @dependabot in https://github.com/pomerium/pomerium/pull/4593
- chore(deps): bump @mui/icons-material from 5.3.1 to 5.14.9 in /ui by @dependabot in https://github.com/pomerium/pomerium/pull/4567
- chore(deps-dev): bump ts-node from 10.4.0 to 10.9.1 in /ui by @dependabot in https://github.com/pomerium/pomerium/pull/4279
- core/go: upgrade go.mod by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4711
v0.23.0 (2023-08-24)
New
- adds success colors for statuses in the 200 range #4314 (@nhayfield)
- authenticate: add aws cognito #4137 (@wasaga)
- authorize: log id token claims separately from id token #4394 (@calebdoxsey)
- config: add cookie_same_site option #4148 (@calebdoxsey)
- hpke: compress query string #4147 (@calebdoxsey)
Fixed
- autocert: suppress OCSP stapling errors #4371 (@calebdoxsey)
- config: update logic for checking overlapping certificates #4216 (@calebdoxsey)
- config: validate log levels #4367 (@calebdoxsey)
- databroker: fix fast forward #4192 (@calebdoxsey)
- databroker: sort configs #4190 (@calebdoxsey)
- envoy: set re2 limits very high #4187 (@calebdoxsey)
- envoyconfig: disable validation context when no client certificates are required #4151 (@calebdoxsey)
- fix WillHaveCertificateForServerName check to be strict match for derived cert name #4167 (@wasaga)
Dependency
- chore(deps): bump actions/checkout from 3.5.0 to 3.5.2 #4153 (@dependabot[bot])
- chore(deps): bump actions/checkout from 3.5.2 to 3.5.3 #4239 (@dependabot[bot])
- chore(deps): bump actions/setup-go from 4.0.0 to 4.0.1 #4176 (@dependabot[bot])
- chore(deps): bump actions/setup-node from 3.6.0 to 3.7.0 #4432 (@dependabot[bot])
- chore(deps): bump actions/setup-python from 4.6.0 to 4.6.1 #4203 (@dependabot[bot])
- chore(deps): bump actions/setup-python from 4.6.1 to 4.7.0 #4429 (@dependabot[bot])
- chore(deps): bump cloud.google.com/go/storage from 1.29.0 to 1.30.1 #4221 (@dependabot[bot])
- chore(deps): bump cloud.google.com/go/storage from 1.30.1 to 1.31.0 #4332 (@dependabot[bot])
- chore(deps): bump coverallsapp/github-action from 2.1.2 to 2.2.0 #4241 (@dependabot[bot])
- chore(deps): bump coverallsapp/github-action from 2.2.0 to 2.2.1 #4430 (@dependabot[bot])
- chore(deps): bump debian from
1fbdbcf
to4291be2
#4160 (@dependabot[bot]) - chore(deps): bump debian from
4291be2
tocd9b6e7
#4206 (@dependabot[bot]) - chore(deps): bump docker/build-push-action from 4.0.0 to 4.1.1 #4264 (@dependabot[bot])
- chore(deps): bump docker/login-action from 2.1.0 to 2.2.0 #4274 (@dependabot[bot])
- chore(deps): bump docker/metadata-action from 4.4.0 to 4.5.0 #4242 (@dependabot[bot])
- chore(deps): bump docker/metadata-action from 4.5.0 to 4.6.0 #4273 (@dependabot[bot])
- chore(deps): bump docker/setup-buildx-action from 2.4.1 to 2.5.0 #4154 (@dependabot[bot])
- chore(deps): bump docker/setup-buildx-action from 2.5.0 to 2.7.0 #4262 (@dependabot[bot])
- chore(deps): bump docker/setup-buildx-action from 2.7.0 to 2.8.0 #4330 (@dependabot[bot])
- chore(deps): bump docker/setup-buildx-action from 2.8.0 to 2.9.1 #4433 (@dependabot[bot])
- chore(deps): bump docker/setup-qemu-action from 2.1.0 to 2.2.0 #4263 (@dependabot[bot])
- chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.21 to 1.18.25 #4208 (@dependabot[bot])
- chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.25 to 1.18.27 #4286 (@dependabot[bot])
- chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.27 to 1.18.32 #4436 (@dependabot[bot])
- chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.31.2 to 1.33.0 #4139 (@dependabot[bot])
- chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.33.0 to 1.34.0 #4260 (@dependabot[bot])
- chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.34.0 to 1.34.1 #4290 (@dependabot[bot])
- chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.34.1 to 1.36.0 #4323 (@dependabot[bot])
- chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.36.0 to 1.38.1 #4435 (@dependabot[bot])
- chore(deps): bump github.com/caddyserver/certmagic from 0.17.2 to 0.18.0 #4291 (@dependabot[bot])
- chore(deps): bump github.com/caddyserver/certmagic from 0.18.0 to 0.18.2 #4334 (@dependabot[bot])
- chore(deps): bump github.com/caddyserver/certmagic from 0.18.2 to 0.19.1 #4401 (@dependabot[bot])
- chore(deps): bump github.com/cenkalti/backoff/v4 from 4.2.0 to 4.2.1 #4156 (@dependabot[bot])
- chore(deps): bump github.com/cloudflare/circl from 1.3.2 to 1.3.3 #4158 (@dependabot[bot])
- chore(deps): bump github.com/coreos/go-oidc/v3 from 3.5.0 to 3.6.0 #4226 (@dependabot[bot])
- chore(deps): bump github.com/docker/distribution from 2.8.1+incompatible to 2.8.2+incompatible #4170 (@dependabot[bot])
- chore(deps): bump github.com/docker/docker from 23.0.3+incompatible to 23.0.5+incompatible #4141 (@dependabot[bot])
- chore(deps): bump github.com/docker/docker from 23.0.5+incompatible to 23.0.6+incompatible #4164 (@dependabot[bot])
- chore(deps): bump github.com/docker/docker from 23.0.6+incompatible to 24.0.1+incompatible #4183 (@dependabot[bot])
- chore(deps): bump github.com/docker/docker from 24.0.1+incompatible to 24.0.2+incompatible #4205 (@dependabot[bot])
- chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 1.0.0 to 1.0.1 #4185 (@dependabot[bot])
- chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 1.0.1 to 1.0.2 #4329 (@dependabot[bot])
- chore(deps): bump github.com/envoyproxy/go-control-plane from 0.11.0 to 0.11.1 #4247 (@dependabot[bot])
- chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.10.1 to 1.0.0 #4155 (@dependabot[bot])
- chore(deps): bump github.com/go-chi/chi/v5 from 5.0.8 to 5.0.10 #4407 (@dependabot[bot])
- chore(deps): bump github.com/hashicorp/golang-lru/v2 from 2.0.2 to 2.0.3 #4267 (@dependabot[bot])
- chore(deps): bump github.com/hashicorp/golang-lru/v2 from 2.0.3 to 2.0.4 #4327 (@dependabot[bot])
- chore(deps): bump github.com/jackc/pgx/v5 from 5.3.1 to 5.4.0 #4293 (@dependabot[bot])
- chore(deps): bump github.com/jackc/pgx/v5 from 5.4.0 to 5.4.1 #4324 (@dependabot[bot])
- chore(deps): bump github.com/jackc/pgx/v5 from 5.4.1 to 5.4.2 #4409 (@dependabot[bot])
- chore(deps): bump github.com/klauspost/compress from 1.16.0 to 1.16.5 #4177 (@dependabot[bot])
- chore(deps): bump github.com/klauspost/compress from 1.16.5 to 1.16.6 #4281 (@dependabot[bot])
- chore(deps): bump github.com/mholt/acmez from 1.1.0 to 1.1.1 #4184 (@dependabot[bot])
- chore(deps): bump github.com/minio/minio-go/v7 from 7.0.52 to 7.0.55 #4202 (@dependabot[bot])
- chore(deps): bump github.com/minio/minio-go/v7 from 7.0.55 to 7.0.56 #4243 (@dependabot[bot])
- chore(deps): bump github.com/minio/minio-go/v7 from 7.0.56 to 7.0.57 #4280 (@dependabot[bot])
- chore(deps): bump github.com/minio/minio-go/v7 from 7.0.57 to 7.0.59 #4333 (@dependabot[bot])
- chore(deps): bump github.com/minio/minio-go/v7 from 7.0.59 to 7.0.61 #4415 (@dependabot[bot])
- chore(deps): bump github.com/open-policy-agent/opa from 0.51.0 to 0.52.0 #4142 (@dependabot[bot])
- chore(deps): bump github.com/open-policy-agent/opa from 0.52.0 to 0.53.1 #4235 (@dependabot[bot])
- chore(deps): bump github.com/open-policy-agent/opa from 0.54.0 to 0.55.0 #4404 (@dependabot[bot])
- chore(deps): bump github.com/prometheus/procfs from 0.10.1 to 0.11.0 #4276 (@dependabot[bot])
- chore(deps): bump github.com/prometheus/procfs from 0.11.0 to 0.11.1 #4400 (@dependabot[bot])
- chore(deps): bump github.com/prometheus/client_golang from 1.15.0 to 1.15.1 #4157 (@dependabot[bot])
- chore(deps): bump github.com/prometheus/client_golang from 1.15.1 to 1.16.0 #4268 (@dependabot[bot])
- chore(deps): bump github.com/prometheus/client_model from 0.3.0 to 0.4.0 #4162 (@dependabot[bot])
- chore(deps): bump github.com/prometheus/common from 0.42.0 to 0.43.0 #4172 (@dependabot[bot])
- chore(deps): bump github.com/prometheus/common from 0.43.0 to 0.44.0 #4244 (@dependabot[bot])
- chore(deps): bump github.com/peterbourgon/ff/v3 from 3.3.0 to 3.3.1 #4204 (@dependabot[bot])
- chore(deps): bump github.com/peterbourgon/ff/v3 from 3.3.1 to 3.3.2 #4248 (@dependabot[bot])
- chore(deps): bump github.com/peterbourgon/ff/v3 from 3.3.2 to 3.4.0 #4399 (@dependabot[bot])
- chore(deps): bump github.com/rs/cors from 1.8.3 to 1.9.0 #4179 (@dependabot[bot])
- chore(deps): bump github.com/rs/zerolog from 1.29.1 to 1.30.0 #4406 (@dependabot[bot])
- chore(deps): bump github.com/shirou/gopsutil/v3 from 3.23.3 to 3.23.4 #4165 (@dependabot[bot])
- chore(deps): bump github.com/shirou/gopsutil/v3 from 3.23.4 to 3.23.5 #4225 (@dependabot[bot])
- chore(deps): bump github.com/shirou/gopsutil/v3 from 3.23.5 to 3.23.6 #4328 (@dependabot[bot])
