Security
This release includes multiple security updates:
-
The Pomerium user info page (at
/.pomerium) unintentionally included serialized OAuth2 access and ID tokens from the logged-in user's session. These tokens are not intended to be exposed to end users, and have now been removed. CVE-2024-39315Credit to Vadim Sheydaev, aka Enr1g for reporting this issue.
-
This release also includes an update from Envoy 1.30.1 to Envoy 1.30.3 to address multiple security issues:
- CVE-2024-34362: Crash (use-after-free) in EnvoyQuicServerStream
- CVE-2024-34363: Crash due to uncaught nlohmann JSON exception
- CVE-2024-34364: Envoy OOM vector from HTTP async client with unbounded response buffer for mirror response, and other components
- CVE-2024-32974: Crash in EnvoyQuicServerStream::OnInitialHeadersComplete()
- CVE-2024-32975: Crash in QuicheDataReader::PeekVarInt62Length()
- CVE-2024-32976: Endless loop while decompressing Brotli data with extra input
- CVE-2024-23326: Envoy incorrectly accepts HTTP 200 response for entering upgrade mode
- CVE-2024-38525: datadog tracer does not handle trace headers with unicode characters
-
The release also removes a transitive dependency on the gopkg.in/square/go-jose.v2 library which is vulnerable to GHSA-c5q2-7r4c-mv6g.
What's Changed
Changed
- envoy: upgrade to v1.30.3 by @kenjenkins in #989
- ci: set core to v0.26.1, set deployment tags by @kenjenkins in #998
Full Changelog: v0.26.0...v0.26.1