Security
- This release fixes a bug (CVE-2023-33189) whereby specially crafted requests could cause Pomerium to make incorrect authorization decisions.
What's Changed
- storage: ignore removed fields when deserializing the data by @backport-actions-token in #3772
- jwt: require logged in user to return .pomerium/jwt by @backport-actions-token in #3809
- oidc: fix token revocation by @backport-actions-token in #3818
- autocert: use atomic pointer to allow nil by @backport-actions-token in #3817
- identity: fix expired session deletion by @backport-actions-token in #3857
- postgres: return unknown records instead of skipping them (#3876) by @calebdoxsey in #3877
- identity: fix nil reference error when there is no authenticator by @backport-actions-token in #3932
Full Changelog: v0.20.0...v0.20.1