- chore(deps): bump github.com/shirou/gopsutil/v3 from 3.23.6 to 3.23.7 #4402 (@dependabot[bot])
- chore(deps): bump github.com/spf13/viper from 1.15.0 to 1.16.0 #4296 (@dependabot[bot])
- chore(deps): bump github.com/stretchr/testify from 1.8.2 to 1.8.3 #4200 (@dependabot[bot])
- chore(deps): bump golangci/golangci-lint-action from 3.5.0 to 3.6.0 #4238 (@dependabot[bot])
- chore(deps): bump golang from 1.20.3-buster to 1.20.4-buster #4161 (@dependabot[bot])
- chore(deps): bump golang from 1.20.4-buster to 1.20.5-buster #4227 (@dependabot[bot])
- chore(deps): bump golang from
b0f97bf
toeb3f9ac
#4271 (@dependabot[bot]) - chore(deps): bump golang from
4cf6dc4
to6be6011
#4207 (@dependabot[bot]) - chore(deps): bump google.golang.org/api from 0.118.0 to 0.120.0 #4143 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.120.0 to 0.121.0 #4159 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.121.0 to 0.125.0 #4222 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.121.0 to 0.126.0 #4236 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.126.0 to 0.128.0 #4283 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.128.0 to 0.130.0 #4348 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.130.0 to 0.134.0 #4403 (@dependabot[bot])
- chore(deps): bump google.golang.org/grpc from 1.54.0 to 1.55.0 #4166 (@dependabot[bot])
- chore(deps): bump google.golang.org/grpc from 1.55.0 to 1.56.0 #4278 (@dependabot[bot])
- chore(deps): bump google.golang.org/grpc from 1.56.1 to 1.57.0 #4411 (@dependabot[bot])
- chore(deps): bump google.golang.org/protobuf from 1.30.0 to 1.31.0 #4325 (@dependabot[bot])
- chore(deps): bump golang.org/x/crypto from 0.8.0 to 0.9.0 #4182 (@dependabot[bot])
- chore(deps): bump golang.org/x/crypto from 0.9.0 to 0.10.0 #4266 (@dependabot[bot])
- chore(deps): bump golang.org/x/net from 0.9.0 to 0.10.0 #4174 (@dependabot[bot])
- chore(deps): bump golang.org/x/oauth2 from 0.7.0 to 0.8.0 #4178 (@dependabot[bot])
- chore(deps): bump golang.org/x/oauth2 from 0.8.0 to 0.9.0 #4287 (@dependabot[bot])
- chore(deps): bump golang.org/x/sync from 0.1.0 to 0.2.0 #4163 (@dependabot[bot])
- chore(deps): bump golang.org/x/sync from 0.2.0 to 0.3.0 #4294 (@dependabot[bot])
- chore(deps): bump google-github-actions/auth from 1.1.0 to 1.1.1 #4173 (@dependabot[bot])
- chore(deps): bump google-github-actions/setup-gcloud from 1.1.0 to 1.1.1 #4175 (@dependabot[bot])
- chore(deps): bump goreleaser/goreleaser-action from 4.2.0 to 4.3.0 #4240 (@dependabot[bot])
- chore(deps): bump markdown-to-jsx from 7.1.7 to 7.2.1 in /ui #4297 (@dependabot[bot])
- chore(deps): bump mikefarah/yq from 4.33.3 to 4.34.1 #4201 (@dependabot[bot])
- chore(deps): bump mikefarah/yq from 4.34.1 to 4.34.2 #4431 (@dependabot[bot])
- chore(deps): bump node from
3801c22
to850d8e1
#4416 (@dependabot[bot]) - chore(deps): bump node from
05824f7
to3801c22
#4322 (@dependabot[bot]) - chore(deps): bump node from
f658ece
to05824f7
#4272 (@dependabot[bot]) - chore(deps): bump node from
df5a66e
tof658ece
#4252 (@dependabot[bot]) - chore(deps): bump react-feather from 2.0.9 to 2.0.10 in /ui #4306 (@dependabot[bot])
- chore(deps): bump semver from 6.3.0 to 6.3.1 in /ui #4350 (@dependabot[bot])
- chore(deps): bump word-wrap from 1.2.3 to 1.2.4 in /ui #4369 (@dependabot[bot])
- chore(deps): bump @emotion/styled from 11.6.0 to 11.11.0 in /ui #4277 (@dependabot[bot])
- chore(deps): bump @fontsource/dm-sans from 4.5.1 to 5.0.3 in /ui #4307 (@dependabot[bot])
- chore(deps-dev): bump typescript from 4.5.5 to 5.1.3 in /ui #4289 (@dependabot[bot])
- chore(deps-dev): bump @typescript-eslint/parser from 5.10.2 to 5.59.11 in /ui #4282 (@dependabot[bot])
- dependencies: pin node to lts #4218 (@wasaga)
- dependencies: upgrade otel #4395 (@calebdoxsey)
Changed
- add downstream mTLS integration test cases (main) #4234 (@kenjenkins)
- add integration test for client_crl setting #4384 (@kenjenkins)
- add integration test for https IP address route #4476 (@kenjenkins)
- add integration test for Pomerium JWT #4472 (@kenjenkins)
- add JWT timestamp formatting workaround #4270 (@kenjenkins)
- authenticate: remove extraneous error log #4319 (@kenjenkins)
- authorize: add support for logging id token #4392 (@calebdoxsey)
- authorize: allow client certificate intermediates #4451 (@kenjenkins)
- authorize: check CRLs only for leaf certificates #4480 (@kenjenkins)
- authorize: do not redirect if invalid client cert #4344 (@kenjenkins)
- authorize: do not rely on Envoy client cert validation #4438 (@kenjenkins)
- authorize: fix policy numbers in evaluator test #4387 (@kenjenkins)
- authorize: implement client certificate CRL check #4439 (@kenjenkins)
- authorize: incorporate mTLS validation from Envoy #4374 (@kenjenkins)
- authorize: remove a nolint directive #4375 (@kenjenkins)
- authorize: remove incorrect "valid-client-certificate" reason #4470 (@kenjenkins)
- authorize: remove JWT timestamp format workaround #4321 (@kenjenkins)
- authorize: rework token substitution in headers #4456 (@kenjenkins)
- autocert: use new OCSP error type #4437 (@kenjenkins)
- chore: unnecessary use of fmt.Sprintf #4349 (@testwill)
- ci: updates #4269 (@calebdoxsey)
- config: add decode hook for the SANMatcher type #4464 (@kenjenkins)
- config: deprecate tls_downstream_client_ca #4461 (@kenjenkins)
- config: simplify default set response headers #4196 (@calebdoxsey)
- config: support client certificate SAN match #4453 (@kenjenkins)
- config: support arbitrary nested config structs #4440 (@kenjenkins)
- config: validate cookie_secure option #4484 (@kenjenkins)
- cryptutil: update CRL parsing #4454 (@kenjenkins)
- dependabot: improvements #4261 (@calebdoxsey)
- envoy: add a filter to store client cert info #4372 (@kenjenkins)
- envoy: check for nil ssl() in client cert script #4466 (@kenjenkins)
- envoy: configure upstream IP SAN match as needed #4380 (@kenjenkins)
- envoy: separate gRPC listener configuration #4365 (@kenjenkins)
- fix lint warning in pkg/envoy #4181 (@kenjenkins)
- improve certificate matching performance #4186 (@calebdoxsey)
- logs: add ip address to access logs #4391 (@calebdoxsey)
- organize go.mod #4320 (@kenjenkins)
- pin to a debian:latest image for casource base image #4250 (@kenjenkins)
- replace docker publish action ::set-output usage #4359 (@kenjenkins)
- storage: add indexes for postgres #4479 (@calebdoxsey)
- stub out HPKE public key fetch for self-hosted authenticate #4360 (@kenjenkins)
- upgrade main #4457 (@wasaga)
- Update README.md #4146 (@desimone)
- Update SECURITY.md #4144 (@desimone)
v0.22.3 (2023-08-21)
Changed
- add integration test for https IP address route #4477 (@kenjenkins)
- add integration test for Pomerium JWT #4473 (@kenjenkins)
- add JWT timestamp formatting workaround #4309 (@backport-actions-token[bot])
- authorize: populate issuer even when policy is nil #4213 (@backport-actions-token[bot])
- autocert: suppress OCSP stapling errors #4373 (@backport-actions-token[bot])
- backport #4368 (@calebdoxsey)
- ci: fix lint workflow (#4229) #4311 (@kenjenkins)
- config: update logic for checking overlapping certificates (#4216) #4217 (@calebdoxsey)
- config: simplify default set response headers #4212 (@backport-actions-token[bot])
- envoy: configure upstream IP SAN match as needed #4382 (@backport-actions-token[bot])
- github-actions: remove license check #4475 (@kenjenkins)
- pin to a debian:latest image for casource base image (#4250) #4310 (@kenjenkins)
v0.22.2 (2023-05-26)
Security
- This release fixes a bug whereby specially crafted requests could result in incorrect authorization decisions made by Pomerium. CVE-2023-33189.
Changed
- databroker: sort configs by @backport-actions-token in https://github.com/pomerium/pomerium/pull/4191
- databroker: fix fast forward by @backport-actions-token in https://github.com/pomerium/pomerium/pull/4194
- envoy: set re2 limits very high by @backport-actions-token in https://github.com/pomerium/pomerium/pull/4189
- fix WillHaveCertificateForServerName check to be strict match for derived cert name by @backport-actions-token in https://github.com/pomerium/pomerium/pull/4169
- improve certificate matching performance by @backport-actions-token in https://github.com/pomerium/pomerium/pull/4188
v0.22.1 (2023-05-04)
Changed
- envoyconfig: disable validation context when no client certificates are required by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4152
v0.22.0 (2023-05-01)
Security
- Pomerium upgraded to Go v1.20.3 and Envoy v1.24.5 to address security issues exposed in these packages. See the release notes in the links for more information.
