See https://docs.goauthentik.io/docs/releases/2024.10#fixed-in-2024103
Note that this security release includes backwards incompatible database changes; see https://docs.goauthentik.io/docs/security/cves/CVE-2024-52289#patches
What's Changed
- providers/ldap: fix global search_full_directory permission not being sufficient (cherry-pick #12028) by @gcp-cherry-pick-bot in #12030
- rbac: fix incorrect object_description for object-level permissions (cherry-pick #12029) by @gcp-cherry-pick-bot in #12043
- web/flows: fix invisible captcha call (cherry-pick #12048) by @gcp-cherry-pick-bot in #12049
- core: fix source_flow_manager throwing error when authenticated user attempts to re-authenticate with existing link (cherry-pick #12080) by @gcp-cherry-pick-bot in #12081
- providers/scim: accept string and int for SCIM IDs (cherry-pick #12093) by @gcp-cherry-pick-bot in #12095
- root: fix activation of locale not being scoped (cherry-pick #12091) by @gcp-cherry-pick-bot in #12096
- root: check remote IP for proxy protocol same as HTTP/etc (cherry-pick #12094) by @gcp-cherry-pick-bot in #12097
- website/docs: group CVEs by year (cherry-pick #12099) by @gcp-cherry-pick-bot in #12100
- internal: add CSP header to files in /media (cherry-pick #12092) by @gcp-cherry-pick-bot in #12108
- website/docs: add CSP to hardening (cherry-pick #11970) by @gcp-cherry-pick-bot in #12116
- security: fix CVE 2024 52287 (cherry-pick #12114) by @gcp-cherry-pick-bot in #12117
Full Changelog: version/2024.10.2...version/2024.10.3