github authelia/authelia v4.16.0

4 years ago

Important Security Notice/Advisory

This release fixes a security vulnerability in the file authentication provider. An attacker could, over time, compile a list of valid usernames and then brute-force their passwords. The brute-force attempts would be drastically slowed by regulation, which makes this medium to low severity, but it is a vulnerability nonetheless.

The cause is that the password was not hashed when the username did not exist, so login attempts for valid usernames took measurably longer than attempts for invalid usernames, and the response time leaked whether a username exists. The fix is to always run the password check, against a fake password when the username does not exist, so both code paths cost the same regardless of whether the username is valid (we will be changing this to a more efficient method soon, don't worry).
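
The following is an added example illustrating the timing side channel described above and the shape of the fix; it is not Authelia's code. It assumes a stand-in password hash (PBKDF2-HMAC-SHA256 written on the Go standard library rather than the file provider's real algorithm), a constructed in-memory user table in place of the users file, and the hypothetical names `vulnerableCheck`, `hardenedCheck` and `timeCheck`. `main` prints the response time for a known and an unknown username under each variant.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018) written out on the standard
// library. It is a stand-in for the file provider's real password hash, used
// only so the example runs without dependencies; the cost is what matters.
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx[:])
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// userRecord mirrors what a file-backed provider stores per user.
type userRecord struct {
	salt []byte
	hash []byte
}

const (
	iterations = 100_000 // slow enough that skipping the KDF is measurable
	keyLen     = 32
)

func newRecord(salt, password string) userRecord {
	s := []byte(salt)
	return userRecord{salt: s, hash: pbkdf2SHA256([]byte(password), s, iterations, keyLen)}
}

// users is a constructed stand-in for the users file (hypothetical data).
var users = map[string]userRecord{
	"alice": newRecord("alice-salt", "correct horse battery staple"),
	"bob":   newRecord("bob-salt", "hunter2"),
}

// fakeRecord is hashed against whenever the username is unknown. It must use
// the same algorithm and cost parameters as real records, or the timing
// difference simply moves rather than disappears.
var fakeRecord = newRecord("fake-salt", "fake-password")

// vulnerableCheck models the pre-fix behaviour: an unknown username returns
// before the KDF runs, so the response is far faster than for a known
// username with a wrong password.
func vulnerableCheck(username, password string) bool {
	rec, ok := users[username]
	if !ok {
		return false
	}
	candidate := pbkdf2SHA256([]byte(password), rec.salt, iterations, keyLen)
	return subtle.ConstantTimeCompare(candidate, rec.hash) == 1
}

// hardenedCheck models the fix: the KDF runs on every attempt, against the
// fake record when the user is unknown, so both paths cost the same. The
// result is still false for unknown users even if the fake password matches.
func hardenedCheck(username, password string) bool {
	rec, ok := users[username]
	if !ok {
		rec = fakeRecord
	}
	candidate := pbkdf2SHA256([]byte(password), rec.salt, iterations, keyLen)
	match := subtle.ConstantTimeCompare(candidate, rec.hash) == 1
	return ok && match
}

// timeCheck measures one login attempt, as an attacker on the network would.
func timeCheck(check func(string, string) bool, username, password string) time.Duration {
	start := time.Now()
	check(username, password)
	return time.Since(start)
}

func main() {
	variants := []struct {
		name  string
		check func(string, string) bool
	}{{"vulnerable", vulnerableCheck}, {"hardened", hardenedCheck}}
	for _, v := range variants {
		known := timeCheck(v.check, "alice", "not-her-password")
		unknown := timeCheck(v.check, "mallory", "not-her-password")
		fmt.Printf("%-10s known user: %v  unknown user: %v\n", v.name, known, unknown)
	}
}
```

Run it and the vulnerable variant answers the unknown username in microseconds while the known username takes tens of milliseconds; the hardened variant takes the same time for both. The gap is large enough to survive network jitter, which is why regulation alone does not close it: an attacker needs only failed attempts, never a successful login, to harvest usernames.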

A big thanks to @TheHllm who documented the issue and brought it to our attention. We encourage our community to report to us when a vulnerability is discovered via the process documented in our security policy.

Anyone using the file authentication provider is urged to update immediately and report any bugs to us. This release was pushed quickly because of the bug; #912 Automatic Profile Refresh - LDAP was expected to be included, but it will ship in the next point release (v4.17.0).

Changelog

  • c13525b [RELEASE] v4.16.0 (#952)
  • e95c6a2 [HOTFIX] Prevent Username Enumeration (#950)
  • 6d8f455 [DOCS] Update secrets examples for Docker Compose (#948)
  • aebcb38 [MISC] Fix goimports ordering for repo (#947)
  • 2437f98 [SECURITY] Disable HTTP server header (#946)
  • c9e8a92 [FEATURE] Buffer size configuration and additional http error handling (#944)
  • 2b627c6 [CI] Set concurrency groups at a global level and simplify pipeline (#942)
  • f781d63 [CI] Prevent race conditions with appropriate deployment steps (#941)
  • c9efae0 [DOCS] Add jira auto-login with http headers documentation (#868)
  • 12100d2 [CI] Linting optimisations (#940)
  • f8bd506 [FEATURE] Embed static assets in Go binary (#916)
  • ff2df8b [DOCS] Fix HAProxy typo (#937)
  • 69859aa [DOCS] Update HAProxy code syntax style (#936)
  • dca8a53 [DOCS] Update proxy integration example for HAProxy (#935)
  • 2f8bcef [CI] Adjust linting default excludes to align with goreportcard (#934)
  • 3ba06c2 [MISC] (deps): Bump node from 12-alpine to 14-alpine (#932)
  • 9fc3098 [MISC] (deps): Bump @types/react-dom from 16.9.6 to 16.9.7 in /web (#933)
  • 6c7d5cf [CI] Add Gemfile.lock monitoring to dependabot (#931)
  • ab8db21 [MISC] (deps): Bump node in /internal/suites/example/compose/authelia (#930)
  • 6c0e9f8 [MISC] (deps): Bump node in /internal/suites/example/compose/duo-api (#929)
  • 83d4064 [CI] Add Dockerfile monitoring to dependabot (#928)
  • 1dad484 [MISC] (deps): Bump @material-ui/core from 4.9.11 to 4.9.12 in /web (#927)
  • ac36283 [MISC] (deps): Bump @types/node from 13.13.2 to 13.13.4 in /web (#926)
  • d79e90d [MISC] (deps): Bump @types/react-router-dom from 5.1.4 to 5.1.5 in /web (#925)
  • 5d2b7a1 [MISC] (deps): Bump github.com/fasthttp/router from 1.0.3 to 1.0.4 (#923)
  • 784112d [MISC] Update QEMU to v4.2.0-7 (#921)
  • a90f432 [CI] Update reviewdog level to error (#922)

Docker Container

  • docker pull authelia/authelia:4.16.0