Changed
- add google cloud creds to ignore #3906 (@wasaga)
- apple: fix userinfo #3974 (@calebdoxsey)
- Appleid #3959 (@mnestor)
- authenticate: add events #4051 (@wasaga)
- authenticate: don't require a session for sign_out #4009 (@backport-actions-token[bot])
- authenticate: fix callback handler for split mode #4008 (@wasaga)
- chore(deps): bump actions/checkout from 3.4.0 to 3.5.0 #4078 (@dependabot[bot])
- chore(deps): bump docker/setup-buildx-action from 2.2.1 to 2.4.0 #3924 (@dependabot[bot])
- config: remove source, remove deadcode, fix linting issues #4118 (@calebdoxsey)
- databroker: add list types method #3937 (@calebdoxsey)
- envoy: optimize listener #3952 (@wasaga)
- maybe fix flaky test #3929 (@calebdoxsey)
- move hpke public key handler out of internal #4065 (@wasaga)
- remove log message when no provider defined #3936 (@calebdoxsey)
- Update SECURITY.md #4145 (@backport-actions-token[bot])
- webauthn: only return known device credentials that match the given type #3981 (@calebdoxsey)
New
- authenticate: fix authenticate_internal_service_url for all in one #4003 (@wasaga)
- authenticate: have an option to trim the contents of the callback #4090 (@wasaga)
- authenticate: only use csrf none for apple #3979 (@calebdoxsey)
- config: default to authenticate.pomerium.app when authenticate url is not specified #4132 (@calebdoxsey)
- cryptutil: generate certificates from deriveca #3992 (@calebdoxsey)
- envoyconfig: preserve case of HTTP headers when using HTTP/1 #3956 (@calebdoxsey)
- support loading route configuration via rds #4098 (@calebdoxsey)
- urlutil: add version to query string #4028 (@calebdoxsey)
Fixed
- authenticate: always trust the passed in idp #3917 (@calebdoxsey)
- authenticate: don't require a session for sign_out #4007 (@calebdoxsey)
- authenticate: fix identity provider id in encrypted query string #4006 (@calebdoxsey)
- authenticate: save the session cookie with a different name #3978 (@calebdoxsey)
- authorize: allow access to /.pomerium/webauthn when policy denies access #4015 (@calebdoxsey)
- authorize: move sign out and jwks urls to route, update issuer for JWT #4046 (@calebdoxsey)
- autocert: fix certmagic cache logging #4134 (@calebdoxsey)
- config: fix set_response_headers #4026 (@calebdoxsey)
- derivecert: fix ecdsa code to be deterministic #3989 (@calebdoxsey)
- fix webauthn url #3983 (@calebdoxsey)
- hpke: move published public keys to a new endpoint #4044 (@calebdoxsey)
- identity: fix nil reference error when there is no authenticator #3930 (@calebdoxsey)
- lua: fix rewrite response headers to handle dashes in URLs #3980 (@calebdoxsey)
- store authenticate state on creation #4064 (@wasaga)
- tls: wildcard catch-all cert must be at the end of cert list #4119 (@wasaga)
Dependency
- chore(deps): bump actions/cache from 3.2.3 to 3.2.4 #3923 (@dependabot[bot])
- chore(deps): bump actions/cache from 3.2.4 to 3.2.5 #3962 (@dependabot[bot])
- chore(deps): bump actions/cache from 3.2.5 to 3.2.6 #4019 (@dependabot[bot])
- chore(deps): bump actions/cache from 3.2.6 to 3.3.1 #4054 (@dependabot[bot])
- chore(deps): bump actions/checkout from 3.3.0 to 3.4.0 #4068 (@dependabot[bot])
- chore(deps): bump actions/checkout from 3.5.0 to 3.5.2 #4108 (@dependabot[bot])
- chore(deps): bump actions/setup-go from 3.5.0 to 4.0.0 #4067 (@dependabot[bot])
- chore(deps): bump actions/setup-python from 4.5.0 to 4.6.0 #4123 (@dependabot[bot])
- chore(deps): bump actions/stale from 7.0.0 to 8.0.0 #4077 (@dependabot[bot])
- chore(deps): bump cloud.google.com/go/storage from 1.28.1 to 1.29.0 #3912 (@dependabot[bot])
- chore(deps): bump coverallsapp/github-action from 1.1.3 to 1.2.2 #4017 (@dependabot[bot])
- chore(deps): bump coverallsapp/github-action from 1.2.2 to 1.2.4 #4041 (@dependabot[bot])
- chore(deps): bump coverallsapp/github-action from 1.2.4 to 2.0.0 #4069 (@dependabot[bot])
- chore(deps): bump coverallsapp/github-action from 2.0.0 to 2.1.0 #4100 (@dependabot[bot])
- chore(deps): bump coverallsapp/github-action from 2.1.0 to 2.1.2 #4124 (@dependabot[bot])
- chore(deps): bump debian from
12931ad
to50cf570
#3950 (@dependabot[bot]) - chore(deps): bump debian from
50cf570
to7b16406
#3970 (@dependabot[bot]) - chore(deps): bump debian from
7b16406
toc1c4bb9
#4042 (@dependabot[bot]) - chore(deps): bump debian from
c1c4bb9
tod4bbca2
#4085 (@dependabot[bot]) - chore(deps): bump debian from
d4bbca2
to1fbdbcf
#4115 (@dependabot[bot]) - chore(deps): bump distroless/base from
4f9fe94
to9687cd3
#3968 (@dependabot[bot]) - chore(deps): bump distroless/base from
5812871
to357bc96
#4102 (@dependabot[bot]) - chore(deps): bump distroless/base from
76b0529
to4f9fe94
#3948 (@dependabot[bot]) - chore(deps): bump distroless/base from
8e770ae
to5812871
#4025 (@dependabot[bot]) - chore(deps): bump distroless/base from
9687cd3
to8e770ae
#3995 (@dependabot[bot]) - chore(deps): bump distroless/base from
9eeffdc
to76b0529
#3928 (@dependabot[bot]) - chore(deps): bump docker/build-push-action from 3.3.0 to 4.0.0 #3942 (@dependabot[bot])
- chore(deps): bump docker/metadata-action from 4.3.0 to 4.4.0 #4122 (@dependabot[bot])
- chore(deps): bump docker/setup-buildx-action from 2.4.0 to 2.4.1 #3941 (@dependabot[bot])
- chore(deps): bump docker/setup-buildx-action from 2.4.1 to 2.5.0 #4055 (@dependabot[bot])
- chore(deps): bump fossa-contrib/fossa-action from 1.2.0 to 2.0.0 #3961 (@dependabot[bot])
- chore(deps): bump github.com/aws/aws-sdk-go-v2 from 1.17.3 to 1.17.4 #3946 (@dependabot[bot])
- chore(deps): bump github.com/aws/aws-sdk-go-v2 from 1.17.5 to 1.17.6 #4059 (@dependabot[bot])
- chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.10 to 1.18.14 #4002 (@dependabot[bot])
- chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.14 to 1.18.15 #4018 (@dependabot[bot])
- chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.15 to 1.18.18 #4070 (@dependabot[bot])
- chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.18 to 1.18.19 #4080 (@dependabot[bot])
- chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.19 to 1.18.21 #4126 (@dependabot[bot])
- chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.8 to 1.18.10 #3927 (@dependabot[bot])
- chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.30.0 to 1.30.1 #3925 (@dependabot[bot])
- chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.30.1 to 1.30.2 #3944 (@dependabot[bot])
- chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.30.2 to 1.30.3 #3998 (@dependabot[bot])
- chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.30.3 to 1.30.5 #4024 (@dependabot[bot])
- chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.30.5 to 1.31.2 #4106 (@dependabot[bot])
- chore(deps): bump github.com/cloudflare/circl from 1.3.1 to 1.3.2 #3947 (@dependabot[bot])
- chore(deps): bump github.com/docker/docker from 20.10.22+incompatible to 20.10.23+incompatible #3911 (@dependabot[bot])
- chore(deps): bump github.com/docker/docker from 20.10.23+incompatible to 23.0.1+incompatible #3967 (@dependabot[bot])
- chore(deps): bump github.com/docker/docker from 23.0.1+incompatible to 23.0.3+incompatible #4101 (@dependabot[bot])
- chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.10.0 to 0.10.1 #4083 (@dependabot[bot])
- chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.9.1 to 0.10.0 #4074 (@dependabot[bot])
- chore(deps): bump github.com/golangci/golangci-lint from 1.50.1 to 1.51.2 #4020 (@dependabot[bot])
- chore(deps): bump github.com/google/go-jsonnet from 0.19.1 to 0.20.0 #4140 (@dependabot[bot])
- chore(deps): bump github.com/hashicorp/golang-lru/v2 from 2.0.1 to 2.0.2 #4073 (@dependabot[bot])
- chore(deps): bump github.com/jackc/pgx/v5 from 5.2.0 to 5.3.0 #3964 (@dependabot[bot])
- chore(deps): bump github.com/jackc/pgx/v5 from 5.3.0 to 5.3.1 #4039 (@dependabot[bot])
- chore(deps): bump github.com/mholt/acmez from 1.0.4 to 1.1.0 #4000 (@dependabot[bot])
- chore(deps): bump github.com/minio/minio-go/v7 from 7.0.47 to 7.0.50 #4081 (@dependabot[bot])
- chore(deps): bump github.com/minio/minio-go/v7 from 7.0.50 to 7.0.52 #4128 (@dependabot[bot])
- chore(deps): bump github.com/natefinch/atomic from 0.0.0-20200526193002-18c0533a5b09 to 1.0.1 #4021 (@dependabot[bot])
- chore(deps): bump github.com/open-policy-agent/opa from 0.48.0 to 0.49.2 #4023 (@dependabot[bot])
- chore(deps): bump github.com/open-policy-agent/opa from 0.49.2 to 0.50.0 #4056 (@dependabot[bot])
- chore(deps): bump github.com/open-policy-agent/opa from 0.49.2 to 0.51.0 #4130 (@dependabot[bot])
- chore(deps): bump github.com/open-policy-agent/opa from 0.50.0 to 0.50.1 #4072 (@dependabot[bot])
- chore(deps): bump github.com/open-policy-agent/opa from 0.50.1 to 0.51.0 #4093 (@dependabot[bot])
- chore(deps): bump github.com/opencontainers/runc from 1.1.2 to 1.1.5 #4088 (@dependabot[bot])
- chore(deps): bump github.com/ory/dockertest/v3 from 3.9.1 to 3.10.0 #4111 (@dependabot[bot])
- chore(deps): bump github.com/prometheus/client_golang from 1.14.0 to 1.15.0 #4110 (@dependabot[bot])
- chore(deps): bump github.com/prometheus/common from 0.39.0 to 0.41.0 #4035 (@dependabot[bot])
- chore(deps): bump github.com/rs/zerolog from 1.28.0 to 1.29.0 #3920 (@dependabot[bot])
- chore(deps): bump github.com/rs/zerolog from 1.29.0 to 1.29.1 #4127 (@dependabot[bot])
- chore(deps): bump github.com/shirou/gopsutil/v3 from 3.23.1 to 3.23.2 #4037 (@dependabot[bot])
- chore(deps): bump github.com/shirou/gopsutil/v3 from 3.23.2 to 3.23.3 #4129 (@dependabot[bot])
- chore(deps): bump github.com/spf13/viper from 1.14.0 to 1.15.0 #3910 (@dependabot[bot])
- chore(deps): bump github.com/VictoriaMetrics/fastcache from 1.12.0 to 1.12.1 #4057 (@dependabot[bot])
- chore(deps): bump github.com/yuin/gopher-lua from 0.0.0-20200816102855-ee81675732da to 1.1.0 #4022 (@dependabot[bot])
- chore(deps): bump golang from
413cd9e
to73c225b
#4114 (@dependabot[bot]) - chore(deps): bump golang from
4447a7f
tof8fbd74
#3969 (@dependabot[bot]) - chore(deps): bump golang from
57dbdd5
to97c3e1d
#4084 (@dependabot[bot]) - chore(deps): bump golang from
d99d361
to9628a1a
#4043 (@dependabot[bot]) - chore(deps): bump golang from 1.19.5-buster to 1.20.0-buster #3949 (@dependabot[bot])
- chore(deps): bump golang from 1.20.0-buster to 1.20.1-buster #3997 (@dependabot[bot])
- chore(deps): bump golang from 1.20.1-buster to 1.20.2-buster #4060 (@dependabot[bot])
- chore(deps): bump golang from 1.20.2-buster to 1.20.3-buster #4103 (@dependabot[bot])
- chore(deps): bump golang.org/x/crypto from 0.6.0 to 0.7.0 #4038 (@dependabot[bot])
- chore(deps): bump golang.org/x/crypto from 0.7.0 to 0.8.0 #4105 (@dependabot[bot])
- chore(deps): bump golang.org/x/net from 0.6.0 to 0.7.0 #3993 (@dependabot[bot])
- chore(deps): bump golang.org/x/oauth2 from 0.4.0 to 0.5.0 #3963 (@dependabot[bot])
- chore(deps): bump golang.org/x/oauth2 from 0.5.0 to 0.6.0 #4036 (@dependabot[bot])
- chore(deps): bump golang.org/x/oauth2 from 0.6.0 to 0.7.0 #4113 (@dependabot[bot])
- chore(deps): bump google-github-actions/auth from 1.0.0 to 1.1.0 #4121 (@dependabot[bot])
- chore(deps): bump google-github-actions/setup-gcloud from 1.0.1 to 1.1.0 #3943 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.107.0 to 0.108.0 #3913 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.108.0 to 0.109.0 #3940 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.109.0 to 0.110.0 #3999 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.112.0 to 0.114.0 #4096 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.114.0 to 0.116.0 #4104 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.116.0 to 0.118.0 #4112 (@dependabot[bot])
- chore(deps): bump google.golang.org/grpc from 1.52.0 to 1.52.3 #3926 (@dependabot[bot])
- chore(deps): bump google.golang.org/grpc from 1.52.3 to 1.53.0 #3965 (@dependabot[bot])
- chore(deps): bump google.golang.org/grpc from 1.53.0 to 1.54.0 #4082 (@dependabot[bot])
- chore(deps): bump goreleaser/goreleaser-action from 4.1.1 to 4.2.0 #3921 (@dependabot[bot])
- chore(deps): bump mikefarah/yq from 4.30.8 to 4.31.1 #3994 (@dependabot[bot])
- chore(deps): bump mikefarah/yq from 4.31.1 to 4.31.2 #4040 (@dependabot[bot])
- chore(deps): bump mikefarah/yq from 4.31.2 to 4.32.2 #4066 (@dependabot[bot])
- chore(deps): bump mikefarah/yq from 4.32.2 to 4.33.1 #4079 (@dependabot[bot])
- chore(deps): bump mikefarah/yq from 4.33.1 to 4.33.3 #4109 (@dependabot[bot])
- chore(deps): bump tibdex/github-app-token from 1.7.0 to 1.8.0 #3922 (@dependabot[bot])
- dependencies: upgrade go and envoy #4116 (@calebdoxsey)
v0.21.4 (2023-05-26)
Security
- This release fixes a bug whereby specially crafted requests could result in incorrect authorization decisions made by Pomerium. CVE-2023-33189.
