Skip to content

v0.26.1
Compare
Choose a tag to compare
@kenjenkins kenjenkins released this 01 Jul 23:31
· 2 commits to 0-26-0 since this release
v0.26.1
322066d
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Learn about vigilant mode.

Security

This release includes multiple security updates:

  • The Pomerium user info page (at /.pomerium) unintentionally included serialized OAuth2 access and ID tokens from the logged-in user's session. These tokens are not intended to be exposed to end users, and have now been removed. CVE-2024-39315

    Credit to Vadim Sheydaev, aka Enr1g for reporting this issue.

  • This release also includes an update from Envoy 1.30.1 to Envoy 1.30.3 to address multiple security issues:

    • CVE-2024-34362: Crash (use-after-free) in EnvoyQuicServerStream
    • CVE-2024-34363: Crash due to uncaught nlohmann JSON exception
    • CVE-2024-34364: Envoy OOM vector from HTTP async client with unbounded response buffer for mirror response, and other components
    • CVE-2024-32974: Crash in EnvoyQuicServerStream::OnInitialHeadersComplete()
    • CVE-2024-32975: Crash in QuicheDataReader::PeekVarInt62Length()
    • CVE-2024-32976: Endless loop while decompressing Brotli data with extra input
    • CVE-2024-23326: Envoy incorrectly accepts HTTP 200 response for entering upgrade mode
    • CVE-2024-38525: datadog tracer does not handle trace headers with unicode characters

  • The release also removes a transitive dependency on the gopkg.in/square/go-jose.v2 library which is vulnerable to GHSA-c5q2-7r4c-mv6g.

What's Changed

Changed

Full Changelog: v0.26.0...v0.26.1

Contributors

kenjenkins
Assets 2
Loading