Changed
- authorize: fix IsInternal check by @calebdoxsey in https://github.com/pomerium/pomerium/pull/4199
- autocert: fix certmagic cache logging by @backport-actions-token in https://github.com/pomerium/pomerium/pull/4135
v0.21.3 (2023-03-23)
Changed
- authorize: move sign out and jwks urls to route, update issuer for JWT #4049 (@backport-actions-token[bot])
- ci: build version branch images #4062 (@backport-actions-token[bot])
- hpke: move published public keys to a new endpoint #4048 (@backport-actions-token[bot])
v0.21.2 (2023-02-23)
Changed
- authenticate: fix identity provider id in encrypted query string #4011 (@backport-actions-token[bot])
- authenticate: fix callback handler for split mode #4010 (@backport-actions-token[bot])
- authenticate: don't require a session for sign_out #4009 (@backport-actions-token[bot])
- authenticate: fix authenticate_internal_service_url for all in one #4005 (@backport-actions-token[bot])
- derivecert: fix ecdsa code to be deterministic #3991 (@backport-actions-token[bot])
- fix webauthn url #3988 (@backport-actions-token[bot])
- webauthn: only return known device credentials that match the given type #3987 (@backport-actions-token[bot])
v0.21.1 (2023-02-16)
Changed
- authenticate: save the session cookie with a different name by @calebdoxsey in https://github.com/pomerium/pomerium/pull/3984
- lua: fix rewrite response headers to handle dashes in URLs by @calebdoxsey in https://github.com/pomerium/pomerium/pull/3986
v0.21.0 (2023-02-09)
Changed
- add google cloud creds to ignore #3907 (@backport-actions-token[bot])
- authenticate: always trust the passed in idp #3931 (@backport-actions-token[bot])
- controlplane: remove gorilla handlers dependency #3813 (@calebdoxsey)
- docker: switch to debian #3939 (@backport-actions-token[bot])
- envoyconfig: clean up filter chain construction #3844 (@calebdoxsey)
- events: remove xds configuraton update #3792 (@wasaga)
- identity: fix nil reference error when there is no authenticator #3933 (@backport-actions-token[bot])
- tls_derive: rename for consistency #3905 (@wasaga)
- use tlsClientConfig instead of custom dialer #3830 (@wasaga)
Breaking
- proxy: add userinfo and webauthn endpoints #3755 (@calebdoxsey)
- remove forward auth #3628 (@calebdoxsey)
New
- authenticate: add additional error details for hmac errors #3878 (@calebdoxsey)
- authenticate: implement hpke-based login flow #3779 (@calebdoxsey)
- authorize: log check() error #3846 (@wasaga)
- auto tls #3856 (@wasaga)
- config: add option for tls renegotiation #3773 (@calebdoxsey)
- config: add support for extended TCP route URLs #3845 (@calebdoxsey)
- derive CA from pre-shared key #3815 (@wasaga)
- explicitly list gRPC services accessible via the gRPC listener #3879 (@wasaga)
- hpke: add HPKE key to JWKS endpoint #3762 (@calebdoxsey)
- hpke: add hpke package #3761 (@calebdoxsey)
- httputil: add cookie chunker #3775 (@calebdoxsey)
- httputil: ignore errors < 400 #3781 (@calebdoxsey)
- identity: add identity profile #3777 (@calebdoxsey)
- mTLS: allow gRPC TLS for all in one #3854 (@wasaga)
- scripts: update get-envoy script to download all binaries #3886 (@calebdoxsey)
- urlutil: add time validation functions #3776 (@calebdoxsey)
Fixed
- autocert: use atomic pointer to allow nil #3816 (@calebdoxsey)
- config: add missing options #3882 (@calebdoxsey)
- config: generate derived certificates instead of self-signed certificates #3860 (@calebdoxsey)
- config: use insecure skip verify if derived certificates are not used #3861 (@calebdoxsey)
- dashboard: fix missing avatar and logout menu #3819 (@calebdoxsey)
- identity: fix expired session deletion #3855 (@calebdoxsey)
- jwt: require logged in user to return .pomerium/jwt #3807 (@calebdoxsey)
- oidc: fix token revocation #3810 (@calebdoxsey)
- postgres: return unknown records instead of skipping them #3876 (@calebdoxsey)
- proxy: fix sign out redirect #3827 (@calebdoxsey)
- storage: ignore removed fields when deserializing the data #3768 (@wasaga)
- webauthn: require session when accessing /.pomerium/webauthn #3814 (@calebdoxsey)
Dependency
- bump goreleaser to v4.1.1 #3919 (@backport-actions-token[bot])
- chore(deps): bump actions/cache from 3.0.11 to 3.2.2 #3851 (@dependabot[bot])
- chore(deps): bump actions/cache from 3.2.2 to 3.2.3 #3870 (@dependabot[bot])
- chore(deps): bump actions/checkout from 3.1.0 to 3.2.0 #3833 (@dependabot[bot])
- chore(deps): bump actions/checkout from 3.2.0 to 3.3.0 #3867 (@dependabot[bot])
- chore(deps): bump actions/download-artifact from 3.0.1 to 3.0.2 #3872 (@dependabot[bot])
- chore(deps): bump actions/setup-go from 3.3.1 to 3.4.0 #3788 (@dependabot[bot])
- chore(deps): bump actions/setup-go from 3.4.0 to 3.5.0 #3836 (@dependabot[bot])
- chore(deps): bump actions/setup-node from 3.5.1 to 3.6.0 #3869 (@dependabot[bot])
- chore(deps): bump actions/setup-python from 4.3.0 to 4.3.1 #3800 (@dependabot[bot])
- chore(deps): bump actions/setup-python from 4.3.1 to 4.4.0 #3834 (@dependabot[bot])
- chore(deps): bump actions/setup-python from 4.4.0 to 4.5.0 #3896 (@dependabot[bot])
- chore(deps): bump actions/stale from 5.1.1 to 6.0.1 #3790 (@dependabot[bot])
- chore(deps): bump actions/stale from 6.0.1 to 7.0.0 #3852 (@dependabot[bot])
- chore(deps): bump actions/upload-artifact from 3.1.1 to 3.1.2 #3871 (@dependabot[bot])
- chore(deps): bump alpine from
8914eb5
tof271e74
#3901 (@dependabot[bot]) - chore(deps): bump alpine from
b95359c
to8914eb5
#3802 (@dependabot[bot]) - chore(deps): bump alpine from
bc41182
tob95359c
#3751 (@dependabot[bot]) - chore(deps): bump azure/docker-login from 81744f9799e7eaa418697cb168452a2882ae844a to 1.0.1 #3770 (@dependabot[bot])
- chore(deps): bump debian from
7ca0fec
to12931ad
#3904 (@dependabot[bot]) - chore(deps): bump debian from
880aa5f
to7ca0fec
#3841 (@dependabot[bot]) - chore(deps): bump debian from
9583740
to880aa5f
#3803 (@dependabot[bot]) - chore(deps): bump distroless/base from
8848703
to8ee3d86
#3874 (@dependabot[bot]) - chore(deps): bump distroless/base from
8ee3d86
to9eeffdc
#3903 (@dependabot[bot]) - chore(deps): bump distroless/base from
9283685
to8848703
#3842 (@dependabot[bot]) - chore(deps): bump distroless/base from
cd1bf87
to9283685
#3804 (@dependabot[bot]) - chore(deps): bump docker/build-push-action from 3.2.0 to 3.3.0 #3894 (@dependabot[bot])
- chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.4 to 1.18.5 #3825 (@dependabot[bot])
- chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.5 to 1.18.7 #3838 (@dependabot[bot])
- chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.7 to 1.18.8 #3900 (@dependabot[bot])
- chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.29.5 to 1.29.6 #3847 (@dependabot[bot])
- chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.29.6 to 1.30.0 #3866 (@dependabot[bot])
- chore(deps): bump github.com/cenkalti/backoff/v4 from 4.1.3 to 4.2.0 #3756 (@dependabot[bot])
- chore(deps): bump github.com/cespare/xxhash/v2 from 2.1.2 to 2.2.0 #3786 (@dependabot[bot])
- chore(deps): bump github.com/cloudflare/circl from 1.3.0 to 1.3.1 #3831 (@dependabot[bot])
- chore(deps): bump github.com/coreos/go-oidc/v3 from 3.4.0 to 3.5.0 #3868 (@dependabot[bot])
- chore(deps): bump github.com/docker/docker from 20.10.21+incompatible to 20.10.22+incompatible #3839 (@dependabot[bot])
- chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.8.0 to 0.9.0 #3744 (@dependabot[bot])
- chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.9.0 to 0.9.1 #3798 (@dependabot[bot])
- chore(deps): bump github.com/go-chi/chi/v5 from 5.0.7 to 5.0.8 #3795 (@dependabot[bot])
- chore(deps): bump github.com/jackc/pgtype from 1.12.0 to 1.13.0 #3784 (@dependabot[bot])
- chore(deps): bump github.com/minio/minio-go/v7 from 7.0.39 to 7.0.45 #3796 (@dependabot[bot])
- chore(deps): bump github.com/minio/minio-go/v7 from 7.0.45 to 7.0.46 #3864 (@dependabot[bot])
- chore(deps): bump github.com/minio/minio-go/v7 from 7.0.46 to 7.0.47 #3899 (@dependabot[bot])
- chore(deps): bump github.com/open-policy-agent/opa from 0.46.1 to 0.47.0 #3782 (@dependabot[bot])
- chore(deps): bump github.com/open-policy-agent/opa from 0.47.0 to 0.47.3 #3824 (@dependabot[bot])
- chore(deps): bump github.com/open-policy-agent/opa from 0.47.3 to 0.47.4 #3832 (@dependabot[bot])
- chore(deps): bump github.com/open-policy-agent/opa from 0.47.4 to 0.48.0 #3898 (@dependabot[bot])
- chore(deps): bump github.com/prometheus/client_golang from 1.13.1 to 1.14.0 #3745 (@dependabot[bot])
- chore(deps): bump github.com/prometheus/common from 0.37.0 to 0.39.0 #3823 (@dependabot[bot])
- chore(deps): bump github.com/prometheus/procfs from 0.8.0 to 0.9.0 #3850 (@dependabot[bot])
- chore(deps): bump github.com/rs/cors from 1.8.2 to 1.8.3 #3848 (@dependabot[bot])
- chore(deps): bump github.com/shirou/gopsutil/v3 from 3.22.10 to 3.22.11 #3783 (@dependabot[bot])
- chore(deps): bump github.com/shirou/gopsutil/v3 from 3.22.11 to 3.22.12 #3849 (@dependabot[bot])
- chore(deps): bump github.com/shirou/gopsutil/v3 from 3.22.9 to 3.22.10 #3747 (@dependabot[bot])
- chore(deps): bump go.uber.org/zap from 1.23.0 to 1.24.0 #3785 (@dependabot[bot])
- chore(deps): bump golang from
e464bb0
to7c97bae
#3843 (@dependabot[bot]) - chore(deps): bump golang from 1.19.3-buster to 1.19.4-buster #3801 (@dependabot[bot])
- chore(deps): bump golang from 1.19.4-buster to 1.19.5-buster #3902 (@dependabot[bot])
- chore(deps): bump golang.org/x/crypto from 0.1.0 to 0.2.0 #3746 (@dependabot[bot])
- chore(deps): bump golang.org/x/crypto from 0.2.0 to 0.3.0 #3757 (@dependabot[bot])
- chore(deps): bump golang.org/x/crypto from 0.3.0 to 0.4.0 #3822 (@dependabot[bot])
- chore(deps): bump golang.org/x/crypto from 0.4.0 to 0.5.0 #3873 (@dependabot[bot])
- chore(deps): bump golang.org/x/net from 0.1.0 to 0.2.0 #3748 (@dependabot[bot])
- chore(deps): bump golang.org/x/net from 0.2.0 to 0.4.0 #3799 (@dependabot[bot])
- chore(deps): bump golang.org/x/net from 0.4.0 to 0.5.0 #3863 (@dependabot[bot])
- chore(deps): bump golang.org/x/oauth2 from 0.3.0 to 0.4.0 #3865 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.102.0 to 0.103.0 #3758 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.103.0 to 0.104.0 #3797 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.104.0 to 0.105.0 #3840 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.105.0 to 0.107.0 #3897 (@dependabot[bot])
- chore(deps): bump google.golang.org/grpc from 1.50.1 to 1.51.0 #3759 (@dependabot[bot])
- chore(deps): bump google.golang.org/grpc from 1.51.0 to 1.52.0 #3893 (@dependabot[bot])
- chore(deps): bump json5 from 2.2.0 to 2.2.3 in /ui #3853 (@dependabot[bot])
- chore(deps): bump luxon from 2.3.0 to 2.5.2 in /ui #3862 (@dependabot[bot])
- chore(deps): bump mikefarah/yq from 4.29.2 to 4.30.2 #3749 (@dependabot[bot])
- chore(deps): bump mikefarah/yq from 4.30.2 to 4.30.5 #3787 (@dependabot[bot])
- chore(deps): bump mikefarah/yq from 4.30.5 to 4.30.6 #3837 (@dependabot[bot])
- chore(deps): bump mikefarah/yq from 4.30.6 to 4.30.8 #3895 (@dependabot[bot])
- chore(deps): bump minimatch from 3.0.4 to 3.1.2 in /ui #3760 (@dependabot[bot])
- chore(deps): bump stefanzweifel/git-auto-commit-action from 4.15.4 to 4.16.0 #3791 (@dependabot[bot])
- chore(deps): bump tibdex/github-app-token from 1.6.0 to 1.7.0 #3789 (@dependabot[bot])
- postgres: upgrade to pgx v5 #3826 (@calebdoxsey)
- upgrade to golang-lru v2 #3771 (@calebdoxsey)
v0.20.1 (2023-05-26)
Security
- This release fixes a bug whereby specially crafted requests could result in incorrect authorization decisions made by Pomerium. CVE-2023-33189.
Changed
- autocert: use atomic pointer to allow nil by @backport-actions-token in https://github.com/pomerium/pomerium/pull/3817
- identity: fix expired session deletion by @backport-actions-token in https://github.com/pomerium/pomerium/pull/3857
- identity: fix nil reference error when there is no authenticator by @backport-actions-token in https://github.com/pomerium/pomerium/pull/3932
- jwt: require logged in user to return .pomerium/jwt by @backport-actions-token in https://github.com/pomerium/pomerium/pull/3809
- oidc: fix token revocation by @backport-actions-token in https://github.com/pomerium/pomerium/pull/3818
- postgres: return unknown records instead of skipping them (#3876) by @calebdoxsey in https://github.com/pomerium/pomerium/pull/3877
- storage: ignore removed fields when deserializing the data by @backport-actions-token in https://github.com/pomerium/pomerium/pull/3772
v0.20.0 (2022-11-14)
Breaking
- envoyconfig: add all routes to all filter chains #3596 (@calebdoxsey)
- groups via directory sync are no longer supported #3633 (@calebdoxsey)
Security
- httputil: remove error details #3703 (@calebdoxsey)
New
- authorize: fix user caching #3734 (@calebdoxsey)
- authorize: performance improvements #3723 (@calebdoxsey)
- config: disable Strict-Transport-Security when using a self-signed certificate #3743 (@calebdoxsey)
- config: generate cookie secret if not set in all-in-one mode #3742 (@calebdoxsey)
- config: default to http2 #3660 (@calebdoxsey)
- controlplane: move jwks.json endpoint to control plane #3691 (@calebdoxsey)
- postgres: increase record batch size #3708 (@calebdoxsey)
- sessions: check idp id to detect provider changes to force session invalidation #3707 (@calebdoxsey)
Fixed
- authenticate: get/set identity provider id for all sessions #3597 (@calebdoxsey)
- authorize: enforce service account expiration #3661 (@calebdoxsey)
- config: allow blank identity providers when loading sessions for service account support #3709 (@calebdoxsey)
- config: disable envoy admin by default, expose stats via envoy route #3677 (@calebdoxsey)
- controlplane: fix /.well-known/pomerium missing CORS headers #3738 (@calebdoxsey)
- fileutil: update watcher to use fsnotify and polling #3663 (@calebdoxsey)
- postgres: return an empty list of addresses on dns errors #3637 (@calebdoxsey)
- ppl: support special characters in claim keys #3639 (@calebdoxsey)
Changed
- add config option check logging #3722 (@wasaga)
- authenticate: remove ecjson #3688 (@calebdoxsey)
- authenticate: update user info dashboard to show group info for enterprise #3736 (@calebdoxsey)
- device: add generic methods for working with user+session devices #3710 (@calebdoxsey)
- envoyconfig: fix databroker health checks #3706 (@calebdoxsey)
- fix unused key warnings in routes #3711 (@wasaga)
- keep trace span context #3724 (@wasaga)
- postgres: handle unknown types #3632 (@calebdoxsey)
- test: use
T.TempDir
to create temporary test directory #3725 (@Juneezee) - upgrade envoy to v1.23.1 #3599 (@calebdoxsey)
Dependency
- bump Envoy to 1.23.2 #3739 (@wasaga)
- bump protoc to 3.21.7 #3646 (@wasaga)
- chore(deps): bump actions/cache from 3.0.10 to 3.0.11 #3671 (@dependabot[bot])
- chore(deps): bump actions/cache from 3.0.8 to 3.0.10 #3642 (@dependabot[bot])
- chore(deps): bump actions/checkout from 3.0.2 to 3.1.0 #3652 (@dependabot[bot])
- chore(deps): bump actions/download-artifact from 3.0.0 to 3.0.1 #3700 (@dependabot[bot])
- chore(deps): bump actions/setup-go from 3.3.0 to 3.3.1 #3681 (@dependabot[bot])
- chore(deps): bump actions/setup-node from 3.4.1 to 3.5.0 #3641 (@dependabot[bot])
- chore(deps): bump actions/setup-node from 3.5.0 to 3.5.1 #3672 (@dependabot[bot])
- chore(deps): bump actions/setup-python from 4.2.0 to 4.3.0 #3651 (@dependabot[bot])
- chore(deps): bump actions/upload-artifact from 3.1.0 to 3.1.1 #3698 (@dependabot[bot])
- chore(deps): bump alpine from
bc41182
tob95359c
#3751 (@dependabot[bot]) - chore(deps): bump debian from
1b1d158
to9583740
#3719 (@dependabot[bot]) - chore(deps): bump debian from
3d2aa50
to6005bd9
#3625 (@dependabot[bot]) - chore(deps): bump debian from
6005bd9
to1b1d158
#3656 (@dependabot[bot]) - chore(deps): bump distroless/base from
4689543
to6ef742b
#3654 (@dependabot[bot]) - chore(deps): bump distroless/base from
59fe963
to8a7afd5
#3627 (@dependabot[bot]) - chore(deps): bump distroless/base from
65afaf8
to59fe963
#3616 (@dependabot[bot]) - chore(deps): bump distroless/base from
6ef742b
to9681f07
#3676 (@dependabot[bot]) - chore(deps): bump distroless/base from
856944e
tocd1bf87
#3732 (@dependabot[bot]) - chore(deps): bump distroless/base from
8a7afd5
to4689543
#3647 (@dependabot[bot]) - chore(deps): bump distroless/base from
9681f07
to856944e
#3702 (@dependabot[bot]) - chore(deps): bump docker/build-push-action from 3.1.1 to 3.2.0 #3673 (@dependabot[bot])
- chore(deps): bump docker/login-action from 2.0.0 to 2.1.0 #3682 (@dependabot[bot])
- chore(deps): bump docker/setup-buildx-action from 2.0.0 to 2.2.1 #3679 (@dependabot[bot])
- chore(deps): bump docker/setup-qemu-action from 2.0.0 to 2.1.0 #3675 (@dependabot[bot])
- chore(deps): bump github.com/caddyserver/certmagic from 0.16.3 to 0.17.0 #3604 (@dependabot[bot])
- chore(deps): bump github.com/caddyserver/certmagic from 0.17.0 to 0.17.1 #3619 (@dependabot[bot])
- chore(deps): bump github.com/caddyserver/certmagic from 0.17.1 to 0.17.2 #3644 (@dependabot[bot])
- chore(deps): bump github.com/coreos/go-oidc/v3 from 3.2.0 to 3.3.0 #3605 (@dependabot[bot])
- chore(deps): bump github.com/coreos/go-oidc/v3 from 3.3.0 to 3.4.0 #3612 (@dependabot[bot])
- chore(deps): bump github.com/docker/docker from 20.10.17+incompatible to 20.10.18+incompatible #3614 (@dependabot[bot])
- chore(deps): bump github.com/docker/docker from 20.10.18+incompatible to 20.10.19+incompatible #3666 (@dependabot[bot])
- chore(deps): bump github.com/docker/docker from 20.10.19+incompatible to 20.10.20+incompatible #3694 (@dependabot[bot])
- chore(deps): bump github.com/docker/docker from 20.10.20+incompatible to 20.10.21+incompatible #3712 (@dependabot[bot])
- chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.6.10 to 0.6.13 #3648 (@dependabot[bot])
- chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.6.13 to 0.8.0 #3731 (@dependabot[bot])
- chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.6.7 to 0.6.8 #3624 (@dependabot[bot])
- chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.6.8 to 0.6.10 #3630 (@dependabot[bot])
- chore(deps): bump github.com/fsnotify/fsnotify from 1.5.4 to 1.6.0 #3713 (@dependabot[bot])
- chore(deps): bump github.com/golangci/golangci-lint from 1.48.0 to 1.50.0 #3667 (@dependabot[bot])
- chore(deps): bump github.com/golangci/golangci-lint from 1.50.0 to 1.50.1 #3697 (@dependabot[bot])
- chore(deps): bump github.com/google/go-cmp from 0.5.8 to 0.5.9 #3611 (@dependabot[bot])
- chore(deps): bump github.com/google/go-jsonnet from 0.18.0 to 0.19.1 #3715 (@dependabot[bot])
- chore(deps): bump github.com/jackc/pgx/v4 from 4.17.1 to 4.17.2 #3603 (@dependabot[bot])
- chore(deps): bump github.com/open-policy-agent/opa from 0.43.0 to 0.44.0 #3620 (@dependabot[bot])
- chore(deps): bump github.com/open-policy-agent/opa from 0.44.0 to 0.45.0 #3650 (@dependabot[bot])
- chore(deps): bump github.com/open-policy-agent/opa from 0.45.0 to 0.46.1 #3729 (@dependabot[bot])
- chore(deps): bump github.com/openzipkin/zipkin-go from 0.4.0 to 0.4.1 #3668 (@dependabot[bot])
- chore(deps): bump github.com/prometheus/client_model from 0.2.0 to 0.3.0 #3696 (@dependabot[bot])
- chore(deps): bump github.com/shirou/gopsutil/v3 from 3.22.7 to 3.22.8 #3606 (@dependabot[bot])
- chore(deps): bump github.com/shirou/gopsutil/v3 from 3.22.8 to 3.22.9 #3643 (@dependabot[bot])
- chore(deps): bump github.com/spf13/viper from 1.12.0 to 1.13.0 #3613 (@dependabot[bot])
- chore(deps): bump github.com/spf13/viper from 1.13.0 to 1.14.0 #3728 (@dependabot[bot])
- chore(deps): bump github.com/stretchr/testify from 1.8.0 to 1.8.1 #3695 (@dependabot[bot])
- chore(deps): bump github.com/VictoriaMetrics/fastcache from 1.10.0 to 1.12.0 #3623 (@dependabot[bot])
- chore(deps): bump go.opencensus.io from 0.23.0 to 0.24.0 #3727 (@dependabot[bot])
- chore(deps): bump golang from
403f389
tob448089
#3718 (@dependabot[bot]) - chore(deps): bump golang from
d71125b
to4b2498d
#3626 (@dependabot[bot]) - chore(deps): bump golang from 1.19.0-buster to 1.19.1-buster #3617 (@dependabot[bot])
- chore(deps): bump golang from 1.19.1-buster to 1.19.2-buster #3655 (@dependabot[bot])
- chore(deps): bump golang from 1.19.2-buster to 1.19.3-buster #3733 (@dependabot[bot])
- chore(deps): bump golang.org/x/net from 0.1.0 to 0.2.0 #3748 (@dependabot[bot])
- chore(deps): bump google-github-actions/setup-gcloud from 0.6.0 to 0.6.2 #3674 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.100.0 to 0.101.0 #3714 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.94.0 to 0.95.0 #3618 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.95.0 to 0.96.0 #3622 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.96.0 to 0.97.0 #3629 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.97.0 to 0.98.0 #3645 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.98.0 to 0.99.0 #3670 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.99.0 to 0.100.0 #3693 (@dependabot[bot])
- chore(deps): bump google.golang.org/grpc from 1.49.0 to 1.50.0 #3649 (@dependabot[bot])
- chore(deps): bump google.golang.org/grpc from 1.50.0 to 1.50.1 #3669 (@dependabot[bot])
- chore(deps): bump goreleaser/goreleaser-action from 3.1.0 to 3.2.0 #3680 (@dependabot[bot])
- chore(deps): bump mikefarah/yq from 4.27.3 to 4.27.5 #3615 (@dependabot[bot])
- chore(deps): bump mikefarah/yq from 4.27.5 to 4.28.1 #3653 (@dependabot[bot])
- chore(deps): bump mikefarah/yq from 4.28.1 to 4.28.2 #3690 (@dependabot[bot])
- chore(deps): bump mikefarah/yq from 4.28.2 to 4.29.2 #3717 (@dependabot[bot])
- chore(deps): bump stefanzweifel/git-auto-commit-action from 4.14.1 to 4.15.0 #3631 (@dependabot[bot])
- chore(deps): bump stefanzweifel/git-auto-commit-action from 4.15.0 to 4.15.1 #3658 (@dependabot[bot])
- chore(deps): bump stefanzweifel/git-auto-commit-action from 4.15.1 to 4.15.2 #3699 (@dependabot[bot])
- chore(deps): bump stefanzweifel/git-auto-commit-action from 4.15.2 to 4.15.3 #3716 (@dependabot[bot])
- chore(deps): bump stefanzweifel/git-auto-commit-action from 4.15.3 to 4.15.4 #3726 (@dependabot[bot])
v0.19.2 (2023-05-26)
Security
- This release fixes a bug whereby specially crafted requests could result in incorrect authorization decisions made by Pomerium. CVE-2023-33189.
Changed
- authorize: enforce service account expiration by @backport-actions-token in https://github.com/pomerium/pomerium/pull/3662
- config: disable envoy admin by default, expose stats via envoy route by @backport-actions-token in https://github.com/pomerium/pomerium/pull/3684
- fileutil: update watcher to use fsnotify and polling (#3663) by @calebdoxsey in https://github.com/pomerium/pomerium/pull/3685
- httputil: remove error details by @backport-actions-token in https://github.com/pomerium/pomerium/pull/3705
- postgres: return an empty list of addresses on dns errors by @backport-actions-token in https://github.com/pomerium/pomerium/pull/3638
- ppl: support special characters in claim keys by @backport-actions-token in https://github.com/pomerium/pomerium/pull/3640
v0.19.1 (2022-09-08)
Changed
c0a88707
authenticate: get/set identity provider id for all sessions (#3608)c3ef43cd
upgrade envoy to v1.23.1 (#3600)
Docker images
docker pull pomerium/pomerium:v0.19.1
docker pull pomerium/pomerium:nonroot-v0.19.1
docker pull pomerium/pomerium:debug-v0.19.1
docker pull pomerium/pomerium:debug-nonroot-v0.19.1
v0.19.0 (2022-09-01)
New
- add the traces error details #3557 (@nhayfield)
- authorize: add policy error details for custom error messages #3542 (@calebdoxsey)
- autocert: add support for ACME TLS-ALPN #3590 (@calebdoxsey)
- config: add branding settings #3558 (@calebdoxsey)
- controlplane: add well-known endpoint to the controlplane http handler #3555 (@calebdoxsey)
- Dynamic style changes #3544 (@nhayfield)
- envoy: upgrade to 1.23.0 #3560 (@calebdoxsey)
- envoyconfig: add virtual host domains for certificates in addition to routes #3593 (@calebdoxsey)
Fixed
- add front end support for optional first paragraph of markdown on err... #3546 (@nhayfield)
- atomicutil: use atomicutil.Value wherever possible #3517 (@calebdoxsey)
- authenticate: add CORS headers to jwks endpoint #3574 (@calebdoxsey)
- authenticate: fix branding for webauthn device registration page #3572 (@calebdoxsey)
- authorize: handle user-unauthenticated response for deny blocks #3559 (@calebdoxsey)
- envoyconfig: add authority header to outbound gRPC requests #3545 (@calebdoxsey)
- Fix typos #3575 (@alexrudd2)
- postgres: remove not null constraint on data column of record changes table #3594 (@calebdoxsey)
- publish to any-distro #3570 (@calebdoxsey)
- sets: convert set types to generics #3519 (@calebdoxsey)
- Update README.md #3569 (@cmo-pomerium)
Dependency
- chore(deps): bump actions/cache from 3.0.5 to 3.0.6 #3537 (@dependabot[bot])
- chore(deps): bump actions/cache from 3.0.6 to 3.0.7 #3552 (@dependabot[bot])
- chore(deps): bump actions/cache from 3.0.7 to 3.0.8 #3565 (@dependabot[bot])
- chore(deps): bump actions/setup-go from 3.2.1 to 3.3.0 #3583 (@dependabot[bot])
- chore(deps): bump actions/setup-python from 4.1.0 to 4.2.0 #3535 (@dependabot[bot])
- chore(deps): bump actions/stale from 5.1.0 to 5.1.1 #3513 (@dependabot[bot])
- chore(deps): bump alpine from
6af1b11
to7580ece
#3512 (@dependabot[bot]) - chore(deps): bump alpine from
7580ece
tobc41182
#3553 (@dependabot[bot]) - chore(deps): bump contrib.go.opencensus.io/exporter/prometheus from 0.4.1 to 0.4.2 #3586 (@dependabot[bot])
- chore(deps): bump debian from
1c34464
to4567e1e
#3508 (@dependabot[bot]) - chore(deps): bump debian from
4567e1e
tob9b1f4a
#3538 (@dependabot[bot]) - chore(deps): bump debian from
b9b1f4a
to3d2aa50
#3588 (@dependabot[bot]) - chore(deps): bump distroless/base from
3a62194
toec73486
#3554 (@dependabot[bot]) - chore(deps): bump distroless/base from
d6db599
to3a62194
#3511 (@dependabot[bot]) - chore(deps): bump distroless/base from
ec73486
to65afaf8
#3568 (@dependabot[bot]) - chore(deps): bump docker/build-push-action from 3.1.0 to 3.1.1 #3536 (@dependabot[bot])
- chore(deps): bump github.com/caddyserver/certmagic from 0.16.0 to 0.16.2 #3532 (@dependabot[bot])
- chore(deps): bump github.com/caddyserver/certmagic from 0.16.2 to 0.16.3 #3563 (@dependabot[bot])
- chore(deps): bump github.com/golangci/golangci-lint from 1.46.2 to 1.47.2 #3499 (@dependabot[bot])
- chore(deps): bump github.com/golangci/golangci-lint from 1.47.2 to 1.47.3 #3522 (@dependabot[bot])
- chore(deps): bump github.com/golangci/golangci-lint from 1.47.3 to 1.48.0 #3541 (@dependabot[bot])
- chore(deps): bump github.com/jackc/pgx/v4 from 4.16.1 to 4.17.0 #3533 (@dependabot[bot])
- chore(deps): bump github.com/jackc/pgx/v4 from 4.17.0 to 4.17.1 #3582 (@dependabot[bot])
- chore(deps): bump github.com/open-policy-agent/opa from 0.42.2 to 0.43.0 #3523 (@dependabot[bot])
- chore(deps): bump github.com/peterbourgon/ff/v3 from 3.1.2 to 3.3.0 #3540 (@dependabot[bot])
- chore(deps): bump github.com/prometheus/client_golang from 1.12.2 to 1.13.0 #3530 (@dependabot[bot])
- chore(deps): bump github.com/prometheus/procfs from 0.7.3 to 0.8.0 #3516 (@dependabot[bot])
- chore(deps): bump github.com/rs/zerolog from 1.27.0 to 1.28.0 #3587 (@dependabot[bot])
- chore(deps): bump github.com/shirou/gopsutil/v3 from 3.22.6 to 3.22.7 #3524 (@dependabot[bot])
- chore(deps): bump go.uber.org/zap from 1.21.0 to 1.22.0 #3551 (@dependabot[bot])
- chore(deps): bump go.uber.org/zap from 1.22.0 to 1.23.0 #3581 (@dependabot[bot])
- chore(deps): bump golang from
6960d62
to477b10a
#3527 (@dependabot[bot]) - chore(deps): bump golang from
a7a23f1
tod84495e
#3589 (@dependabot[bot]) - chore(deps): bump golang from 1.18-buster to 1.18.4-buster #3509 (@dependabot[bot])
- chore(deps): bump golang from 1.18.4-buster to 1.19.0-buster #3539 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.88.0 to 0.89.0 #3514 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.89.0 to 0.90.0 #3525 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.90.0 to 0.91.0 #3531 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.91.0 to 0.92.0 #3550 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.92.0 to 0.93.0 #3562 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.93.0 to 0.94.0 #3580 (@dependabot[bot])
- chore(deps): bump google.golang.org/grpc from 1.48.0 to 1.49.0 #3579 (@dependabot[bot])
- chore(deps): bump google.golang.org/protobuf from 1.28.0 to 1.28.1 #3515 (@dependabot[bot])
- chore(deps): bump goreleaser/goreleaser-action from 3.0.0 to 3.1.0 #3585 (@dependabot[bot])
- chore(deps): bump mikefarah/yq from 4.26.1 to 4.27.2 #3526 (@dependabot[bot])
- chore(deps): bump mikefarah/yq from 4.27.2 to 4.27.3 #3584 (@dependabot[bot])
- chore(deps): bump pomerium/backport from a2e620de9fc4166f774ee2a389e170046cfad426 to 1.1.1 #3564 (@dependabot[bot])
- chore(deps): bump pre-commit/action from 876132a3c26aa072b09eab6c5395b4749eeb2435 to 3.0.0 #3567 (@dependabot[bot])
- chore(deps): bump tibdex/github-app-token from 1.5.1 to 1.6 #3566 (@dependabot[bot])
- deployment: update RELEASING.md #3503 (@desimone)
v0.18.1 (2023-05-26)
Security
- This release fixes a bug whereby specially crafted requests could result in incorrect authorization decisions made by Pomerium. CVE-2023-33189.
Changed
- publish to any-distro (#3570) by @calebdoxsey in https://github.com/pomerium/pomerium/pull/3571
- postgres: remove not null constraint on data column of record changes table by @backport-actions-token in https://github.com/pomerium/pomerium/pull/3595
v0.18.0 (2022-07-27)
New
- add databroker multi lease handlers #3255 (@wasaga)
- add lease name to the log #3498 (@wasaga)
- add metrics aggregation #3452 (@wasaga)
- add x-request-id in responses #3366 (@wasaga)
- allow pomerium to be embedded as a library #3415 (@wasaga)
- authenticate: allow changing the authenticate service URL at runtime #3378 (@calebdoxsey)
- authenticate: show the device enrolled page as the user info page #3151 (@calebdoxsey)
- authorize: add name claim #3238 (@calebdoxsey)
- authorize: track session and service account access date #3220 (@calebdoxsey)
- authorize: use query instead of sync for databroker data #3377 (@calebdoxsey)
- databroker: add support for field masks on Put #3210 (@calebdoxsey)
- databroker: add support for putting multiple records #3291 (@calebdoxsey)
- databroker: add support for query filtering #3369 (@calebdoxsey)
- databroker: add support for syncing by type #3412 (@calebdoxsey)
- directory: support non-base64 encoded service accounts #3150 (@calebdoxsey)
- do not require idp set in the bootstrap config, as it may be later configured via the databroker #3386 (@wasaga)
- eliminate global events manager #3422 (@wasaga)
- envoy: upgrade to 1.21.1 #3186 (@calebdoxsey)
- envoy: use typed extension protocol options for static bootstrap cluster #3268 (@calebdoxsey)
- Expand PR template #3403 (@alexfornuto)
- github: pin github actions #3183 (@calebdoxsey)
- grpc: regenerate protobuf code #3208 (@calebdoxsey)
- grpc: wait for connect to be ready before making calls #3253 (@calebdoxsey)
- identity: batch directory updates #3411 (@calebdoxsey)
- integration: add test for query string params #3302 (@calebdoxsey)
- postgres: databroker storage backend #3370 (@calebdoxsey)
- postgres: registry support #3454 (@calebdoxsey)
- storage: add filter expressions, upgrade go to 1.18.1 #3365 (@calebdoxsey)
- storage: add filtering to SyncLatest #3368 (@calebdoxsey)
- try pinning docker dependency #3185 (@calebdoxsey)
- ui: remove version #3184 (@calebdoxsey)
Fixed
- authenticate: fix debug and metrics endpoints #3212 (@calebdoxsey)
- authenticate: fix internal service URL CORS check #3279 (@calebdoxsey)
- authenticate: fix internal service URL dashboard redirect #3305 (@calebdoxsey)
- authenticate: fix internal url with webauthn #3194 (@calebdoxsey)
- authenticate: save session for bare webauthn redirects, consider external service URL to be a pomerium url #3280 (@calebdoxsey)
- authorize: add request id to context #3497 (@calebdoxsey)
- authorize: allow missing user for authorization #3421 (@calebdoxsey)
- authorize: fix device synchronization #3482 (@calebdoxsey)
- authorize: fix not found check #3410 (@calebdoxsey)
- authorize: fix x-forwarded-uri #3479 (@calebdoxsey)
- authorize: pass idp id for webauthn url, allow unauthenticated access to static files #3282 (@calebdoxsey)
- authorize: show plain text error page for traefik and nginx #3477 (@calebdoxsey)
- autocert: continue on error #3476 (@calebdoxsey)
- config: fix DefaultTransport so it is still a *http.Transport #3257 (@calebdoxsey)
- databroker: fix in-memory backend deadlock #3300 (@calebdoxsey)
- deployment: update syntax installing
dlv
in debug image #3179 (@travisgroth) - device enrollment: fix ip address #3430 (@calebdoxsey)
- envoyconfig: prevent nil reproxy handler #3345 (@wasaga)
- fix: close the ticker after opened #3318 (@clwluvw)
- fix: The built binary file is missing "ui/dist/index.js" and "ui/dist... #3391 (@cfanbo)
- github: fix missing groups #3171 (@calebdoxsey)
- httputil/reproxy: fix policy transport #3322 (@calebdoxsey)
- options: fix overlapping certificate test #3492 (@calebdoxsey)
- postgres: fix CIDR query #3389 (@calebdoxsey)
- postgres: fix record deletion #3446 (@calebdoxsey)
- userinfo: embed assets as data URLs for forward auth #3460 (@calebdoxsey)
- userinfo: fix missing profile picture #3154 (@calebdoxsey)
Dependency
- bump envoy to 1.21.3 #3413 (@wasaga)
- chore(deps): bump actions/cache from 2 to 3 #3167 (@dependabot[bot])
- chore(deps): bump actions/cache from 3.0.0 to 3.0.1 #3235 (@dependabot[bot])
- chore(deps): bump actions/cache from 3.0.1 to 3.0.2 #3265 (@dependabot[bot])
- chore(deps): bump actions/cache from 3.0.2 to 3.0.3 #3399 (@dependabot[bot])
- chore(deps): bump actions/cache from 3.0.3 to 3.0.4 #3440 (@dependabot[bot])
- chore(deps): bump actions/cache from 3.0.4 to 3.0.5 #3489 (@dependabot[bot])
- chore(deps): bump actions/checkout from 3.0.0 to 3.0.1 #3275 (@dependabot[bot])
- chore(deps): bump actions/checkout from 3.0.1 to 3.0.2 #3297 (@dependabot[bot])
- chore(deps): bump actions/download-artifact from 2.1.0 to 3 #3202 (@dependabot[bot])
- chore(deps): bump actions/setup-go from 2.2.0 to 3 #3204 (@dependabot[bot])
- chore(deps): bump actions/setup-go from 3.0.0 to 3.1.0 #3362 (@dependabot[bot])
- chore(deps): bump actions/setup-go from 3.1.0 to 3.2.0 #3384 (@dependabot[bot])
- chore(deps): bump actions/setup-go from 3.2.0 to 3.2.1 #3470 (@dependabot[bot])
- chore(deps): bump actions/setup-node from 3.0.0 to 3.1.0 #3236 (@dependabot[bot])
- chore(deps): bump actions/setup-node from 3.1.0 to 3.1.1 #3267 (@dependabot[bot])
- chore(deps): bump actions/setup-node from 3.1.1 to 3.2.0 #3363 (@dependabot[bot])
- chore(deps): bump actions/setup-node from 3.2.0 to 3.3.0 #3400 (@dependabot[bot])
- chore(deps): bump actions/setup-node from 3.3.0 to 3.4.0 #3471 (@dependabot[bot])
- chore(deps): bump actions/setup-node from 3.4.0 to 3.4.1 #3490 (@dependabot[bot])
- chore(deps): bump actions/setup-python from 3.0.0 to 3.1.0 #3234 (@dependabot[bot])
- chore(deps): bump actions/setup-python from 3.1.0 to 3.1.2 #3266 (@dependabot[bot])
- chore(deps): bump actions/setup-python from 3.1.2 to 4 #3439 (@dependabot[bot])
- chore(deps): bump actions/setup-python from 4.0.0 to 4.1.0 #3472 (@dependabot[bot])
- chore(deps): bump actions/stale from 5.0.0 to 5.1.0 #3488 (@dependabot[bot])
- chore(deps): bump actions/upload-artifact from 2.3.1 to 3 #3203 (@dependabot[bot])
- chore(deps): bump actions/upload-artifact from 3.0.0 to 3.1.0 #3374 (@dependabot[bot])
- chore(deps): bump async from 2.6.3 to 2.6.4 #3278 (@dependabot[bot])
- chore(deps): bump contrib.go.opencensus.io/exporter/prometheus from 0.4.0 to 0.4.1 #3164 (@dependabot[bot])
- chore(deps): bump docker/build-push-action from 2.10.0 to 3 #3336 (@dependabot[bot])
- chore(deps): bump docker/build-push-action from 3.0.0 to 3.1.0 #3501 (@dependabot[bot])
- chore(deps): bump docker/login-action from 1.14.1 to 2 #3338 (@dependabot[bot])
- chore(deps): bump docker/setup-buildx-action from 1.6.0 to 1.7.0 #3317 (@dependabot[bot])
- chore(deps): bump docker/setup-buildx-action from 1.7.0 to 2 #3337 (@dependabot[bot])
- chore(deps): bump docker/setup-qemu-action from 1.2.0 to 2 #3339 (@dependabot[bot])
- chore(deps): bump eventsource from 1.1.0 to 1.1.1 #3388 (@dependabot[bot])
- chore(deps): bump github.com/caddyserver/certmagic from 0.15.3 to 0.15.4 #3143 (@dependabot[bot])
- chore(deps): bump github.com/caddyserver/certmagic from 0.15.4 to 0.16.0 #3198 (@dependabot[bot])
- chore(deps): bump github.com/cenkalti/backoff/v4 from 4.1.2 to 4.1.3 #3264 (@dependabot[bot])
- chore(deps): bump github.com/coreos/go-oidc/v3 from 3.1.0 to 3.2.0 #3360 (@dependabot[bot])
- chore(deps): bump github.com/docker/docker from 20.10.12+incompatible to 20.10.13+incompatible #3142 (@dependabot[bot])
- chore(deps): bump github.com/docker/docker from 20.10.13+incompatible to 20.10.14+incompatible #3199 (@dependabot[bot])
- chore(deps): bump github.com/docker/docker from 20.10.14+incompatible to 20.10.15+incompatible #3335 (@dependabot[bot])
- chore(deps): bump github.com/docker/docker from 20.10.15+incompatible to 20.10.16+incompatible #3359 (@dependabot[bot])
- chore(deps): bump github.com/docker/docker from 20.10.16+incompatible to 20.10.17+incompatible #3417 (@dependabot[bot])
- chore(deps): bump github.com/fsnotify/fsnotify from 1.5.1 to 1.5.4 #3312 (@dependabot[bot])
- chore(deps): bump github.com/go-redis/redis/v8 from 8.11.4 to 8.11.5 #3166 (@dependabot[bot])
- chore(deps): bump github.com/golangci/golangci-lint from 1.44.2 to 1.45.0 #3162 (@dependabot[bot])
- chore(deps): bump github.com/golangci/golangci-lint from 1.45.0 to 1.45.2 #3200 (@dependabot[bot])
- chore(deps): bump github.com/golangci/golangci-lint from 1.45.2 to 1.46.0 #3334 (@dependabot[bot])
- chore(deps): bump github.com/golangci/golangci-lint from 1.46.0 to 1.46.1 #3357 (@dependabot[bot])
- chore(deps): bump github.com/golangci/golangci-lint from 1.46.1 to 1.46.2 #3373 (@dependabot[bot])
- chore(deps): bump github.com/google/btree from 1.0.1 to 1.1.1 #3402 (@dependabot[bot])
- chore(deps): bump github.com/google/btree from 1.1.1 to 1.1.2 #3434 (@dependabot[bot])
- chore(deps): bump github.com/google/go-cmp from 0.5.7 to 0.5.8 #3315 (@dependabot[bot])
- chore(deps): bump github.com/martinlindhe/base36 from 1.1.0 to 1.1.1 #3437 (@dependabot[bot])
- chore(deps): bump github.com/mholt/acmez from 1.0.2 to 1.0.3 #3469 (@dependabot[bot])
- chore(deps): bump github.com/mitchellh/mapstructure from 1.4.3 to 1.5.0 #3292 (@dependabot[bot])
- chore(deps): bump github.com/open-policy-agent/opa from 0.38.0 to 0.38.1 #3144 (@dependabot[bot])
- chore(deps): bump github.com/open-policy-agent/opa from 0.38.1 to 0.39.0 #3232 (@dependabot[bot])
- chore(deps): bump github.com/open-policy-agent/opa from 0.39.0 to 0.40.0 #3311 (@dependabot[bot])
- chore(deps): bump github.com/open-policy-agent/opa from 0.40.0 to 0.41.0 #3395 (@dependabot[bot])
- chore(deps): bump github.com/open-policy-agent/opa from 0.41.0 to 0.42.1 #3468 (@dependabot[bot])
- chore(deps): bump github.com/open-policy-agent/opa from 0.42.1 to 0.42.2 #3483 (@dependabot[bot])
- chore(deps): bump github.com/ory/dockertest/v3 from 3.8.1 to 3.9.1 #3381 (@dependabot[bot])
- chore(deps): bump github.com/prometheus/client_golang from 1.12.1 to 1.12.2 #3358 (@dependabot[bot])
- chore(deps): bump github.com/prometheus/common from 0.32.1 to 0.33.0 #3230 (@dependabot[bot])
- chore(deps): bump github.com/prometheus/common from 0.33.0 to 0.34.0 #3298 (@dependabot[bot])
- chore(deps): bump github.com/prometheus/common from 0.34.0 to 0.35.0 #3438 (@dependabot[bot])
- chore(deps): bump github.com/prometheus/common from 0.35.0 to 0.37.0 #3486 (@dependabot[bot])
- chore(deps): bump github.com/rs/zerolog from 1.26.1 to 1.27.0 #3418 (@dependabot[bot])
- chore(deps): bump github.com/shirou/gopsutil/v3 from 3.22.2 to 3.22.3 #3231 (@dependabot[bot])
- chore(deps): bump github.com/shirou/gopsutil/v3 from 3.22.3 to 3.22.4 #3313 (@dependabot[bot])
- chore(deps): bump github.com/shirou/gopsutil/v3 from 3.22.4 to 3.22.5 #3396 (@dependabot[bot])
- chore(deps): bump github.com/shirou/gopsutil/v3 from 3.22.5 to 3.22.6 #3464 (@dependabot[bot])
- chore(deps): bump github.com/spf13/viper from 1.10.1 to 1.11.0 #3273 (@dependabot[bot])
- chore(deps): bump github.com/spf13/viper from 1.11.0 to 1.12.0 #3380 (@dependabot[bot])
- chore(deps): bump github.com/stretchr/testify from 1.7.0 to 1.7.1 #3165 (@dependabot[bot])
- chore(deps): bump github.com/stretchr/testify from 1.7.1 to 1.7.2 #3397 (@dependabot[bot])
- chore(deps): bump github.com/stretchr/testify from 1.7.2 to 1.7.3 #3435 (@dependabot[bot])
- chore(deps): bump github.com/stretchr/testify from 1.7.3 to 1.7.5 #3448 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.70.0 to 0.72.0 #3152 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.72.0 to 0.73.0 #3163 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.73.0 to 0.74.0 #3233 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.74.0 to 0.75.0 #3296 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.75.0 to 0.77.0 #3314 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.77.0 to 0.79.0 #3347 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.79.0 to 0.80.0 #3372 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.80.0 to 0.81.0 #3382 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.81.0 to 0.82.0 #3401 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.82.0 to 0.83.0 #3416 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.83.0 to 0.84.0 #3436 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.84.0 to 0.85.0 #3447 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.85.0 to 0.86.0 #3463 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.86.0 to 0.87.0 #3484 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.87.0 to 0.88.0 #3500 (@dependabot[bot])
- chore(deps): bump google.golang.org/grpc from 1.44.0 to 1.45.0 #3141 (@dependabot[bot])
- chore(deps): bump google.golang.org/grpc from 1.45.0 to 1.46.0 #3294 (@dependabot[bot])
- chore(deps): bump google.golang.org/grpc from 1.46.0 to 1.46.2 #3361 (@dependabot[bot])
- chore(deps): bump google.golang.org/grpc from 1.46.2 to 1.47.0 #3393 (@dependabot[bot])
- chore(deps): bump google.golang.org/grpc from 1.47.0 to 1.48.0 #3487 (@dependabot[bot])
- chore(deps): bump google.golang.org/protobuf from 1.27.1 to 1.28.0 #3197 (@dependabot[bot])
- chore(deps): bump gopkg.in/yaml.v3 from 3.0.0 to 3.0.1 #3394 (@dependabot[bot])
- chore(deps): bump goreleaser/goreleaser-action from 2.9.1 to 3 #3375 (@dependabot[bot])
- chore(deps): bump jandelgado/gcov2lcov-action from 1.0.8 to 1.0.9 #3376 (@dependabot[bot])
- chore(deps): bump jandelgado/gcov2lcov-action from fc567b789b78d676959759edfb9b7a30e884fc1d to 1.0.9 #3385 (@dependabot[bot])
- chore(deps): bump mikefarah/yq from 4.21.1 to 4.22.1 #3145 (@dependabot[bot])
- chore(deps): bump mikefarah/yq from 4.22.1 to 4.23.1 #3168 (@dependabot[bot])
- chore(deps): bump mikefarah/yq from 4.23.1 to 4.24.2 #3201 (@dependabot[bot])
- chore(deps): bump mikefarah/yq from 4.24.2 to 4.24.5 #3276 (@dependabot[bot])
- chore(deps): bump mikefarah/yq from 4.24.5 to 4.25.1 #3316 (@dependabot[bot])
- chore(deps): bump mikefarah/yq from 4.25.1 to 4.25.2 #3383 (@dependabot[bot])
- chore(deps): bump mikefarah/yq from 4.25.2 to 4.25.3 #3449 (@dependabot[bot])
- chore(deps): bump mikefarah/yq from 4.25.3 to 4.26.1 #3491 (@dependabot[bot])
- chore(deps): bump minimist from 1.2.5 to 1.2.6 #3189 (@dependabot[bot])
- chore(deps): bump minimist from 1.2.5 to 1.2.6 in /ui #3188 (@dependabot[bot])
- chore(deps): bump stefanzweifel/git-auto-commit-action from 4.14.0 to 4.14.1 #3274 (@dependabot[bot])
- deps: bump backport action version #3224 (@travisgroth)
- use generic version of btree #3404 (@wasaga)
Changes
- Allow docs changes without review #3242 (@alexfornuto)
- ci: use forked backport to copy original PR labels #3223 (@travisgroth)
- databroker: support rotating shared secret #3502 (@calebdoxsey)
- deployment: remove vals based entrypoint #3254 (@travisgroth)
- deployment: remove vals based entrypoint #3254 (@travisgroth)
- docs: fix a typo in auth0 config example #3332 (@imlonghao)
- docs: update changelog and upgrade notes for enterprise v0.17 #3105 (@travisgroth)
- github-actions: build docker platforms together #3426 (@calebdoxsey)
- replace fmt.Sprintf with net.JoinHostPort #3407 (@cfanbo)
- Revert "databroker: add support for field masks on Put" #3217 (@calebdoxsey)
- Revert "userinfo: embed assets as data URLs for forward auth" #3474 (@calebdoxsey)
v0.17.4 (2023-05-26)
Security
- This release fixes a bug whereby specially crafted requests could result in incorrect authorization decisions made by Pomerium. CVE-2023-33189.
v0.17.3 (2023-05-05)
Changes
- authenticate: fix internal service URL CORS check by @calebdoxsey in https://github.com/pomerium/pomerium/pull/3328
- authenticate: fix internal service URL dashboard redirect by @calebdoxsey in https://github.com/pomerium/pomerium/pull/3306
- DOCS: Add device identity video https://github.com/pomerium/pomerium/pull/3307
- DOCS: Update changelog https://github.com/pomerium/pomerium/pull/3308
- DOCS: update helm values file https://github.com/pomerium/pomerium/pull/3287
- fix: close the ticker after opened by @clwluvw https://github.com/pomerium/pomerium/pull/3323
- httputil/reproxy: fix policy transport by @calebdoxsey https://github.com/pomerium/pomerium/pull/3324
- Update docs for supported Ingress annotations https://github.com/pomerium/pomerium/pull/3325
Full Changelog: https://github.com/pomerium/pomerium/compare/v0.17.2...v0.17.3
v0.17.2 (2022-04-22)
Fixed
- Add UUID to docs yaml blocks (#3251) [#3259] (@alexfornuto)
- authorize: pass idp id for webauthn url, allow unauthenticated access to static files [#3284] (@calebdoxsey)
- config: fix DefaultTransport so it is still a *http.Transport [#3260] (@calebdoxsey)
Dependency
- chore(deps): bump actions/setup-python from 3.1.0 to 3.1.2 [#3266]
v0.17.1 (2022-03-30)
Security Notice
This release includes a fix to a medium severity security issue.
We recommend that all users upgrade.
Security
- authenticate: fix debug and metrics endpoints #3215 (@backport-actions-token[bot])
Fixed
- authenticate: fix internal url with webauthn #3195 (@backport-actions-token[bot])
- github: fix missing groups #3176 (@backport-actions-token[bot])
v0.17.0 (2022-03-04)
New
- adds pomerium version to the user info endpoint #3093 (@nhayfield)
- authenticate: add device-enrolled page #2892 (@calebdoxsey)
- authenticate: fix expiring user info endpoint #2976 (@calebdoxsey)
- controlplane: add compression middleware #3000 (@calebdoxsey)
- directory: save IDP errors to databroker, put event handling in dedicated package #2957 (@calebdoxsey)
- frontend: react+mui #3004 (@calebdoxsey)
- google: support groups for users outside of the organization #2950 (@calebdoxsey)
- grpc: remove ptypes references #3078 (@calebdoxsey)
- last known metric error #2974 (@wasaga)
- remove deprecated ioutil usages #2877 (@cfanbo)
- return explicit error when directory sync is disabled #2949 (@wasaga)
- session: remove unused session state properties #3022 (@calebdoxsey)
- Style update for User Info Endpoint #3055 (@nhayfield)
- userinfo: add webauthn buttons to user info page #3075 (@calebdoxsey)